Time for A Rethink on Your Password Policies

If you own a business, you will appreciate the need to close all the windows and lock the doors when you finish work for the night. Leave anything open and you are asking for trouble: someone will come along in the dead of night, get into your premises, and steal everything of value.

The same is true in the digital world. Everything must be protected because if you leave anything open, your digital assets will be stolen. In order to gain access to digital assets, passwords are required. A unique password must be set for all accounts, and the password must be long and complex to resist brute force password guessing attacks.

Employers set password policies and then let their employees choose their own passwords, but if a password was required for physical access, employers would not leave that important task to their employees. Would you allow your employees to create their own keys to access the premises? Of course not. Yet that is exactly what most employers do in the digital world.

The result? Employees set passwords that meet the minimum requirements for complexity but are actually incredibly weak. The following passwords meet the minimum complexity requirements of at least one upper- and lower-case letter, a number, and a symbol, yet they could be guessed almost instantly:

  • Password1!
  • PW123456?
  • Qwerty123*

If you want to ensure your digital assets are protected, why not make 100% sure by generating long and complex passwords for your employees that truly match your requirements for password complexity? There is, of course, a good reason this has not become standard practice in most businesses: employees need to be able to remember their passwords, and nobody can memorize a random 12-character string of letters, numbers, and symbols. Today, however, employees don’t need to remember their passwords and never need to type them. Password managers store passwords in an encrypted vault and autofill them whenever they are required, so there is no need for employees to remember or enter them.
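As an added example (not code from the article), the following Python script encodes the complexity rule described above, checks the three sample passwords against it, flags them as guessable using a small constructed denylist, and generates a random 12-character password with the `secrets` module. The minimum length of 8, the denylist contents and the `required_classes` knob are assumptions. One caveat the script surfaces: the second sample, PW123456?, contains no lowercase letter, so it only passes the rule as stated when it is relaxed to three of the four character classes, a common variant of the policy.

```python
import math
import secrets
import string

# Added example, not code from the original article. It models the naive
# complexity policy the article describes (upper, lower, digit, symbol) and
# shows why passing it says little about how hard a password is to guess.

SYMBOLS = string.punctuation                                # 32 ASCII symbols
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 94 characters


def meets_naive_policy(pw: str, min_len: int = 8, required_classes: int = 4) -> bool:
    """The article's complexity rule. min_len=8 is an assumed threshold;
    required_classes=3 models the common 'three of four classes' relaxation."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SYMBOLS for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= required_classes


# Constructed denylist: base words and keyboard walks that cracking wordlists
# try first. A real deployment would check against a breached-password list.
WEAK_BASES = {"password", "pw", "qwerty", "letmein", "welcome", "admin"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "123456", "654321")


def looks_guessable(pw: str) -> bool:
    """Strip the leading/trailing digits and symbols that turn 'password'
    into 'Password1!' and test whether the remaining core is a known base
    word; also reject anything containing a keyboard walk."""
    core = pw.strip(string.digits + SYMBOLS).lower()
    if core in WEAK_BASES:
        return True
    lowered = pw.lower()
    return any(walk in lowered for walk in KEYBOARD_WALKS)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search space of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 12) -> str:
    """Draw a uniformly random password from the CSPRNG and re-draw until it
    satisfies the policy. Rejection sampling keeps the result uniform over
    the accepted set, so no character position is predictable."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_naive_policy(pw, min_len=length) and not looks_guessable(pw):
            return pw


def audit(passwords):
    """Return {password: (passes_strict_policy, looks_guessable)}."""
    return {p: (meets_naive_policy(p), looks_guessable(p)) for p in passwords}


if __name__ == "__main__":
    samples = ["Password1!", "PW123456?", "Qwerty123*"]   # from the article
    for p, (ok, guessable) in audit(samples).items():
        print(f"{p:<12} strict policy={'pass' if ok else 'fail'} guessable={guessable}")
    generated = generate_password()
    print(f"generated: {generated} ({entropy_bits(12, len(ALPHABET)):.1f} bits of entropy)")
```

The entropy figure is the point of the comparison: a uniformly random 12-character password from this 94-character alphabet has about 78.7 bits of search space, whereas the three samples collapse to a dictionary word plus a short suffix, which is why they can be guessed almost instantly despite satisfying the same rule.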

Another important benefit of password managers is phishing protection. Phishing is the most common method of gaining access to business networks. Employees are sent convincing phishing emails that trick them into visiting a website where they are asked to log in with their credentials, and the phishing pages are carbon copies of the sites they spoof. If an employee lands on one of these sites, a password manager will not autofill the login credentials, because the vault entry is tied to the legitimate domain and the phishing domain does not match it.
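The domain check that makes this work, as an added example rather than code from the article or from any real password manager: a vault entry is stored against a hostname, and the manager only offers it on an https page whose hostname is that host or one of its subdomains. The vault contents are constructed and `example.com` is a reserved example name.

```python
from urllib.parse import urlsplit

# Added example, not code from the original article or any real password
# manager. Vault contents are constructed; example.com is a reserved name.
VAULT = {
    "example.com": {"username": "alice", "password": "<generated-secret>"},
}


def host_matches(page_host: str, stored_host: str) -> bool:
    """True if page_host is the stored host or a subdomain of it.
    The comparison is on whole labels, so 'example.com.evil-phish.test'
    and the lookalike 'examp1e.com' do not match 'example.com'."""
    page_host = page_host.lower().rstrip(".")
    stored_host = stored_host.lower().rstrip(".")
    return page_host == stored_host or page_host.endswith("." + stored_host)


def autofill_candidate(page_url: str, vault=VAULT):
    """Return the vault entry a manager would offer for page_url, or None.
    Only https origins qualify, so a plain-http copy of the site gets nothing."""
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    for stored_host, creds in vault.items():
        if host_matches(parts.hostname, stored_host):
            return creds
    return None


if __name__ == "__main__":
    for url in (
        "https://login.example.com/signin",            # legitimate subdomain
        "https://example.com.evil-phish.test/signin",  # real name as a prefix
        "https://examp1e.com/signin",                  # lookalike spelling
        "http://example.com/signin",                   # right name, no TLS
    ):
        verdict = "fills" if autofill_candidate(url) else "no fill"
        print(f"{url:<45} -> {verdict}")
```

Two practical caveats for anyone deploying this control: a production manager matches on the registrable domain using the public suffix list, otherwise an entry stored for a shared hosting domain would be offered to every site under it; and the protection only holds while users treat "no autofill offered" as a stop sign rather than copying the password out of the vault by hand.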

If you want to improve security, it’s time for a rethink of your password policies, and if you do not yet provide a password manager for your employees, now is the time to provide one.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news