Four ways to make end users love password security (or at least tolerate it).

When end users find their organization’s security measures burdensome or frustrating, it can significantly increase the risk of insider threats. Gartner revealed that 69% of employees have disregarded their organization’s cybersecurity guidance in the past year. This doesn’t mean they’re setting out to create risk; it usually means they simply want to get on with their jobs and see cybersecurity measures as an unnecessary hassle.

Can cybersecurity and user experience go together?  

Passwords are a great example of cybersecurity and user experience clashing. LastPass research found that an average employee can deal with a staggering 191 different logins. It can be overwhelming to remember and rotate so many passwords. As a result, LastPass also reported that 61% of surveyed employees admit to reusing passwords in an attempt to cope, despite also admitting they understand the security ramifications. This level of password reuse puts organizations at huge risk.

So how can IT teams improve password security, knowing that their user base is already jaded, frustrated, and willing to prioritize convenience? Getting rid of passwords completely isn’t a feasible option for most organizations, so the key is to find effective security practices that can also offer a good user experience. We’ll run through four of the best ways to get end users on board with your access security efforts.

1. Passphrases for strong, easy-to-remember passwords 

Hackers use brute force techniques to rapidly try many different passwords in succession, in an attempt to crack a user’s password. They often combine these techniques with dictionaries of known weak passwords and keyboard walks commonly chosen by end users. Shorter and less complex passwords are far more vulnerable to this method of password cracking, so it’s standard advice to create longer passwords with some complexity.  

However, this creates a headache for end users who now need to remember many long, complex passwords of ideally 15 characters and above. One way to make things easier for them is to encourage the use of passphrases over passwords. A passphrase is three or more random words joined together, like ‘Patient-Skylight-Angelfish’. Adding some character swaps and misspelling one of the words would make the password even stronger. This would also be far easier to remember than a string of random letters and numbers of a similar length.  

Password length isn’t everything – it doesn’t fully protect credentials from compromise. But increasing the length of your end users’ passwords will offer a solid foundation of defense against the brute force techniques used by attackers. Passphrases are a great way to get end users to create longer passwords without increasing their mental burden.   

2. Dynamic feedback during password resets

Asking an employee to create a new password can make them feel as though they’re staring at a blank page. What should they choose? What’s considered long enough? What other dos and don’ts from their security and awareness training need to be factored into the process? It’s especially frustrating to finally decide on a new password and then get a ‘computer says no’ style message that doesn’t even tell them what they did wrong. 

No one should feel as though they’re on their own when they’re taking steps that contribute to the security of their entire organization and its customers. Providing dynamic password feedback during password creation is not only an education opportunity, but also instantly validates whether the password is aligned with the policy requirements. People can see in real-time whether their new password fits with their organization’s policy and if it doesn’t, they can see why not and fix it quickly.  
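The kind of rule-by-rule feedback described above, as an added example that is not Specops’ code: every requirement is evaluated and reported, so a rejected password comes back with the exact rule it missed rather than a bare “not accepted”. The policy values (15-character minimum, three-word passphrases, the weak-password and keyboard-walk lists) are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed policy values for this example; they are not Specops' defaults.
MIN_LENGTH = 15            # the article's "ideally 15 characters and above"
MIN_PASSPHRASE_WORDS = 3   # three or more words count as a passphrase
# Constructed stand-ins for the weak-password dictionaries and keyboard walks attackers try first.
WEAK_DICTIONARY = {"password", "welcome1", "summer2024", "letmein"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "12345", "!@#$%")
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")

@dataclass
class Feedback:
    ok: bool = True
    passed: list = field(default_factory=list)   # requirements already met
    failed: list = field(default_factory=list)   # requirements the user still has to fix

def is_passphrase(candidate: str) -> bool:
    """Three or more words of four-plus characters separated by spaces, dashes, dots or underscores."""
    words = [w for w in re.split(r"[\s\-_.]+", candidate) if w]
    return len(words) >= MIN_PASSPHRASE_WORDS and all(len(w) >= 4 for w in words)

def check_password(candidate: str, username: str = "") -> Feedback:
    """Evaluate every rule and report each one, so the user sees exactly what to change."""
    fb = Feedback()
    lowered = candidate.lower()

    def rule(requirement: str, met: bool) -> None:
        (fb.passed if met else fb.failed).append(requirement)

    rule(f"at least {MIN_LENGTH} characters", len(candidate) >= MIN_LENGTH)
    rule("not a known weak password", lowered not in WEAK_DICTIONARY)
    rule("no keyboard walk", not any(walk in lowered for walk in KEYBOARD_WALKS))
    rule("does not contain your username", not (username and username.lower() in lowered))
    if is_passphrase(candidate):
        rule("passphrase of 3+ words", True)   # a passphrase needs no extra character types
    else:
        classes = sum(bool(re.search(p, candidate)) for p in CHAR_CLASSES)
        rule("at least three character types (or use a passphrase)", classes >= 3)
    fb.ok = not fb.failed
    return fb

def format_feedback(fb: Feedback) -> list:
    """Lines for a live reset screen: met rules first, then the ones still to fix."""
    return [f"[OK] {r}" for r in fb.passed] + [f"[--] {r}" for r in fb.failed]

if __name__ == "__main__":
    for candidate in ("Summer2024!", "Patient-Skylight-Angelfish"):
        print(candidate, *format_feedback(check_password(candidate, "jsmith")), sep="\n  ")
```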

You can see the difference below between a standard Windows password reset screen and the dynamic password reset screen available to Specops Password Policy and uReset customers. One leads to inevitable frustration, while the other gives end users a feeling of working alongside their organization as a team for better security.  

[Screenshot: Specops Authentication Client, standard versus dynamic password reset screen]

3. Length-based password ageing  

Nobody enjoys their work being interrupted for a password change. However, never-expire passwords can offer opportunities for hackers, so expiries are still used by organizations that don’t have the ability to continuously scan for breached passwords. So why not turn a potentially negative user experience into an opportunity?

Length-based ageing gives end users a choice. They can make a password that only just meets the organization’s length requirement, but they’ll have to change it in 90 days. Or they can increase the password length and wait longer, maybe 180 days, for their password to expire.  

Rather than everyone experiencing an arbitrary forced password reset every 90 days, length-based ageing rewards people who choose longer passwords with a longer expiration period. This strikes a better balance between improving security while also promoting usability among the people who need to manage their passwords. 

4. Continuous monitoring for breached passwords 

The methods we’ve seen so far are effective for guiding end users towards creating strong passwords, and for giving them more visibility into, and understanding of, their organization’s password policies. However, even strong passwords can become compromised, and you can never be 100% confident people within your organization aren’t reusing passwords. There needs to be a way to detect breached passwords within your Active Directory and close down potential attack routes.

Some solutions check passwords against lists of breached credentials only during expiry or reset events, but this can leave significant gaps of time where you remain vulnerable. Alternatively, Specops Password Policy offers continuous scans through the Specops Breached Password Protection service. This tool finds breached passwords daily, instead of only at password change or reset events. The Breached Password Protection database of over 4 billion compromised passwords is updated with newly discovered password leaks, passwords collected by our honeypot network system, and research from our Threat Intelligence team.

If an organization has continuous scanning in place, they could have even longer gaps to password expiry, safe in the knowledge that their Active Directory is being automatically scanned for breached passwords daily. This would be welcome news for end users. If they are discovered to be using a breached password, they’ll be notified by a customizable email and/or SMS message requesting they change their password. And most importantly, this reduces the risk of the worst potential password-related experience for both end users and employers – dealing with a breach and its repercussions.  
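Sections 3 and 4 together describe one decision a daily scan has to make per account: is the password in the breach database (change now, whatever its age), and if not, has it outlived the expiry window its length earned? The following is an added example of that logic, not Specops’ own implementation: the ageing tiers (90, 180 and 365 days), the use of SHA-1 hex digests as a stand-in for the directory’s stored hashes, the recording of password length at change time, and the breached-hash set are all assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed ageing schedule (not Specops' actual configuration): the article's 90 and
# 180 day figures plus a third tier, keyed on the length recorded at the last change.
AGEING_TIERS = ((15, 90), (20, 180), (25, 365))   # (minimum length, maximum age in days)

def sha1_hex(password: str) -> str:
    # SHA-1 stands in for the directory's stored password hash in this constructed example.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed breached-hash set standing in for a daily-updated breach database.
# A strong passphrase can still turn up in a leak, so it is the one flagged here.
BREACHED_HASHES = {sha1_hex(p) for p in ("Welcome-To-Summer-2024", "Patient-Skylight-Angelfish")}

@dataclass
class Account:
    user: str
    pw_hash: str
    pw_length: int      # length recorded by the policy at the last change (assumption)
    last_set: date

def max_age_days(length: int):
    """Longest expiry window the length qualifies for; None if below the policy minimum."""
    days = None
    for min_len, tier_days in AGEING_TIERS:
        if length >= min_len:
            days = tier_days
    return days

def evaluate(acct: Account, today: date) -> tuple:
    """One account's verdict for the daily scan: (status, days until expiry)."""
    if acct.pw_hash in BREACHED_HASHES:
        return ("breached", 0)          # notify and force a change regardless of age
    limit = max_age_days(acct.pw_length)
    if limit is None:
        return ("below-minimum", 0)
    days_left = (acct.last_set + timedelta(days=limit) - today).days
    return ("expired", days_left) if days_left <= 0 else ("ok", days_left)

def daily_scan(accounts, today: date) -> dict:
    """Map each user to a verdict; only the non-'ok' entries need a notification."""
    return {a.user: evaluate(a, today) for a in accounts}

if __name__ == "__main__":
    sample = [Account("alice", sha1_hex("Patient-Skylight-Angelfish"), 26, date(2024, 5, 1)),
              Account("bob", sha1_hex("Correct-Horse-Battery"), 21, date(2024, 1, 1))]
    print(daily_scan(sample, date(2024, 6, 1)))
```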

Improve password security and user experience  

Passwords don’t need to be a source of frustration with the right tools. Specops Password Policy offers features such as passphrase enforcement, dynamic feedback at password change events, length-based ageing, and continuous scanning of your Active Directory for breached passwords. Speak to an expert about how Specops Password Policy could fit in with your organization and support your end users.  


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.

