Passwords are something we are all familiar with using. We know them like a phone number or a home address. They have become a vital piece of our lives, as they protect our bank accounts, social media accounts, and business services, all of which have become essential to functioning in our ever-growing, technology-rich world.
Yet time and time again, we see breaches all over the news, and the accounts we rely on end up being used by criminal actors. Sixty-one percent of breaches occurred through the use of compromised credentials, per the Verizon 2021 Data Breach Investigations Report. Developing a password policy has its hurdles, but through the cooperation of both your security team and your employees, you can establish one. One of the first questions any organization should answer when it comes to passwords is: what are the requirements?
Passwords for any account should contain at least eight characters, and ideally more than eight. Some time ago, the standard wisdom was that complexity made your password secure, meaning that ‘[email protected]$$WerD!’ was considered more secure than ‘Password’. However, NIST (the National Institute of Standards and Technology) recommends against using complexity as the leading factor, per its Special Publication 800-63 revision 3. Instead, it recommends length over complexity, because users faced with complexity rules choose short passwords to make them easier to memorize and type. This does not entirely disregard complexity as being important: a mixture of both length and complexity is the preferred standard.
One defense that used to be recommended, but is now considered bad practice, is password rotation. Essentially, an organization would have its employees create new passwords every few months. However, this was found to create password fatigue: employees would get burned out and do the minimum needed to satisfy the change. In practice, ‘SecretPassword1’ would become ‘SecretPassw0rd1!’. This does not help the organization, because an already compromised or weak password will still be used by criminal actors if the change is that small. These weaknesses also apply to internal resources: servers in the cloud or on-premises, and other resources that are not accessible over the Internet.
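The two points above (length as the primary requirement, and rotation producing trivial variants such as ‘SecretPassword1’ → ‘SecretPassw0rd1!’) can be turned into an automated check at password-change time. The following is an added illustration written for this article; it is not code from R.A.D. Security or from NIST. The eight-character floor comes from the text; the small denylist, the leet-substitution table, the "2 × minimum length" threshold for requiring a second character class, and the edit-distance cut-off of 2 are this example's own assumptions, and a real deployment would swap the denylist for a large list of known-compromised passwords.

```python
import re
from typing import Optional

MIN_LENGTH = 8  # the article's floor: at least eight characters

# Constructed, deliberately small denylist for the example; a real deployment
# would check against a large list of known-compromised passwords instead.
COMMON_STEMS = {"password", "12345678", "qwerty", "letmein", "welcome"}

# Substitutions users typically apply when forced to rotate a password
# (assumed table, not an exhaustive one).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to a comparable stem: lowercase, drop leading and
    trailing digits/symbols (the usual rotation suffix), undo leet
    substitutions, then keep letters only. Returns "" for all-digit input."""
    stem = password.lower()
    stem = re.sub(r"^[^a-z]+|[^a-z]+$", "", stem)
    stem = stem.translate(_LEET)
    return re.sub(r"[^a-z]", "", stem)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is the kind of minimal change that rotation fatigue
    produces: same stem after normalisation, one stem contained in the
    other, or at most two edits apart (threshold is an assumption)."""
    a = normalize(old) or old.lower()
    b = normalize(new) or new.lower()
    return a == b or a in b or b in a or edit_distance(a, b) <= 2


def check_password(candidate: str, previous: Optional[str] = None,
                   min_length: int = MIN_LENGTH) -> list:
    """Return the policy findings for `candidate`; an empty list means it
    passes. Length is the primary control; character classes are only
    required for passwords shorter than 2*min_length (this example's own
    choice, reflecting 'length over complexity' without ignoring complexity)."""
    findings = []
    if len(candidate) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if (normalize(candidate) or candidate.lower()) in COMMON_STEMS:
        findings.append("matches a common password")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(candidate) < 2 * min_length and classes < 2:
        findings.append("short password with a single character class")
    if previous is not None and is_trivial_variant(previous, candidate):
        findings.append("trivial variation of the previous password")
    return findings


if __name__ == "__main__":
    # Constructed sample rotations for demonstration.
    samples = [("SecretPassword1", "SecretPassw0rd1!"),
               ("SecretPassword1", "correct horse battery staple")]
    for old, new in samples:
        print(f"{new!r}: {check_password(new, previous=old) or 'ok'}")
```

Running the block shows the article's own rotation example being rejected as a trivial variation, while an unrelated long passphrase passes even though it uses only lowercase letters and spaces; that is the "length over complexity" rule in action.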
A chain is only as strong as its weakest link. Communication between the security team and the rest of the organization is paramount. Employees may have questions, and answering them can lead to a better understanding of why password policies are essential.
R.A.D. Security can help your organization gain that understanding. Through our robust and tailored training programs, we can create an awareness of security problems that will make your employees more resilient in the evolving world of technology.
For more information on how we can help, please contact us.