There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.1
–Bill Gates, February 2004
The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it’s easy to remember, it’s something nonrandom like “Susan.” And if it’s random, like “r7U2*Qnp,” then it’s not easy to remember.2
–Bruce Schneier, 2000
A 2023 study found that 64% of people surveyed are not confident they are managing their passwords well. Most discouraging in the new survey was the report that of those born after 1990 only 20% use unique and strong passwords.3 These statistics also bring a feeling of futility: ‘so many data exposures – what does it matter?’ ‘there is no privacy anymore – whatever.’
I don’t share the opinion that we should throw in the towel, though who can’t sympathize with the sentiment? But Bryley sees time and again that, in fact, compromised passwords matter to an organization’s security. As an example of the severity of the problem, Google Cloud reported in October that 54% of breaches are resulting from common and well-known threat actor attack techniques, such as obtaining and using stolen credentials …4 These breaches can be costly, too: the average small business cyber-insurance claim ranges between $15,000 and $25,000 in recovery costs … the average recovery time for a business after an attack is 279 days.5
So as a manager, what can be done?
Since Bruce Schneier wrote about the random string recommendation, the National Institute of Standards and Technology (NIST) has agreed that the advice is problematic and in 2022 offered this in its Digital Identity Guidelines:
Users should not be told to change passwords according to a schedule, but only when a password is known to have been compromised.*
Users tend to choose weaker memorized secrets [i.e. passwords and PINs] when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.
Password composition rules (that is, use one uppercase, one lowercase, one number, etc.) should no longer be recommended.
Users tend to use predictable methods for satisfying these requirements when imposed … the frustration they often face may also cause them to focus on minimally satisfying the requirements rather than devising a memorable but complex secret.
Passwords should be at least 8 characters in length. The longer the password, the longer it takes for a criminal/computer to guess.
Encourage users to make memorized secrets as lengthy as they want, using any characters they like. Pass-phrases are to be encouraged. Point users to a password strength checker like this one at the University of Illinois. It showed me that this pretty-easy-to-remember example pass-phrase, blueberries38HIGHLIGHTER, had “excellent” strength.†
As in this example, Bryley recommends a 15-character minimum at this time.
According to a Finnish study, it is a good idea for managers to speak openly to employees about the reasons people commonly don’t comply with good password practices. People commonly use a “defense of necessity” [this is when, for example, we have the pressure of a deadline to meet, so we flout the rules] to justify choosing weak passwords, believing that strong passwords are too onerous … Show why this notion isn’t necessarily true and [demonstrate] practical ways to choose passwords that are both strong and usable, like the blueberries example, above.6
Employees need the support of their managers in their decision-making. Adrenaline fuels a lot of business accomplishment. Is this rewarded in your organization’s culture? And if so, at what cost? Can good cybersecurity practices be celebrated?
Knowledgewave, Bryley’s training partner, offers employee courses in, for instance, cybersecurity best practices. When employees complete courses they’re awarded badges. It’s just a little something that gives that feeling of accomplishment without robbing the employees of their sense of self-motivation. If you give too much, people can end up competing and losing sight of the reason behind the reward.
In a SANS Institute look at rewarding employees for cybersecurity practices, Cindy Daily of Geisinger Health Systems says rewarding is tricky. Our first reaction is to reward people as much as possible, but be sure to think things through. You want to be sure you are promoting the right behaviors and you are not setting costly precedents.7
Twenty years ago today
Do you have fewer passwords than back when Bill Gates promised a passwordless future? I know I don’t. But I do use a software password manager to generate long and random passwords. According to security.org, a third of Americans are using password managers.8
Can you take much of the burden of strong password practices off your employees? A password manager can help – Bryley has a solution with admin controls that lets you monitor employees’ password behaviors, so your organization is kept more secure.
Single Sign-On minimizes the number of passwords that employees have to create or enter, by giving them one portal to access all the software tools they need.