Why Insisting on Complicated Passwords can be a Dangerous Security Practice | Imperva

Why Insisting on Complicated Passwords can be a Dangerous Security Practice

According to the Forrester Insider Threat report commissioned by Imperva in 2021, 50% of the companies surveyed plan to increase security awareness among their employees over the next 12 months, and many already have solid practices in place. According to the 2022 Ponemon report on the cost of insider threats, negligent employees and accidental behavior are the root cause of most insider incidents (57%).

The same Ponemon report on the global cost of insider threats states that 3,807 incidents, or 56% of the total, were caused by employee or contractor negligence, at an average cost of $484,931 per incident. That negligence takes many forms, including failing to secure devices and not following the company’s security practices. A strong password policy is critical to any organization’s security, but can it go too far? And how do we implement one that is sympathetic to our colleagues while still promoting good practice?

Overcomplication leads to simplification

It is common business practice to require passwords of at least eight characters that include a digit, an uppercase letter, a lowercase letter and a special character, and to expire every login password after 90 days. These rules look sensible on paper, but forcing a user to accept a random string of digits, letters and symbols is another matter entirely. NIST’s Digital Identity Guidelines (SP 800-63B) have recommended since 2017 that verifiers should not impose such composition rules or require arbitrary periodic password changes, precisely because of the user behavior they provoke.

If you do, the outcome is guaranteed and simple: they will write it down. It may be on a Post-it note, at the back of an office notebook, in a note on their phone or on random scraps of paper, but if they have no realistic chance of remembering the password they will record it somehow. This is a security hole waiting to happen, and negligent employees making simple mistakes like this are the root cause of most insider incidents.

Fifty-seven percent of respondents to the Ponemon report said insider incidents involved employee negligence, and 51% said a malicious outsider stole data by compromising insider credentials or accounts. Educating colleagues about the importance of data security is critical, but we can also support them in making good choices by promoting a simple, memorable system for building passwords rather than insisting they recall complicated codes they will end up committing to paper.

A password manager is one solution: it generates and stores a unique random password for every system, so the user no longer has to remember one password per point of access. But the manager itself is protected by a single master password, and that one still has to be both strong and memorable, which brings us back to the same problem.

One simple trick for life

Colleagues can be encouraged to build a unique, easy-to-recall password from a memorable phrase, or from an acronym of one. Replacing a few letters with numbers or symbols, deliberately misspelling words, and using acronyms or abbreviations are simple tricks that make a password harder to guess while keeping it memorable.

Employees can be encouraged to adopt a personal system within a phrase they can easily remember: always replacing the same letters with the same special characters or numbers, or simply leaving certain letters out altogether. Their password is a secret, after all, so no one is going to check their spelling.

Here are some examples:

  • “open sesame” could be “opN-55aM”
  • “My dog Maggie” could be “mydO6ma66ie”
  • “I love a cheese sandwich” could be “IehC5991”
  • The phone number “+1 866 926 4678” could be “Tel+!8^6(2$4*8” (holding shift on some of the digits so the keyboard produces their symbols instead).
  • “Shall I compare thee to a summer’s day? Thou art more lovely and more temperate” could be “siCT2ASD?tAML&MT”

Some employees might replace every “a” with a 4 or drop all vowels; others might add an exclamation mark after each word, write “v” as “>”, or replace “o” with an asterisk. Each substitution acts as a variable in that person’s private system. The system travels from password to password and job to job, so each change of password only means choosing a new phrase, and each member of staff can keep their own code realistically for life. Four or five such variables should be the minimum to produce passwords that are both strong and easy to remember. One caveat: the most common substitutions (a to 4, e to 3, o to 0, s to 5 or $, i to 1 or !) are built into every password-cracking rule set, as are famous quotations and song lyrics, so a substituted dictionary word or a well-known line gains little. The real strength comes from the length of the phrase and from choosing one that is personal rather than famous; the substitutions mostly serve to satisfy composition rules while keeping the phrase memorable.
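The following Python is an added example, not code from the original Imperva post. It implements the two mechanics described above (an acronym of a phrase, with short words swapped for symbols, and a consistent letter-to-symbol “personal system”) and then shows the attacker’s side: a normalizer that undoes the common substitutions, the way cracking rule sets do, feeding a NIST SP 800-63B style check that enforces a length floor and a blocklist but no character-class rules. The substitution tables, the six-entry blocklist standing in for a breached-password corpus, the 12-character minimum and the function names are all assumptions made for the illustration.

```python
"""Passphrase-to-password 'personal system' plus the attacker's view of it.
Added example; the substitution maps, wordlist, length floor and function
names are constructed for illustration, not taken from the original page."""
from __future__ import annotations

import itertools
import re

# Shorthand for whole words, as in the post's "to" -> "2" and "and" -> "&" (constructed).
WORD_SHORTHAND = {"to": "2", "too": "2", "and": "&", "for": "4", "at": "@"}

# Symbols that substitution-reversing cracking rules read back as letters
# (constructed table of the usual leetspeak pairs); one symbol may mean several letters.
LEET_INVERSE = {
    "4": "a", "@": "a", "3": "e", "1": "il", "!": "i", "0": "o",
    "5": "s", "$": "s", "7": "t", "+": "t", "6": "gb", "8": "b", "|": "l",
}

# Constructed stand-in for a breached/common-password corpus.
COMMON_PASSWORDS = frozenset({
    "password", "letmein", "opensesame", "qwerty", "iloveyou", "welcome",
})

MIN_LENGTH = 12  # assumption: length is enforced, character classes are not


def acronym(phrase: str, shorthand: dict[str, str] = WORD_SHORTHAND) -> str:
    """First letter of each word, keeping its case and any trailing punctuation,
    with short words swapped for a symbol ("to" -> "2", "and" -> "&")."""
    out = []
    for token in phrase.split():
        core = token.rstrip("?!.,;:")
        tail = token[len(core):]
        if core:
            out.append(shorthand.get(core.lower(), core[0]) + tail)
    return "".join(out)


def substitute(text: str, system: dict[str, str]) -> str:
    """Apply the user's own system: the same letter always becomes the same
    symbol; anything not in the system is kept as typed, spaces are dropped."""
    return "".join(system.get(ch.lower(), ch) for ch in text if ch != " ")


def normalize_candidates(password: str, limit: int = 512) -> set[str]:
    """Attacker's view: every plaintext a substitution-reversing rule could
    recover. A mapped symbol is read as each letter it stands for or kept
    literally; other punctuation is kept or dropped. Capped to bound the product."""
    options = []
    for ch in password.lower():
        if ch in LEET_INVERSE:
            options.append(tuple(LEET_INVERSE[ch]) + (ch,))
        elif ch.isalnum():
            options.append((ch,))
        else:
            options.append((ch, ""))
    return {"".join(c) for c in itertools.islice(itertools.product(*options), limit)}


def check_password(password: str, blocklist: frozenset[str] = COMMON_PASSWORDS) -> tuple[bool, str]:
    """NIST SP 800-63B style acceptance: a length floor and a blocklist lookup
    that sees through capitalisation, common substitutions and appended
    digits/symbols. No mandatory character classes, no expiry."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    for cand in normalize_candidates(password):
        stem = re.sub(r"[^a-z]+$", "", cand)  # "password!123" -> "password"
        if cand in blocklist or stem in blocklist:
            return False, f"reads as the common password '{stem or cand}' once substitutions are undone"
    return True, "ok"


if __name__ == "__main__":
    sonnet = "Shall I compare thee to a summer’s day? Thou art more lovely and more temperate"
    for pw in (acronym(sonnet), substitute("my dog maggie", {"o": "0", "g": "6"}),
               "opN-55aM", "P4ssw0rd!123"):
        print(f"{pw!r:22} -> {check_password(pw)}")
```

Run as a script it prints the verdict for each sample: the sixteen-character sonnet acronym passes, “P4ssw0rd!123” is rejected because the normalizer recovers “password” from it, and the eight-character “opN-55aM” fails on length alone, which is the point the check is making: a substituted short word is still a short word to a cracking rig, while a long personal phrase survives both tests.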

It’s a simple solution, but data security is about education, and data security is everyone’s personal responsibility.