Many believed that the use of passwords would by now have become a thing of the past, with more secure alternative forms of user authentication taking their place. However, despite the increasing use of biometric identification such as fingerprint and facial recognition on some devices, the humble password remains the most common form of user ID for most business systems.
Various sources analysing data security breaches indicate that a large percentage are caused by compromised user passwords, and that the associated costs to business are staggering.
So, is the answer to enforce regular password changes?
Current opinion from the likes of Microsoft and NIST, together with the dropping of enforced password changes from the NCSC’s Cyber Essentials standard, suggests not. Regular changes, it is suggested, have a negative impact on staff and productivity, increase costs and do not appear to have been effective in improving password security.
What repeatedly causes security issues is the business’s approach to password integrity and strength. Too often users are allowed to select ‘weak’ passwords, share them freely with colleagues and in some cases even display them on their PCs!
So, what is the solution?
Adoption of a password hardening strategy will enhance the security posture of the business and help drive home its importance to staff. This can be achieved through the implementation of various measures, which businesses can consider as part of their policy:
- Enforce strong password selection through organisational & systems policy
- Passwords to be a minimum of 8 characters and include letters, numbers and symbols
- Enforce unique passwords for all users – no shared access to applications
- No re-use of old passwords or same passwords for differing applications
- No use of consecutively repeating characters
- Audit password strength periodically
- Conduct physical audits of user workstations
- Employ random password generators
- Issue passwords to staff – remove the risk of poor selection
- Enforce password changes if compromise suspected or weakness identified
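As an added illustration of the measures in the list above (example code written for this page, not from the original post or any product it mentions), the following Python script encodes the minimum-length, character-class, repeated-character and password-history rules as a single checker, drives a random password generator through that checker so that issued passwords always comply, and runs the checker over a small constructed set of accounts the way a periodic strength audit would. The symbol set, the 14-character generator length and the use of SHA-256 fingerprints for the history are assumptions made to keep the example self-contained.

```python
import hashlib
import secrets
import string

# Assumed symbol set; adjust to whatever the organisation's policy permits.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def fingerprint(password):
    """Fingerprint used only for the password-history check in this example.
    A real account store would compare against its slow password hash
    (bcrypt, scrypt, Argon2) rather than a bare SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def has_consecutive_repeat(password):
    """True if any character is immediately repeated, e.g. 'aa' or '11'."""
    return any(a == b for a, b in zip(password, password[1:]))


def check_password(password, history=()):
    """Return the list of policy violations; an empty list means the password passes.

    Rules mirror the policy bullets: minimum 8 characters, letters + numbers + symbols,
    no consecutively repeating characters, no re-use of a previous password.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbols")
    if has_consecutive_repeat(password):
        problems.append("consecutively repeating characters")
    if fingerprint(password) in history:
        problems.append("re-used from password history")
    return problems


def generate_password(length=14):
    """Issue a random password that satisfies check_password().

    secrets.choice draws from the OS CSPRNG; the loop simply rejects the rare
    candidate that misses a character class or repeats a character.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


def audit(accounts):
    """Periodic audit: map each user to their policy violations, skipping compliant ones."""
    return {user: check_password(pw) for user, pw in accounts.items() if check_password(pw)}


if __name__ == "__main__":
    # Constructed sample accounts for the audit (not real credentials).
    sample_accounts = {
        "alice": "Summer2024",      # no symbol, and 'mm' repeats
        "bob": "Pa5$word",          # passes every rule
        "carol": "abc",             # too short, no numbers, no symbols
    }
    for user, issues in audit(sample_accounts).items():
        print(f"{user}: {', '.join(issues)}")
    print("issued:", generate_password())
```

Run the checker both when a user sets a password and on the audit schedule; the history list should hold fingerprints of every previous password for that account, so that the "no re-use" rule is actually enforced rather than relying on the user.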
Don’t let poor password policy be the weak link in your security chain!