Why insisting on complicated passwords can be a dangerous security practice

According to Forester Insider Threat Report, commissioned by Imperva in 2021, 50% of companies surveyed expect to increase security awareness among their employees over the next 12 months. Many already do this and have strong practices in place. According to the 2022 Ponemon Cost of Insider Threat Report, negligent employees and accidental behavior are the root causes of most insider incidents (57%).

The recent ponemon A report covering the cost of global insider threats indicates that a total of 3,807 attacks, or 56%, were caused by the negligence of employees or contractors, costing an average of $484,931 per incident. This can be the result of a variety of factors, including not ensuring their devices are secure and not following company security best practices. A strong password policy is essential in any organization’s security policy, but can it go too far? What is the best way to do this that is friendly to our colleagues and promotes best practices?

Overcomplication Leads to Simplification

It is common business practice for passwords to have a minimum length of eight characters and to include at least one of each of the following: a numeric character, an uppercase letter, a lowercase letter, and a special character. Systems often insist that any login password expire after 90 days, and that all makes sense, but forcing a user to accept a password that is a non-sequential string of overly complicated integers, characters, and syllabaries is quite another matter.

If you do, it will result in a guaranteed simple result – they will write it. It might be on a PostIt note or it might be in the back of their office notebook, it might be in a note in their phone or on random scraps of paper, but they’re going to have to save it somehow. another if there’s any chance they could remember. Clearly, this is an impending security breach, and negligent employees who make simple mistakes like this are the root of most internal incidents.

Fifty-seven percent of respondents to the Ponemon report said insider incidents involved employee negligence and 51% say a malicious third party stole data by compromising insider credentials or accounts. Educating our colleagues on the importance of data security is key, but we can help them and help them make good choices with a simple exercise and promoting a simple system for remembering words. rather than insisting they remember complicated codes that they can submit on paper. .

Although a password manager is a solution, if there are multiple access points and multiple unique passwords to remember, this password manager invariably requires only one unique password.

A simple thing for life

Colleagues can be encouraged to create a memorable phrase or acronym to create their own unique password that will be easy to remember. Replacing a few letters with numbers, deliberately misspelling words, and/or using acronyms or abbreviations is an effective “trick” to encourage users to make passwords more unique.

Employees can be encouraged to try replacing the same letters with the same special characters or numbers – having their own personal system – or simply to avoid certain letters altogether, in a sentence that they can easily remember. Their password is a secret, after all, so no one will check their spelling.

Here are some examples:

  • “open sesame” could be “opN-55aM”
  • “My dog ​​Maggie” could be “mydO6ma66ie”
  • “I love a cheese sandwich” could be “IehC5991”
  • The phone number “+1 866 926 4678” could be “Tel+!8^6(2$4*8”
    (using the keyboard to generate characters using the Shift key).
  • “Should I compare you to a summer day? You are more beautiful and more temperate” could be “siCT2ASD?tAML&MT”

Some employees may want to replace the letter “a” with the number 4 or remove all vowels. Some may want to add an exclamation point after each word, call a “v” a>, or replace “o” with an asterisk. Each of these substitution methods acts as a unique variable for each person’s personal system. Multiple simple systems can be transported from password to password, task to task, whenever their passwords change, and each staff member can be encouraged to have their own password code unique password that he can realistically keep for life. Several variables for each personal system, at least four or five, should be the minimum requirement to ensure strong, easy-to-remember passwords.

It’s a simple solution, but data security is a matter of education and data security is everyone’s personal responsibility.

The post office Why insisting on complicated passwords can be a dangerous security practice appeared first on Blog.

*** This is a syndicated blog from the Security Bloggers Network of Blog written by Nik Hewitt. Read the original post at: https://www.imperva.com/blog/why-insisting-on-complicated-passwords-can-be-a-dangerous-security-practice/


Source link