We live in a world full of policy, etiquette, regulation, and law, which provides a written, and sometimes unwritten, framework for the codes of conduct deemed acceptable or unacceptable in our society.
However, having rules in place does not guarantee compliance. It is for this reason that we have police forces, armies, industry watchdogs, regulators, peer pressure, and more to help ensure the rules are followed, and in the main, as a society, we are very good at obeying them. Consider how most of us adhered to strict lockdown rules during the pandemic, and how, despite queues stretching for many miles, people took their place in line and waited to pay their respects to Her Majesty Queen Elizabeth during her lying-in-state.
However, there are instances where we may be more willing to bend the rules, especially if we perceive a victimless crime. Passwords are a good example. A lot of organisations have a password policy, but many employees do not adhere to the rules: passwords are not changed as frequently as required, the necessary format is not followed, the same password is used for multiple accounts, and login credentials are shared.
Yet, for those who diligently do the right thing, there can still be a problem if the policy itself is not fit for purpose. Earlier in the summer, it was reported that Shopify required passwords to be at least five characters long. However, research into breached passwords revealed that 99.7% of those passwords met Shopify's requirements.
This case is far from surprising, given that many password policies in use today can be as much as 25 years old, despite guidance from bodies such as NIST. The world has moved on and the threat landscape has changed. Phishing attacks were not around when many of these policies were created, but today they pose one of the largest cybersecurity risks.
Part of the problem is that what has long counted as a 'strong' and 'secure' password no longer is. Requiring a combination of upper-case, lower-case, and special characters only makes passwords harder to remember, not stronger. No matter how complex a password is, if a bad guy has the password, they have access. With this in mind, the foundation of any password policy must be to ensure that breached passwords are not in use within the organisation. Multi-factor authentication (a username, password, and another credential such as a pattern, PIN, or biometric) also has an important role to play; however, the first step is to have a password management solution in place that automatically detects breached passwords and ensures they are immediately replaced with new passwords that conform to the latest NIST recommendations.
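As an added illustration of the two points above (drop composition rules, block breached passwords), the following Python check is not from the article or any vendor's product. It applies a minimum and maximum length in the spirit of NIST SP 800-63B, imposes no character-class rule, and compares the candidate's SHA-1 against a breach corpus using the same five-character prefix idea as the Have I Been Pwned range query. The corpus here is a small constructed set built inline from well-known weak strings, standing in for a real breach feed; the function and constant names are the author's own.

```python
import hashlib

# Constructed sample breach corpus: SHA-1 hashes (upper-case hex) of a handful of
# well-known weak passwords. In production this would be a real breach feed such as
# the Pwned Passwords data set, queried over HTTPS rather than held in memory.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Shopify1", "Tr0ub4dor&3")
}

MIN_LENGTH = 8   # NIST SP 800-63B minimum for user-chosen memorised secrets
MAX_LENGTH = 64  # NIST asks verifiers to accept at least 64 characters


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the format breach corpora publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_breached(password: str, corpus=BREACHED_SHA1) -> bool:
    """Return True if the password's hash appears in the breach corpus.

    Mirrors the k-anonymity range lookup: only the first five hex characters of the
    hash select a candidate range, and the remaining 35 are compared locally, so the
    full hash (let alone the password) never has to leave the client. Here the
    "range lookup" is a filter over the in-memory corpus.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidate_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidate_suffixes


def evaluate_password(password: str, corpus=BREACHED_SHA1) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    Deliberately no composition (character-class) rule: NIST advises against them
    and they mainly make passwords harder to remember. Length and breach status are
    the only criteria.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(password, corpus):
        problems.append("appears in breached-password corpus")
    return problems


if __name__ == "__main__":
    # "Tr0ub4dor&3" satisfies every classic complexity rule yet is in the corpus;
    # the long passphrase satisfies none of them and passes.
    for candidate in ("Shopify1", "Tr0ub4dor&3", "short", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate_password(candidate) or 'ok'}")
```

The point the run makes is the one the article makes: a password that ticks every complexity box can still be rejected because it is already in a breach corpus, while a long, plain passphrase that ticks none of them is accepted. Wiring `evaluate_password` into both the password-change path and a scheduled sweep of existing credentials is what turns the policy into policing.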
Think of it as password policing rather than policy: a method for both prevention and enforcement. Passwords are far from the ideal authentication solution, and the policies that have long governed them have done little to improve the situation. Organisations are beginning their journeys towards passwordless alternatives, but it will take time for this to become the norm. Until then it is vital that we create an environment in which passwords can be used with the highest level of assurance.