How to Make Password Policies Actually Work

Passwords are one of the most basic yet essential components of cyber-security.

If your organisation lacks strong passwords, you’re opening yourself up to attack. In fact, weak, default or stolen passwords are at least partially responsible for 63 percent of all confirmed data breaches.  

So the natural response of administrators is to rev up password security and make them as complex as possible. But this can create problems and isn’t always practical.

After all, people naturally forget things. Expecting someone to remember multiple long-winded passwords with a ridiculous combination of upper- and lowercase letters, numbers and symbols can be overly ambitious.

And if they take shortcuts like writing passwords down on a sheet of paper, an Excel spreadsheet or even worse, a cloud-based platform, your entire network could be compromised.

So how do you make password policies actually work and meet your security standards without creating an unnecessary burden on your employees?

Here are some ideas.

Ensure Passwords Meet Minimum Complexity Requirements…

Complex passwords are a double-edged sword. On one hand, creating incredibly complex passwords keeps hackers at bay and decreases your odds of suffering a data breach.

But on the other hand, it can be difficult for your employees to remember them, especially if they’re using multiple passwords throughout the day. This also increases their chances of creating shortcuts, which actually hurts your digital security in the long run.

So the trick is to find a happy medium between requiring insanely complex passwords and being lax about it.

You’ll certainly want to have your employees create passwords that meet minimum complexity requirements. However, you don’t want to be so stringent that it does more harm than good.

But Be Realistic About It

In other words, those requirements shouldn’t become burdensome. If it gets to the point that your employees are having trouble remembering their passwords and it distracts them from doing their jobs, then it’s a problem.

So what types of requirements should you have in place?

The University of Connecticut School of Business provides a good example of what solid password complexity requirements look like.

  • Must not contain the user’s account name or more than two consecutive characters from the user’s full name
  • Must be at least eight characters long
  • Must contain characters from three of the following four categories:
    • Uppercase letters
    • Lowercase letters
    • Numerical digits
    • Symbols
  • Can’t reuse any of the 24 previous passwords

Requirements like these should ensure a high level of security but aren’t so complex as to create friction among your staff.
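To show what enforcing the list above looks like in practice, here is an added example written for this article (it is not code from the University of Connecticut or from Stickman). It checks a candidate password against each listed rule and reports every failure at once, which is what a help-desk-friendly policy should do. Two points are this example's own assumptions: the "more than two consecutive characters" rule is read as "no run of three or more characters from any word of the full name, case-insensitively", and the 24-password history is compared as salted SHA-256 hashes under a constructed salt; a production history store should use a slow password hash such as bcrypt, scrypt or Argon2 instead. The user `jdoe` / "Jane Doe" and all sample passwords are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Policy constants taken from the requirements listed above.
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3   # of the four: upper, lower, digit, symbol
HISTORY_DEPTH = 24        # previous passwords that may not be reused
NAME_RUN = 3              # "more than two consecutive characters" of the full name

# Constructed salt for the illustrative history hash (see the note in history_hash).
HISTORY_SALT = b"constructed-example-salt"


@dataclass
class PolicyResult:
    ok: bool
    failures: list = field(default_factory=list)


def history_hash(password: str) -> str:
    """Hash used to remember previous passwords without storing them in clear.

    Illustrative only: salted SHA-256 is fast, so a real history store should
    use a slow password hash (bcrypt, scrypt or Argon2) instead.
    """
    return hashlib.sha256(HISTORY_SALT + password.encode("utf-8")).hexdigest()


def name_fragments(full_name: str, run: int = NAME_RUN) -> set:
    """Every run of `run` consecutive characters in each word of the full name.

    "Jane Doe" -> {"jan", "ane", "doe"}. Comparison is case-insensitive; the
    per-word reading of the rule is this example's assumption.
    """
    fragments = set()
    for part in full_name.lower().split():
        for i in range(len(part) - run + 1):
            fragments.add(part[i:i + run])
    return fragments


def category_count(password: str) -> int:
    """How many of the four character categories the password uses."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # anything else counts as a symbol
    ])


def check_password(password: str, account_name: str, full_name: str,
                   previous_hashes=()) -> PolicyResult:
    """Apply the listed rules; `previous_hashes` is oldest-first history."""
    failures = []
    lowered = password.lower()

    if account_name and account_name.lower() in lowered:
        failures.append("contains the account name")
    if any(frag in lowered for frag in name_fragments(full_name)):
        failures.append(f"contains {NAME_RUN}+ consecutive characters of the full name")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if category_count(password) < REQUIRED_CATEGORIES:
        failures.append(f"uses fewer than {REQUIRED_CATEGORIES} of the 4 character categories")

    # Only the most recent HISTORY_DEPTH entries are blocked; older ones may recur.
    candidate = history_hash(password)
    window = list(previous_hashes)[-HISTORY_DEPTH:]
    if any(hmac.compare_digest(candidate, old) for old in window):
        failures.append(f"matches one of the previous {HISTORY_DEPTH} passwords")

    return PolicyResult(ok=not failures, failures=failures)


if __name__ == "__main__":
    # Constructed history of 25 passwords: only the last 24 are still blocked.
    history = [history_hash(f"Old-Pass{i}") for i in range(25)]
    for pw in ("Correct-Horse9", "jdoe2024!", "Doe12345!", "short1A",
               "alllowercase", "Old-Pass1", "Old-Pass0"):
        result = check_password(pw, "jdoe", "Jane Doe", history)
        verdict = "OK" if result.ok else "REJECT: " + "; ".join(result.failures)
        print(f"{pw!r:18} {verdict}")
```

Running the sample accepts `Correct-Horse9` and `Old-Pass0` (the 25th-oldest password has dropped out of the 24-entry window), and rejects the rest with the specific rule each one breaks, so the user sees why a choice failed rather than a bare "password does not meet requirements".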

But if it had to be at least 16 characters long with an uppercase letter, lowercase letter, a number, a symbol, no two consecutive letters or numbers, etc., you can pretty much guarantee that your employees are going to have difficulty.

So it’s all about finding the right balance.

Ideally, your team members will choose strong passwords that meet the necessary criteria. But you won’t be so demanding and inflexible that it negates the impact of password optimization where your employees end up taking dangerous shortcuts.

Put Limits on Maximum Password Age

A big part of developing effective password policies is to set a maximum password age before it expires and must be replaced with a new one. While there is no definitive age limit, most experts agree that switching passwords once every 90 days is a good number to shoot for.

That tends to be sufficient for deterring hackers. Changing every 45 or even 30 days is technically better, but it’s extremely difficult to continually come up with a new password in that timeframe. So what happens is that people end up using a variant of a single password or writing their passwords down—neither of which is good for security.

But 90 days is a bit more feasible. There’s just one problem.

It’s still a fairly frequent basis, and you can bet that at least a percentage of your employees will forget to change their password every 90 days.

Notify Employees Via Email Before Their Passwords Expire

You can prevent this problem and streamline the entire process by automatically sending email notifications shortly before a password expires. This way your employees won’t have to think about it, which makes their lives easier.

So if you incorporate a 90-day maximum password age into your policy, you can do it with minimal strife. Your team members will know when it’s time to change without a lot of fuss on their end.
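The 90-day age limit and the reminder e-mail described in the last two sections come down to a small piece of date arithmetic. The following is an added example, not code from the article or from any particular product: given each account's last password change, it works out who should be reminded today and who has already lapsed. The seven-day notice window, the account names and the dates are constructed for the example; the actual e-mail sending is left to whatever mail system you use.

```python
from datetime import date, timedelta

MAX_AGE_DAYS = 90   # maximum password age from the policy
NOTICE_DAYS = 7     # assumed lead time for the reminder e-mail

# Constructed sample data: account name -> date of last password change.
SAMPLE_ACCOUNTS = {
    "alice": "2018-03-10",
    "bob": "2018-05-01",
    "carol": "2018-02-20",
    "dave": "2018-03-05",
}


def _as_date(value) -> date:
    """Accept either a date object or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def password_status(last_changed, today,
                    max_age_days: int = MAX_AGE_DAYS,
                    notice_days: int = NOTICE_DAYS) -> tuple:
    """Return (state, days_left): 'ok', 'remind' (inside the notice window,
    expiry day included) or 'expired' (negative days_left = days overdue)."""
    expires_on = _as_date(last_changed) + timedelta(days=max_age_days)
    days_left = (expires_on - _as_date(today)).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= notice_days:
        return "remind", days_left
    return "ok", days_left


def reminders_due(accounts: dict, today) -> list:
    """Accounts that should get a reminder e-mail today, most urgent first."""
    due = [(name, password_status(changed, today)[1])
           for name, changed in accounts.items()
           if password_status(changed, today)[0] == "remind"]
    return sorted(due, key=lambda item: item[1])


def expired_accounts(accounts: dict, today) -> list:
    """Accounts past the maximum age; these need a forced change, not a reminder."""
    return sorted(name for name, changed in accounts.items()
                  if password_status(changed, today)[0] == "expired")


if __name__ == "__main__":
    today = "2018-06-01"   # constructed run date
    for name, days_left in reminders_due(SAMPLE_ACCOUNTS, today):
        print(f"remind {name}: password expires in {days_left} day(s)")
    for name in expired_accounts(SAMPLE_ACCOUNTS, today):
        print(f"expired: {name} must change their password at next login")
```

Run daily from a scheduler, this sends a reminder on each of the last seven days before expiry; if one notice is preferred, keep only the accounts whose `days_left` equals `NOTICE_DAYS`. Keeping expired accounts in a separate list matters because a reminder is no longer the right message for them.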

Use a Password Manager

Another way to simplify things for your team members while still ensuring strong passwords is to use a password manager. This type of tool has come a long way in recent years and is now used by countless SMBs.

It basically acts as a digital safe that helps keep a person’s passwords secure, while at the same time keeping things uncomplicated. Rather than having to retype passwords every time an employee logs into one of their accounts, most password managers will autocomplete the username and password for them. And if they run into an issue, they can enter their master password.

While this isn’t a magic bullet and still comes with some element of risk, many SMBs find them to be quite useful and they can make your team’s lives a lot easier.

It benefits your employees because they don’t have to remember complex passwords. Instead, the tool automatically enters their passwords for them as they move from site to site, platform to platform.

Besides that, a password manager tends to expedite the login process where usernames and passwords are instantly populated without employees having to manually fill in the information. They can seamlessly get into wherever they need and be more productive.

It also benefits your company because you can use stronger passwords that may not be possible otherwise. You could potentially increase the minimum complexity requirements without creating any issues for your staff.

It’s really a win-win.

For a list of the top password managers of 2018, check out this resource from PC Magazine.

Consider Using Multi-Factor Authentication

“Multi-factor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login,” explains technical writer and author Margaret Rouse of TechTarget.

“MFA combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification),” she adds.

It’s a security technique that many organisations are pushing for, and understandably so. It creates an additional layer of security that’s difficult for cyber criminals to get around no matter how smart they may be.

If you feel that traditional password policies on their own are insufficient, this is certainly a type of technology worth considering. With weak passwords being the root cause behind so many data breaches, this is a great way to give your company an edge.

The only thing that holds some businesses back is a fear of resistance from employees because of the perceived level of inconvenience. And this is understandable. Team members don’t want to be hassled and go through a gauntlet of steps just to log into their accounts.

But here’s the thing. MFA doesn’t have to be bothersome.

There are several ways to go about it that don’t require employees to complete onerous actions like entering the code from a text they receive in addition to filling out a password. You can now choose from far more efficient (and secure) options.

For instance, you can use biometric factors such as a fingerprint reader, or facial or voice recognition. There’s also a location factor, which limits logins to a particular geographical location or specific devices. So if someone is using an unrecognized ISP, they won’t be permitted to log in.

As long as there’s no major inconvenience involved with the process, most employees should be fairly receptive to MFA, and it’s something you can implement for easy added security.

A Practical Approach to Password Policies

In a perfect world, each employee would have a unique password for every single account, with it being so complex that it’s nearly impossible to guess. They would never take shortcuts and write passwords down on an external source. And they would painstakingly protect their passwords, switching them out every 90 days without you even having to ask.

But this just isn’t a realistic expectation. People aren’t machines, and you can only expect so much from your team members—something that should be taken into account when developing password policies.

While asking your employees to create multiple passwords that are insanely complex along with taking other dramatic measures would certainly increase cybersecurity, it’s simply not practical.

So what you need to do is meet them halfway.

The strategies listed here should enable you to create password policies in a way that’s conducive to heightened security, while still taking the human element into account.

Have you had any issues with your existing password policies? Please let us know what your experience has been like.


Ajay Unni

Ajay Unni is the Founder and Chief Executive Officer of Stickman. Ajay specialises in helping customers manage the growing threat of data breaches and compliance with globally accepted industry standards for data security and compliance.
