Why Poor Password Hygiene Is Still Leading to Cyberattacks

80% of data breaches in 2019 were caused by password compromise.


The human element of poor password hygiene has become even more problematic in recent years, as social engineering and phishing attacks have grown more sophisticated and are specifically designed to harvest login credentials for business-critical applications such as email, databases and operating systems. Yet large organizations spend tens of millions to hundreds of millions of dollars annually on cybersecurity tools like EDR and CASBs, while password integrity remains, for the most part, at the bottom of the priority list.

We sat down with Darren James, head of internal IT at Specops Software, to discuss some of the common challenges with password hygiene and how organizations can overcome them to ensure passwords aren't at the center of their cybersecurity problems.


Why is implementing a robust password security policy easier than many organizational leaders believe?

There is a lingering misconception among many IT security leaders that implementing a robust password security program constitutes a lot of effort for only marginal reward. This sentiment exists in large part due to both poor and frustrating experiences that IT and security admins have had when deploying standard password security tools, such as Microsoft’s fine-grained password policy. These tools emphasize unnecessary complexity in password creation, such as mandating minimum length, character counts, special characters and capitalizations. While these recommendations can sometimes be helpful, they are often riddled with unintended consequences. For example, I know of several password security solutions in which ‘Password1’ would meet the solution’s requirements for a safe password, when basic common sense tells us otherwise. The good news is that password security, like many other security domains, has evolved in recent years to be much more end-user friendly, while successfully reducing the risk of a weak or compromised password being the entry point of a cyberattack. Advanced third-party password policy tools support passphrases, length-based password aging and breached password dictionaries, and give great feedback to users when things go wrong, like telling a user why their password failed to meet the requirements. For the first time, IT leaders are truly empowered to enforce password compliance while integrating password security into their broader defense-in-depth strategy.

Why do existing password standards and guidance from organizations like NIST and CMMC provide strong guidance for businesses to follow?

In 2016, the National Institute of Standards and Technology (NIST), along with some other global standards bodies like the Cybersecurity Maturity Model Certification (CMMC), updated their password security guidance. The essence of the new guidance was to remove password complexity and instead increase password length, set passwords to never expire, and check that passwords have not been previously breached. This guidance was a win-win for both users and organizations and became widely adopted best practice because 1) users don’t have to write their passwords down, since passwords are no longer complex, and 2) because passwords are longer, they are harder for a computer to crack or for a hacker to guess, and probably haven’t been previously leaked.

However, we find organizations still use password expiry to hedge against attacks as it can take up to 200 days to discover a breach.
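The two policy styles contrasted in this answer and the previous one (a composition-rule policy that accepts ‘Password1’, versus a length-first policy with a breached-password check and clear user feedback) can be seen side by side in the following example. This is added illustration code, not Specops’ product or any NIST reference implementation; the breached-password list is a tiny constructed sample and the length thresholds are assumptions.

```python
import re
from hashlib import sha1
from typing import List, Optional, Tuple

# Constructed sample of breached passwords, kept as SHA-1 digests so the policy
# never stores plaintext. A real deployment would use a far larger list.
BREACHED_SHA1 = {
    sha1(p.encode()).hexdigest()
    for p in ("Password1", "Summer2023!", "letmein", "correct horse battery staple")
}


def legacy_complexity_check(pw: str) -> Tuple[bool, List[str]]:
    """Classic composition rules: 8+ chars, an upper, a lower and a digit."""
    problems: List[str] = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    return not problems, problems


def length_and_breach_check(pw: str, min_len: int = 15) -> Tuple[bool, List[str]]:
    """Length-first policy: no composition rules, passphrases welcome, but a
    breached password is rejected and the user is told exactly why."""
    problems: List[str] = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters (a passphrase is fine)")
    if sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    return not problems, problems


def expiry_days(pw: str) -> Optional[int]:
    """Length-based aging (assumed thresholds): longer passwords live longer,
    and 20+ character passphrases never expire."""
    if len(pw) >= 20:
        return None
    return 365 if len(pw) >= 15 else 90


if __name__ == "__main__":
    for candidate in ("Password1", "purple tractor sings at dawn"):
        print(candidate, legacy_complexity_check(candidate),
              length_and_breach_check(candidate), expiry_days(candidate))
```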

How should companies hold employees accountable for strong password hygiene without overburdening them?

The reality is that strong password security is so vital to an organization’s risk mitigation strategy that the burden of password creation and management shouldn’t fall to employees; rather, it should fall on technology. In truth, technology can remove complexity, increase length and promote the use of passphrases to make passwords easier to remember without much involvement from end users. Technology can also enable multi-factor authentication, which can serve as a secondary security layer when a user’s behavior seems abnormal (e.g., a new device being used or an unknown IP address). The best technological solution takes all of this functionality and pairs it with a clear end-user interface that doesn’t leave users in the dark when a password is rejected.

Why won’t alphanumeric passwords be replaced by fingerprinting or biometrics anytime soon?

Despite what Microsoft, Cisco and the media have to say, the reality is that fingerprinting and/or biometrics are not replacing legacy passwords any time soon. The truth is that this evolution will not happen overnight, in large part because today’s modern authentication systems are not designed for security, but for end-user ease of use. To make authentication systems fingerprint- and biometric-compatible would require a technological undertaking that simply isn’t high on the digital transformation checklist at the moment. Ironically, the same people proclaiming that the traditional password is dead are at the same time utilizing traditional passwords as failsafes for when fingerprinting or biometrics fail. For example, you can use a 4-digit code for your cell phone if your smartphone is having issues recognizing your facial features. Secondly, implementing fingerprinting or biometrics across the board would be costly, as these types of authenticators are reliant on expensive hardware that is not platform agnostic. Until demand begins to bring down the cost, or disruptive innovation finds a more cost-effective way to build authentication platforms that scale, passwords as we know them aren’t going anywhere.

