Password policy mistakes

Taking a pass on passwords? Not so fast

(Last updated on September 26, 2019)

News headlines about data breaches serve as constant reminders of the risks associated with passwords. While more and more industry standards and best-practice guidelines recommend multi-factor authentication, the majority of organizations still rely solely on password-based authentication. That includes the people responsible for protecting the network: 86% of system administrators in the UK rely on a username and password when accessing their main business account on site, according to research by Vanson Bourne and Intercede. Are they at least making this single layer as strong as it can be? The same research indicates that 17% of them use simple passwords. Such poor password practices appear to be a global occurrence: a CyberArk survey of 750 IT professionals worldwide found that 40% of organizations store admin passwords in Word or Excel documents.

Password pitfalls to avoid

Many predictions have been made about passwords becoming obsolete, but the reality is that passwords are still the main form of authentication today. And while passwords are inherently weak, your organization's authentication doesn't have to be, as long as you avoid these password pitfalls:

  • No password policy, or one that is not enforced. Some organizations have no password policy at all because they believe that enforcing complexity rules would drive up password reset calls. Of the organizations that do have a policy, 65% don't strictly enforce it, according to the 2016 State of Cybersecurity in Small & Medium-Sized Businesses report by the Ponemon Institute. These organizations are playing Russian roulette with their security and will eventually take the bullet when they are breached.
  • Poor password policy. Users gravitate towards passwords that are easy to remember, which usually means weak ones, but they can only choose them if the policy lets them. If the policy requires nothing more than a capital letter and a number, users will produce something like Password1. Allowing short passwords with minimal complexity, common dictionary words, and incremental variations of an old password (Password1 becomes Password2) leads to weak passwords, and these are exactly the patterns that dictionary and rule-based cracking attacks try first.
  • Too many complexity requirements. Piling on complexity requirements not only frustrates users but also gives organizations a false sense of security. Few people can remember a long password drawn from all four character sets, so the helpdesk fields frequent reset calls. It is counterproductive and expensive to maintain, and some users resort to writing their passwords down to avoid the tiresome retrieval process.
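As an added illustration (not part of the original post and not code from Specops' products), the following Python sketch contrasts a character-class-only rule with a check that targets the weak patterns listed above: short length, a common word dressed up with capitalization, digits or leet substitutions, the username, and incremental variants of the previous password. The deny-list, the leet table and the sample passwords are small constructed stand-ins; a real deployment would load a breached-password corpus instead.

```python
import re

# Length does most of the work; character-class rules alone do not.
MIN_LENGTH = 12

# Constructed stand-in for a breached-password / common-word corpus (assumption:
# a real check would load a large list, e.g. a breached-password feed).
COMMON_BASE_WORDS = {
    "password", "welcome", "qwerty", "letmein", "admin", "summer", "winter", "company",
}

# Cosmetic substitutions users apply to slip past a naive dictionary check.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def classes_only_check(pw: str) -> bool:
    """The 'capitalization plus a number' style rule: 8+ characters with at least
    one uppercase letter, one lowercase letter and one digit. Accepts 'Password1'."""
    return len(pw) >= 8 and all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d"))


def normalize(pw: str) -> str:
    """Reduce a password to the base word a cracker's rule set would recover:
    lower-case it, strip leading/trailing digits and symbols (years, counters,
    the obligatory '!'), then undo common leet substitutions."""
    s = pw.lower()
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)
    return s.translate(LEET)


def check_password(pw: str, username: str = "", previous: str = "") -> list[str]:
    """Return the reasons a candidate fails the policy; an empty list means accepted.
    The pattern checks catch passwords that satisfy a character-class rule while
    remaining trivially guessable."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    base = normalize(pw)
    if not base:
        reasons.append("consists only of digits and symbols")
    elif base in COMMON_BASE_WORDS:
        reasons.append(f"common word with cosmetic changes ({base!r})")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if previous and pw != previous and normalize(pw) == normalize(previous):
        reasons.append("incremental variant of the previous password")
    if len(set(pw.lower())) <= 3:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    # Constructed samples: each line shows what the classes-only rule says and
    # what the pattern-aware check says about the same candidate.
    samples = [
        ("Password1", "", ""),
        ("P@ssw0rd2019!", "", ""),
        ("Password2", "", "Password1"),
        ("jsmith-laptop-2019", "jsmith", ""),
        ("correct horse battery staple", "", ""),
    ]
    for pw, user, prev in samples:
        verdict = check_password(pw, username=user, previous=prev)
        print(f"{pw!r:32} classes-only: {classes_only_check(pw)!s:5} "
              f"pattern-aware: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note the two directions of failure: the first four samples pass or nearly pass the classes-only rule while being exactly the guesses a cracking rule set tries first, and the long passphrase fails the classes-only rule despite being the strongest candidate in the list.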

Face the (ugly) truth

Before you can make any improvements, you need to know where your organization stands on password security. A good starting point is finding out which password policies are, or are not, enforced in your environment. Specops Password Auditor is a free tool that scans Active Directory for security weaknesses related to password policies. The collected information is used to generate interactive reports containing user and password policy information. The tool is especially helpful for organizations bound by compliance requirements, as the password settings in your organization are measured against industry standards. The free scan is available from Specops.
