How to create an Enterprise Password Policy that gets used

January 6th, 2017

Humans are fascinating creatures, and the way we think is intriguing and drives many career paths. But what does the human brain have to do with Security? And most importantly, what does it have to do with Password Policies? Understanding how the human brain works (at a high level) helps understand the best Password Policy for your organization.

Humans are fallible: we make mistakes and we forget things. In fact, the human brain is completely wired to forget as much as possible. Can you imagine what it would be like if you remembered every single detail, of every second, of every day, of your entire life? It would be complete overload and we wouldn’t be able to handle it well!

So how do we deal with forgetting? We create shortcuts

Humans create mental and physical shortcuts, whenever possible in order to retain as much information as possible.

So if humans are great at forgetting, and really good at creating shortcuts, then why do we ask them to create unique and exceedingly complex passwords? Do you see the conundrum here? We ask our employees to create complex passwords, that they will forget, and require them to create shortcuts in order to remember and use.

These shortcuts are seen all the time:

• Writing the password down on a notepad or Excel
• Using the same password in multiple locations
• Following a pattern for consecutive password changes (going from Password1! to Password2! makes it easy to guess what your next password will be)
• Sharing a single password among multiple people

And all of these shortcuts lead to insecure practices, which easily lead to a compromised infrastructure.

So how do we create an Enterprise Password Policy that gets used?
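Two of the shortcuts above (reusing a known-bad password with leetspeak substitutions, and bumping a number from Password1! to Password2!) can be caught at the point where a password is set. The following is an added example, not code from the original post: a Python check that rejects short passwords, passwords on a blocklist, and "new" passwords that are only a variation of a previous one. The minimum length, the blocklist entries, the leetspeak map and the sample passwords are all constructed for illustration; a real deployment would load a full breached-password list.

```python
"""Password-acceptance check built around the shortcuts people actually use.
Added example, not from the original post. Values below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH = 8  # assumption: NIST SP 800-63B minimum for user-chosen passwords

# Constructed sample blocklist; a real check would load a large breach corpus.
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "welcome1",
    "qwerty123", "letmein", "12345678",
}

# Constructed leetspeak map: P@ssw0rd normalizes to password.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


@dataclass
class Verdict:
    ok: bool
    reason: str


def normalize(pw: str) -> str:
    """Collapse the usual dodges: case, leading/trailing digit or symbol
    runs (Winter2023! -> winter) and leetspeak substitutions."""
    s = pw.lower()
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)  # strip before leet-mapping
    return s.translate(LEET_MAP)


def too_similar(new: str, old: str) -> bool:
    """True when the new password is just a re-numbered or re-cased copy of
    the old one, or one stem is contained in the other."""
    a, b = normalize(new), normalize(old)
    if not a or not b:
        return False
    shortest = min(len(a), len(b))
    return a == b or (shortest >= 4 and (a in b or b in a))


def check_password(candidate: str, previous: Optional[List[str]] = None) -> Verdict:
    """Length, blocklist and history checks; no composition rules."""
    previous = previous or []
    if len(candidate) < MIN_LENGTH:
        return Verdict(False, f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        return Verdict(False, "appears in the common/breached password list")
    for old in previous:
        if too_similar(candidate, old):
            return Verdict(False, "only a variation of a previous password")
    return Verdict(True, "accepted")


if __name__ == "__main__":
    for pw, history in [("Winter2024!", ["Winter2023!"]),
                        ("P@ssw0rd!", []),
                        ("correct horse battery staple", [])]:
        print(pw, "->", check_password(pw, history))
```

The history comparison works on normalized stems rather than on the raw strings, because a plain string-equality history check is exactly what the Password1! to Password2! shortcut is designed to slip past. Note that the check deliberately has no character-class rules: length plus a blocklist is what the policy advice below relies on.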

1. Take the human element out of it whenever you can – Use a password manager that doesn’t require a user to remember their password to log in to sensitive systems. (You can compare a few password managers here.)
2. Remove unnecessary password rotations – I’m going to have to side with NIST’s proposed password security policy changes coming up on this one. Your organization should practice a strong password policy, but forcing a user to pick a new password themselves leads to things like patterns in passwords. Now, if you have a password manager, then automatic rotation is just fine, because there is no downside to this practice when a piece of software is handling it.
3. Be careful with overly complex requirements – Remember, the harder you make something to remember, the faster your employees will make shortcuts to remember those passwords. If your password policy requires a capital letter, lower case letter, special character, a number, no two consecutive letters or numbers, and 12 characters long – there is no way I’m going to remember that password. Never. Ever.
4. Two Factor Authentication – Two Factor Authentication (2FA) needs to become a mandatory requirement in anything that requires a password, with an alerting system when a password is attempted without 2FA (early signs of password compromise). Personally, I’ve had numerous accounts saved from breach due to 2FA. There aren’t too many ways to get around this one for attackers. And honestly, their time is better spent trying to go after accounts that don’t have 2FA.
5. Don’t think like an Admin – What will the average employee do? Yes, they should protect their passwords. Yes, they should be all unique. Yes, they should make them hard to guess.

But will they? There are always two sides: what we should be doing, and what we will do. That is why I refer back to number 1…

Take the Human Element out of the equation
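Item 4 above asks for an alert whenever a password is accepted but the 2FA step never completes, since that is an early sign that the password has leaked. The following is an added example, not code from the original post: a Python detection that walks authentication log lines and reports every successful password check that is not followed by a successful MFA check from the same user within a time window. The log format, the field names, the 120-second window and the sample lines are all constructed for this example; adapt the regex to whatever your identity provider actually emits.

```python
"""Flag password-only logins that never completed 2FA.
Added example, not from the original post. Log format is constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed line format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)
MFA_WINDOW = timedelta(seconds=120)  # assumption: how long a user gets to finish 2FA

# Constructed sample log: alice completes 2FA, bob never does, carol fails it.
SAMPLE_LOG = """
2017-01-06T09:00:01Z user=alice event=password_ok src=10.0.0.5
2017-01-06T09:00:03Z user=alice event=mfa_ok src=10.0.0.5
2017-01-06T09:05:00Z user=bob event=password_ok src=198.51.100.7
2017-01-06T09:06:10Z user=carol event=password_ok src=203.0.113.9
2017-01-06T09:06:40Z user=carol event=mfa_fail src=203.0.113.9
2017-01-06T09:20:00Z user=bob event=mfa_ok src=198.51.100.7
""".strip().splitlines()


def parse(lines: List[str]) -> List[Dict[str, object]]:
    """Parse recognised lines into dicts; unrecognised lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "event": m["event"],
            "src": m["src"],
        })
    return events


def find_password_only_logins(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, source, timestamp) for each password_ok with no mfa_ok
    from the same user inside MFA_WINDOW. A later mfa_ok outside the window
    (bob at 09:20) does not clear the earlier alert."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "password_ok":
            continue
        deadline = e["ts"] + MFA_WINDOW
        completed = any(
            f["user"] == e["user"] and f["event"] == "mfa_ok"
            and e["ts"] <= f["ts"] <= deadline
            for f in events[i + 1:]
        )
        if not completed:
            alerts.append((e["user"], e["src"], e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for user, src, ts in find_password_only_logins(SAMPLE_LOG):
        print(f"ALERT password accepted without 2FA: user={user} src={src} at={ts}")
```

The alert fires on the absence of an event, so the detection has to be run over a window that extends past the last password_ok by at least MFA_WINDOW; running it on a live stream means buffering events for that long before deciding. Pairing the alert with the source address lets the responder tell a user who walked away from a login prompt apart from a password that is being tried from somewhere unexpected.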

