Most corporate password policies don’t work because they are old-fashioned. Our experience is that most organisations layer in additional authentication over time but have policies that are counterproductive to security.
Here are a few examples:
- Allowing the option of one-factor authentication
- Allowing old and previously compromised passwords to be used
- Allowing common passwords to be used
- Requiring password complexity with special characters and randomisation
Some of these may surprise you, particularly the one about password complexity. Surely more complexity means more security? In principle it does, but complexity rules make passwords impossible to remember, which leads to bad practices like writing them down.
The truth is that enforcing old-fashioned password complexity rules makes passwords weaker. It leads people to use predictable workarounds that satisfy the rules on paper, such as their first name, a common word, or a short number string.
Password best practices
There are five screening checks to apply when creating strong passwords:
- Don’t use dictionary words
- Don’t use repetitive or sequential characters (e.g. 12345 or bbbbb)
- Don’t use context-specific words, like the username or website name
- Check passwords against breach records using a service like Have I Been Pwned
There are also three best practices when creating passwords:
- Use at least 8 characters
- Consider using up to 64 characters if possible
- If you have the option, don’t use special characters if it makes your password impossible to remember
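The screens and length rules above are straightforward to enforce at the point where a password is set. The following is an added example, not code from the original article: it checks a candidate password for dictionary words (after stripping the digits and punctuation people use to get round the rule), repetitive or sequential runs, context-specific words such as the username, and length between 8 and 64 characters, with no special-character requirement. The breach check mirrors the k-anonymity shape of the Have I Been Pwned Pwned Passwords range lookup (only the first five hex characters of the SHA-1 hash leave the client; the suffix is compared locally), but the word list and breach corpus here are small constructed stand-ins and the lookup is a local function rather than a call to the live service; the function and variable names are this example's own.

```python
import hashlib
import re

# Constructed stand-ins for a real word list and for the Pwned Passwords
# corpus; a deployment would load a full dictionary and query the live service.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "P@ssw0rd"}


def _build_range_index(passwords):
    """Index SHA-1 digests by their first five hex characters, mirroring the
    shape of a k-anonymity range response: each prefix maps to (suffix, count)."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], []).append((digest[5:], 1))
    return index


_RANGE_INDEX = _build_range_index(BREACHED_PASSWORDS)


def local_range_lookup(prefix):
    """Offline stand-in for a range query (hypothetical helper): receives only
    a 5-character hash prefix, never the password or its full hash, and
    returns the matching (suffix, count) pairs."""
    return _RANGE_INDEX.get(prefix, [])


def breach_count(password, range_lookup=local_range_lookup):
    """Return how many breach records contain the password (0 if none).

    Only the first five hex characters of the SHA-1 digest leave this function;
    the remaining 35 characters are compared against the returned suffixes
    locally, so the lookup service never learns which password was checked."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def has_repetitive_or_sequential_run(password, run_length=4):
    """True if any window of run_length characters is all the same (bbbb) or
    moves by exactly one code point each time (1234, abcd, dcba)."""
    for i in range(len(password) - run_length + 1):
        codes = [ord(c) for c in password[i:i + run_length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def evaluate_password(password, context_words=(), range_lookup=local_range_lookup):
    """Apply the screens and the length rules; return a list of failures
    (an empty list means the password is acceptable).

    Deliberately absent: any requirement for special characters or mixed case."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if len(password) > 64:
        failures.append("longer than 64 characters")

    # Strip digits and punctuation before the dictionary check so that the
    # classic workaround "Summer2024!" is still caught as the word "summer".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY_WORDS or any(w in core for w in DICTIONARY_WORDS if len(w) >= 5):
        failures.append("based on a dictionary word")

    if has_repetitive_or_sequential_run(password):
        failures.append("contains a repetitive or sequential run")

    lowered = password.lower()
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            failures.append(f"contains context-specific word '{word}'")

    count = breach_count(password, range_lookup)
    if count:
        failures.append(f"found in {count} breach record(s)")
    return failures


if __name__ == "__main__":
    context = ("alice", "examplecorp")  # constructed username and site name
    for candidate in ("Summer2024!", "alice2019", "blue-kettle-orbit-42-marble"):
        print(candidate, "->", evaluate_password(candidate, context_words=context) or "OK")
```

Because the rules are expressed as a list of named failures rather than a single pass/fail, the same function can drive a user-facing message at password creation and a periodic audit of existing credentials against newly published breach data.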
Use a password manager
You can make it easy for workers to follow password rules with a password manager. Password managers automatically create longer, more complex passwords for each managed credential. Users only need to remember a single passphrase across all login areas, so it makes life easier and keeps devices secure.
Enable two-factor authentication
Two-factor authentication (2FA) comes in a few forms. You can have 2FA via text message, 2FA via an authenticator app like Google Authenticator, and 2FA via details that are unique to the user, such as fingerprint login and face recognition.
2FA is considered best practice and most apps now require it, including PayPal, banking apps, crypto apps and other sensitive apps.
2FA is effective at keeping accounts safe. The least secure type is text message 2FA, because a thief who holds a single device can have access to both the saved passwords and the text messages on it. That same thief cannot use your fingerprint.
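To show what an authenticator app and the server it talks to actually compute, here is an added example (not code from the original article) of the HOTP and TOTP algorithms from RFC 4226 and RFC 6238 in standard-library Python, with a verification routine that allows one 30-second step of clock drift, compares in constant time, and rejects reuse of an already-accepted step. The key shown in the `__main__` block is the RFC 4226 test key in its base32 form; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret, unix_time, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the current 30-second step."""
    return hotp(secret, int(unix_time) // step, digits)


def secret_from_base32(text):
    """Authenticator apps are enrolled with a base32 secret (usually via a QR
    code); this decodes it back to the raw key bytes the HMAC needs."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_totp(secret, submitted, now=None, step=30, window=1, last_step=-1):
    """Return the time step whose code matched, or None if nothing matched.

    Checks the current step plus `window` steps either side to absorb clock
    drift, compares in constant time, and refuses any step at or below
    `last_step` so a code that was already accepted cannot be replayed
    within its lifetime. The caller stores the returned step per user."""
    now = time.time() if now is None else now
    current = int(now) // step
    submitted = submitted.strip()
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(totp_at(secret, candidate * step, step), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 4226 test key "12345678901234567890" as an authenticator-style base32 string.
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp_at(key, time.time())
    print("current code:", code)
    accepted = verify_totp(key, code)
    print("accepted at step:", accepted)
    print("replay rejected:", verify_totp(key, code, last_step=accepted) is None)
```

The replay guard matters because a TOTP code is valid for the whole step plus the drift window; without remembering the last accepted step, a code captured in transit could be reused for up to a minute.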
Summing up
Corporate password policies need to make it as easy as possible for people to follow the rules. Archaic practices like randomised strings and special characters introduce complexity that is inconvenient for the user and easily bypassed. Password managers and 2FA are the simplest solutions for maximising convenience and security at the same time.