Why Requiring Complicated Passwords Is a Risky Security Practice
According to Imperva’s Forrester Insider Threat report, 50 percent of firms questioned expect to raise security knowledge among their employees during the next 12 months. Many are already doing so and have established good habits. According to the Ponemon Report on the Cost of Insider Threats in 2022, most insider incidents are caused by irresponsible personnel and unintentional behavior (57 percent).
According to recent Ponemon research on the cost of global insider threats, employee or contractor incompetence was responsible for 3,807 attacks, or 56 percent, costing an average of $484,931 per incident. This could be due to a number of issues, including a failure to safeguard their equipment and a failure to follow the company’s security best practices. Any organization’s security strategy should include a strong password policy, but can this go too far? What is the most effective method to do this while remaining empathetic to our coworkers and promoting best practices?
Simplicity emerges from over-complication.
According to industry standards, passwords should be at least eight characters long and contain at least one of each of the following: a numeric character, an uppercase letter, a lowercase letter, and a special character. Systems frequently also require that any login password be changed every 90 days. This makes sense in theory, but requiring a user to accept a password that is a nonsequential string of overcomplicated digits, letters, and symbols is a different story.
If you do, you can count on one easy result: they’ll write it down. It may be on a Post-it note or in the back of their office notebook, in a phone note or on random scraps of paper, but they’ll be obliged to record it somehow if they don’t think they’ll remember it. Obviously, this is a security weakness waiting to happen, and most insider incidents are the result of careless staff making basic mistakes like this.
In the Ponemon Report, 57% of respondents said insider incidents were caused by employee incompetence, while 51% said a malevolent outsider stole data by compromising insider credentials or accounts. We must educate our colleagues about the importance of data security, but we can also assist and support them in making good decisions by conducting a simple exercise and promoting a simple system for remembering passwords, rather than insisting that they recall complicated codes that they may end up writing down on paper.
While a password manager is one option, if there are several points of access and multiple unique passwords to remember, the password manager will almost always require its own unique password.
One simple life lesson
Colleagues can be urged to come up with a memorable phrase or acronym to establish their own unique password that is easy to remember. A strong “technique” to encourage users to make passwords more distinctive is to replace a few letters with numbers, purposely misspell phrases, and/or use acronyms or abbreviations.
Some employees may want to replace the letter “a” with the number 4, or to eliminate all vowels entirely. Some people prefer to put an exclamation mark after each word, write a “v” as “>”, or use an asterisk instead of an “o”. Each of these substitution strategies functions as a distinct variable in the personal system of each individual. Every time their passwords change, these basic methods carry over from password to password and from job to job, and each member of staff can be encouraged to have their own unique password code that they can realistically keep for life. Each personal system should have multiple variables, at least four or five, as the minimum required to ensure strong and easy-to-remember passwords.
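The phrase-plus-substitution system described above, as an added Python example that is not part of the original article: a memorable phrase is run through a person's fixed set of substitution "variables", and the result is checked against the industry-standard rules quoted earlier (eight characters, one digit, one uppercase, one lowercase, one special). The phrases, the rules and their order are constructed assumptions standing in for one person's private system.

```python
import re
from typing import Callable, Iterable, List

# One "variable" of a personal system is a single text transformation.
Rule = Callable[[str], str]

def a_to_4(s: str) -> str:         return s.replace("a", "4")
def v_to_gt(s: str) -> str:        return s.replace("v", ">")
def o_to_star(s: str) -> str:      return s.replace("o", "*")
def drop_vowels(s: str) -> str:    return re.sub(r"[aeiouAEIOU]", "", s)
def bang_each_word(s: str) -> str: return "".join(w + "!" for w in s.split())
def acronym(s: str) -> str:        return "".join(w[0] for w in s.split())

# A constructed four-variable personal system (an assumption for this example).
MY_RULES = (a_to_4, v_to_gt, o_to_star, bang_each_word)

def build_password(phrase: str, rules: Iterable[Rule]) -> str:
    """Apply the person's rules, in their fixed order, to a memorable phrase.
    Order matters: drop_vowels before a_to_4 leaves nothing for a_to_4 to do."""
    pw = phrase
    for rule in rules:
        pw = rule(pw)
    return pw

# The "at least one of each" classes quoted from industry standards above.
POLICY = {
    "digit": re.compile(r"\d"),
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def policy_gaps(pw: str, min_len: int = 8) -> List[str]:
    """Return the requirements a candidate password fails (empty list = passes)."""
    gaps = [name for name, rx in POLICY.items() if not rx.search(pw)]
    if len(pw) < min_len:
        gaps.append(f"length<{min_len}")
    return gaps

if __name__ == "__main__":
    # Constructed phrases; the same rules carry over from one password to the next.
    for phrase in ("Seven brave dogs walk home", "Fast cars drive over hills"):
        pw = build_password(phrase, MY_RULES)
        print(f"{phrase!r:32} -> {pw!r:32} gaps={policy_gaps(pw)}")
    # An acronym alone is memorable but too short and lacks a digit and a symbol.
    short = build_password("Seven brave dogs walk home", (acronym,))
    print(f"acronym only -> {short!r} gaps={policy_gaps(short)}")
```

Running the script shows that the four-rule system turns either phrase into a password that satisfies every requirement, while the acronym-only system does not, which is why the article asks for at least four or five variables per personal system.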