Coffee with Kampas – Episode 19: Building a Strong Password Policy

On today’s episode of #CoffeeWithKampas, EMPIST Founder & CEO John Kampas discusses what goes into a good password policy. According to the 2019 Verizon Data Breach Report, 81% of hacking-related breaches are linked to poor passwords, and 70% of users reuse passwords. Where do you line up?



Hi, this is John Kampas, Founder and CEO of EMPIST. According to the 2019 Verizon Data Breach Report, 81% of hacking-related breaches are linked to poor passwords, and 70% of users reuse passwords. That’s why on today’s Coffee with Kampas, I want to talk to you about what goes into a good password policy. I get asked about this a lot, and my opinion on it has changed a bit over the years.

The first aspect of a password policy that most people ask about is how often you should require users to change their passwords. The answer might actually surprise you. Major vendors including Microsoft and Apple agree that there is very little benefit to forcing periodic password changes. Back in 2017, the National Institute of Standards and Technology, or NIST, stated that users should no longer be required to change passwords arbitrarily. Instead, they should only be asked to change a password when there is evidence of a compromise.

You might be asking yourself, “how can that be?” Well, think about what you usually do when you’re asked to change a password. Maybe you change that last 8 to a 9, switch around some capitalization, or if you’re feeling crazy, even add an exclamation point. You’re not alone here. When forced to change passwords frequently, most users tend to make predictable alterations rather than thinking of an entirely new password. This makes the new passwords easily guessable and vulnerable to compromise.
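To make the “predictable alteration” problem concrete, here is an added example (not from the episode or from EMPIST) of a defender-side check that rejects a proposed new password when it is only a trivial variant of the old one: same letters with different capitalization, a digit bumped from 8 to 9, or a symbol tacked on the end. The rules, the 8-character minimum, and the function names are assumptions made for this example.

```python
import re
import string
from typing import Optional, Tuple

# Assumed minimum length for this example (NIST SP 800-63B sets 8 as the floor for user-chosen passwords).
MIN_LENGTH = 8
TRAILING = string.digits + string.punctuation


def core(pw: str) -> str:
    """Lower-case the password and strip leading/trailing digits and punctuation,
    so 'Welcome2019!' and 'welcome2020' both reduce to 'welcome'."""
    return pw.lower().lstrip(string.punctuation).rstrip(TRAILING)


def digit_shape(pw: str) -> str:
    """Replace every run of digits with '#' so 'Spring8' and 'Spring9' compare equal."""
    return re.sub(r"\d+", "#", pw.lower())


def change_reason(old: str, new: str) -> Optional[str]:
    """Return a reason if 'new' is a predictable alteration of 'old', else None."""
    if new == old:
        return "unchanged"
    if new.lower() == old.lower():
        return "only capitalization changed"
    if digit_shape(new) == digit_shape(old):
        return "only digits changed (e.g. 8 -> 9)"
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return "only leading/trailing digits or symbols changed"
    if old_core and old_core in new.lower():
        return "old password reused inside the new one"
    return None


def check_new_password(old: str, new: str) -> Tuple[bool, str]:
    """Accept or reject a proposed password change and say why."""
    if len(new) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    reason = change_reason(old, new)
    if reason:
        return False, reason
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes, the kind a user makes when forced to rotate.
    for old, new in [("Welcome8!", "Welcome9!"), ("Welcome9!", "welcome9!"),
                     ("Welcome9!", "Welcome9!!"), ("Welcome9!", "correct horse battery staple")]:
        print(repr(old), "->", repr(new), check_new_password(old, new))
```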

The fact is, a simple password is not a very secure method of protecting your systems and information, but a complex password is difficult to remember and might hinder everyday productivity. If your password policy is too complex and requires passwords to be changed frequently, passwords become hard to remember, and users end up writing them down instead. This is a big security risk.

So, what can be done about this? Here are some of the things I recommend you do to build out a strong password policy:

First, review your current password policy. This will help you understand the whole picture and identify what needs to be changed or updated.

Next, document the types of systems that require password authentication.

You should also consider deploying a Single Sign-On (SSO) solution to reduce the number of passwords your users need to remember.

I also recommend implementing failed login detection and protection methods on your network.

Lastly, conduct security awareness training to teach your users how to create secure passwords.

Ideally, your password policy is also combined with multi-factor authentication, or MFA. MFA is important because it acts as another line of defense in addition to a password. Where a password is something you know, MFA adds something you have (such as your mobile phone).

I don’t recommend ditching your policy entirely, but reconsider how frequently you require password changes. Your goal should be to configure a policy that mitigates the security risks while maintaining high employee productivity.

If you need any help creating a good password policy, please don’t hesitate to contact me directly.

