When client says “It doesn’t matter if my password is weak”
(Last updated on December 21, 2016)
Have you exposed poor password practices during a penetration test only to get the following responses?
- It doesn’t matter if the password is weak for X account since it’s not used for anything important
- We don’t need strong passwords since we don’t have anything bad guys would want anyway
- My password is strong enough if the system lets me use it
These are the very clients that need to worry about data breaches. According to the 2016 Data Breach Investigations Report from Verizon, 63% of confirmed data breaches leveraged a weak, default, or stolen password. Such passwords not only open organizations up to attacks, but also subject them to compliance violations. Industry compliance standards such as PCI, HIPAA and SOX all include recommendations or regulations regarding password policy.
If your clients don’t understand the importance of password security, they’re unlikely to implement any of your password recommendations. Here are some resources to help them understand the various compliance standards and their requirements on password security:
- PCI password security checklist
- SOX password compliance: Not taking it seriously can be costly
- Will you pass a HIPAA audit?
- [Whitepaper] Compliance and beyond: Future-proofing your password policy
- [Infographic] Simplifying password recommendations
You can also bring attention to the cost implications of a data breach. According to the 2016 Ponemon Institute Cost of a Data Breach Study, the average cost of a data breach is $4 million. Furthermore, the cost incurred for each lost or stolen record containing sensitive and confidential information is $158 million.
With industry standards constantly in flux and new threats being introduced, it is critical to implement a solution that enforces password compliance and best practices. Specops Password Policy can be configured to block common passwords or any dictionary list so users won’t have the option to choose weak passwords. Are you concerned that users won’t be able to pick a password they can remember? Don’t be. Specops Password Policy supports passphrases, which gives administrators the flexibility to increase password length. You can now create a powerful, yet simple, password policy: if the password is shorter than the minimum length set for passphrases, the standard length and complexity rules apply; if not, the passphrase requirements kick in.
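To make the two-tier rule concrete, here is a small policy evaluator written as an added example for this post; it is not Specops code and does not reproduce the product's matching logic. It assumes a constructed blocked-password list, illustrative thresholds (8 characters and 3 character classes for the standard tier, 16 characters and 3 words for the passphrase tier), and a simple normalization that strips trailing digits and symbols so that "Password1!" is still caught by a dictionary entry of "password".

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a blocked-password dictionary. A real deployment
# would load a breach-derived or custom list; these entries are illustrative.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
})


@dataclass(frozen=True)
class Policy:
    """Thresholds are assumptions chosen for this example, not vendor defaults."""
    min_length: int = 8              # standard tier: minimum length
    min_classes: int = 3             # standard tier: of lower/upper/digit/other
    passphrase_min_length: int = 16  # at or above this length, passphrase rules apply
    passphrase_min_words: int = 3    # passphrase tier: minimum word count


DEFAULT_POLICY = Policy()

# Trailing digits and symbols, e.g. the "1!" in "Password1!".
_TRAILING_NOISE = re.compile(r"[\d\W_]+$")


def normalize(password: str) -> str:
    """Lower-case and strip trailing digits/symbols before the dictionary lookup.

    This normalization is an assumption of the example; products use their own
    matching rules. Callers should also check the plain lower-cased value,
    because an all-digit password such as "123456" normalizes to "".
    """
    return _TRAILING_NOISE.sub("", password.lower())


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and other classes are present."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def evaluate(password: str, policy: Policy = DEFAULT_POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    violations: list[str] = []

    # Tier 0: the dictionary block applies regardless of length or tier.
    candidates = {password.lower(), normalize(password)}
    if candidates & COMMON_PASSWORDS:
        violations.append("password is on the blocked list")

    if len(password) < policy.passphrase_min_length:
        # Tier 1: standard length and complexity rules.
        if len(password) < policy.min_length:
            violations.append(f"shorter than {policy.min_length} characters")
        if character_classes(password) < policy.min_classes:
            violations.append(f"fewer than {policy.min_classes} character classes")
    else:
        # Tier 2: passphrase rules; complexity is waived in favour of length
        # and word count, so "correct horse battery staple" is acceptable.
        words = [w for w in re.split(r"[\s\-_]+", password) if w]
        if len(words) < policy.passphrase_min_words:
            violations.append(
                f"passphrase needs at least {policy.passphrase_min_words} words"
            )
    return violations


def is_acceptable(password: str, policy: Policy = DEFAULT_POLICY) -> bool:
    """Convenience wrapper: True when evaluate() reports no violations."""
    return not evaluate(password, policy)


if __name__ == "__main__":
    for pw in ["Password1!", "123456", "Tr0ub4dor&3",
               "correct horse battery staple", "a" * 20]:
        print(f"{pw!r}: {evaluate(pw) or 'accepted'}")
```

The dictionary check runs before the tier selection on purpose: a long passphrase built from a single blocked word should still fail, and a short complex password that is just "password" with a suffix should not pass on complexity alone. Adjust the thresholds to match whatever the compliance standard in scope requires; the structure stays the same.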