Originally Published January 2021
Updated September 2023
At least one password you’ve used over the course of your life has been compromised.
That’s true of everyone, and that’s why we put password policies in place: to keep passwords – and the information they guard – secure.
But could your current password policy be hindering your data security efforts?
In today’s blog, we cover the factors to weigh and provide password policy questions your organization should ask.
The Problem with Traditional Password Policies
Traditional password policies typically involve setting rules for password complexity. This might include requirements such as using a mix of upper and lower case letters, numbers and special characters, as well as mandating regular password changes.
While these policies were designed with good intentions, they can lead to unintended consequences:
- Complexity Breeds Predictability: Ironically, forcing users to create complex passwords often results in them resorting to patterns that are easy to remember, but also easy for attackers to guess.
- Frequent Changes Decrease Security: Regular password changes can lead to “password fatigue,” where users end up writing down passwords or using slight variations, ultimately reducing security.
- Burden on Users: Remembering multiple complex passwords across various platforms can overwhelm users, leading them to use the same password across multiple accounts or rely on insecure methods.
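To make the first point concrete, here is an added example (not part of the original post) in Python that judges the same candidate passwords under a classic complexity rule and under a length-first rule that screens for common words and predictable patterns. The block list, the patterns and the candidate passwords are constructed for illustration; a real policy would screen against a full breached-password corpus.

```python
import re

# Constructed sample block list (not from the original post). A real deployment
# would check candidates against a breached-password corpus, not a handful of words.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "winter", "admin"}

# Shapes that satisfy "upper + lower + digit + symbol" yet are highly predictable.
PREDICTABLE = {
    "season followed by a year": re.compile(
        r"^(spring|summer|autumn|fall|winter)[a-z]*\d{2,4}[!@#$%*.]{0,2}$"),
    "single word plus digits and a trailing symbol": re.compile(
        r"^[a-z]+\d{1,4}[!@#$%*.]{0,2}$"),
    "keyboard walk or sequence": re.compile(r"qwerty|asdf|zxcv|1234|abcd"),
}
LEET = str.maketrans("@0$3", "aose")  # undo the substitutions users reach for first

def core_word(pw: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, undo common leetspeak."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower()).translate(LEET)

def traditional_policy(pw: str) -> bool:
    """The classic complexity rule: 8+ characters with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and bool(re.search(r"[A-Z]", pw))
            and bool(re.search(r"[a-z]", pw))
            and bool(re.search(r"\d", pw))
            and bool(re.search(r"[^A-Za-z0-9]", pw)))

def modern_policy(pw: str, min_len: int = 12) -> list:
    """Length-first rule plus screening. Returns the reasons it fails (empty = pass)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if core_word(pw) in COMMON_WORDS:
        reasons.append(f"core word '{core_word(pw)}' is a commonly used password")
    for label, pattern in PREDICTABLE.items():
        if pattern.search(pw.lower()):
            reasons.append(label)
    return reasons

def compare(pw: str) -> dict:
    """Show how each policy judges the same candidate password."""
    reasons = modern_policy(pw)
    return {"traditional_accepts": traditional_policy(pw),
            "modern_accepts": reasons == [],
            "modern_reasons": reasons}

if __name__ == "__main__":
    # Constructed candidates: two that pass the complexity rule but are predictable,
    # and a passphrase the complexity rule rejects although it is far harder to guess.
    for candidate in ("P@ssw0rd2023!", "Summer2023!", "purple-otter-sails-north"):
        print(candidate, compare(candidate))
```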
The Rise of Password-Less Authentication
Given the challenges associated with traditional password policies, many organizations are exploring alternatives, such as password-less authentication.
This approach replaces passwords with more secure and convenient methods, such as biometrics (fingerprint, facial recognition), hardware tokens or mobile-based authentication.
Check out a few advantages of password-less authentication:
- Enhanced Security: Biometrics and hardware tokens offer stronger protection against phishing, brute-force attacks and password leaks.
- User Experience: Password-less methods simplify the authentication process, reducing user frustration and the likelihood of security shortcuts.
- Reduced Support Costs: With fewer password-related issues, IT teams can save time and resources.
Finding the Right Balance
While password-less authentication offers compelling advantages, it might not be a one-size-fits-all solution.
Organizations need to evaluate their unique needs, user demographics and risk factors. Hybrid approaches that combine password-less methods with traditional ones might be more suitable in some cases.
Tips for Modern Authentication Strategy
- Assess Risk: Understand your organization’s threat landscape and consider implementing stronger authentication methods for critical systems and data.
- User Education: Regardless of the approach, educate users about cybersecurity best practices and the importance of protecting their credentials.
- Multi-Factor Authentication (MFA): MFA can enhance security by requiring users to provide multiple forms of verification.
Password Policy Questions to Consider
To help get you thinking, ask yourself the following questions about your current password policy:
- Does your complex password policy hinder everyday functionality for end users who need to enter their passwords often?
- Do your requirements make passwords too long, too hard to remember or too difficult to change, possibly encouraging end users to write them down?
- Have you considered Multi-Factor Authentication to complement and strengthen your password policy?
- Outside of the policy itself, are you working to drive end-user awareness and anti-phishing practices to protect your passwords?
- Is your password policy strong enough to keep your information secure?
Is it time to look at your current password policy? Loffler can help. We have templates that will help you work through good, better and best password policies, and help you construct a new policy that will fit your organization’s needs.
Lisa is a Sales Leader at Loffler Companies, with a passion for the value that Managed Services brings to its clients every day. She has experience ranging from SMB to enterprise markets with an emphasis in Managed Services, Unified Communications, Security and Professional Services. She leads an award-winning team that takes pride in their technical experience as well as delivering world-class service to their clients.