Ground Rule of Cyber Hygiene: Keep Your Password Policy Up to Date
Since the earliest incidents of computer break-ins, experts have maintained that making the internet a safe place is going to be an uphill battle. Their reasons, while largely technical, also encompass human complacency. Research shows that most organizations and users fail to follow the simple practices that make computing safe.
In 2024, organizations reported a record surge in security breaches. Data breaches amounted to a loss of $4.88 million worldwide, up 10% from 2023.
While most modern businesses have got it together and put some basic to advanced security controls in place, a sharp rise in social engineering techniques like phishing and baiting has security teams living in constant fear.
Data suggests that three-quarters (75%) of the reported identity attacks in 2023 were carried out through social manipulation, and today, 98% of the attacks involve social engineering.
Despite using the most up-to-date tools and the best security software in the market, cybersecurity professionals say that defenders are still one step behind. It’s because hackers have sussed out the secret that humans are the weakest link in the chain.
The hardest route into any environment is to circumvent the technological guardrails, and hackers seldom take that path. Instead, they go through employees, who unknowingly but routinely do things that make breaking in, and stealing data from the corporate vaults, supremely simple.
Poor password practices are one of their main vices. We have been told countless times that a strong password is the baseline for cybersecurity. If the passwords we use to lock down our digital accounts are a unique jumble of characters and cases, and are hard to guess, then they are "strong", and therefore harder to crack.
But even a hard-to-guess password is no guarantee of security if it is reused across the handful of online accounts one has, and most certainly not if it is written on a pen-and-paper list and left in an unsafe place.
Enforcing password policies makes this twice as onerous. According to best practices, employees must change their passwords every few months to limit each password's lifespan and its window of exposure.
“The guy who sat next to me at IBM had four different password expiration policies. He changed every one of his passwords to be the same so that he would only have to remember one password,” remembered Tom Hollingsworth, former network engineer and events lead for Tech Field Day, while discussing the poor practices around password management at a Delegate Roundtable at the recent Security Field Day event.
“He was making himself more secure for all the wrong reasons and in all the wrong ways,” he said.
The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, revises its password guidelines periodically. In a recent update, NIST released a new set of requirements that aims to reduce the pain of password management by dropping some of the earlier, more exacting recommendations.
The new standards recommend that users focus on having longer passwords and passphrases (up to 64 characters) rather than being consumed with concocting the perfect mix of letters, numerals and punctuation. NIST suggests using a password manager to seamlessly generate long and strong passwords and store them safely for quick access.
Organizations are advised to screen new passwords to ensure that they do not appear on lists of easily compromised passwords.
The new guidelines also ease requirements around periodic password changes, asking users to reset passwords only once a year unless a breach takes place. Prior NIST standards required users to change passwords more frequently, which led users to reuse old passwords or modified versions of them, a practice considered extremely unsafe.
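As an added illustration (not code from the article or from NIST), here is a small Python policy checker that applies the guidelines just described: a length window up to 64 characters, no composition rules, screening against a compromised-password list, and a reset only after a year or a breach. The blocklist contents, the 8-character minimum and the hard 64-character cap are assumptions made for this example.

```python
import unicodedata

# Constructed sample blocklist. Assumption: a real deployment would load a
# large list of known compromised passwords rather than this handful.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8          # assumed minimum for user-chosen passwords
MAX_LENGTH = 64         # the "up to 64 characters" the article describes
MAX_AGE_DAYS = 365      # reset once a year unless a breach occurs


def normalize(password: str) -> str:
    """NFKC-normalize so the same passphrase compares equal regardless of how
    it was typed; spaces are kept because passphrases are encouraged."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately no mixed-case/digit/symbol rules: length and blocklist only."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive match so "PASSWORD" is caught as well as "password".
    if pw.lower() in COMPROMISED:
        problems.append("appears on the compromised-password list")
    return problems


def needs_reset(days_since_change: int, compromised: bool) -> bool:
    """Expire a password only when it is older than a year or known breached."""
    return compromised or days_since_change > MAX_AGE_DAYS
```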
“These are the guidelines we have been considering as best practices for 5 plus years,” says Jennifer Minella, public speaker and security advisor. “I like that NIST has codified it. But most of these frameworks are standards that are normative for the federal government. For the rest of us, it’s take what you want that works for you and leave what you don’t, unless you’re audited against it.”
So is this new draft going to settle the chaos and confusion of password management at enterprises? Not so fast, say insiders. Companies continue to put off adopting and improving password management practices despite the risks.
“We know that we need to get better. We just don’t see why this is urgent,” says Ziv Levy, IT practitioner.
Levy believes that the biggest catalyst for a company to take on strict measures is a cyber incident.
“That incident has to impact the bottom line that they start losing revenue,” weighs in Romeo Gardner, founder and CEO of Nehlos Cybersecurity, a Microsoft reseller and cybersecurity provider on the east coast. “If I have a breach or compromise but it does not hit my reputation, things keep happening and I can just keep doing business as usual,” he adds.
Another reason to upgrade password policies is insurance. Cyber insurance providers regularly update their terms of coverage, mandating best practices and decent cyber hygiene. Losses caused by poor or negligent security processes and pre-existing vulnerabilities are not covered under most policies.
Additionally, failing to invest in the right cybersecurity solutions can potentially disqualify an organization from filing claims.
Alternatively, poor security posture may lead to higher premiums, a practice insurance companies resort to in order to offset the risks.
“We are starting to see those kinds of things where people are trying to balance these decisions and companies are giving them an out by saying we’ll lower your premiums if you do this, or if you don’t want to do it, we will gladly charge you a little bit more money,” notes Hollingsworth.
Taking an extra minute to check whether current passwords need work, reviewing how passwords are handled at the staff level, and adopting new policies as industry standards evolve can keep thieves and hackers away for good. Thankfully, many of these processes can be made far more efficient and less cumbersome with automation, and ultimately easy for employees to live with.
“I think it’s going to be better, but it’s going to take a significant amount of time until we get there,” says Levy.
Watch more roundtable discussions from Security Field Day at techfieldday.com.