Page 33 - Cyber Defense eMagazine April 2023

It's no secret that mandating a unique password for every account or system is a source of user frustration. Even in an enterprise environment in which access to many accounts is enabled via Active Directory, employees still find legacy password management approaches to be burdensome. They’re not wrong—in fact, not only are these outdated policies a significant hurdle to productivity, but they also have an adverse effect on corporate security.

Security Shouldn’t Come at the Cost of Productivity

Let us take a look at some of these legacy practices and why companies must abandon them in favor of a more modern approach to password security.

Eliminate Mandatory Password Resets

Enforcing periodic resets has been the traditional strategy for combating employees’ poor password practices, like reusing them across multiple accounts, selecting generic ones like “Password” or “1234,” or sharing credentials with colleagues. Multiple studies have documented that mandatory password resets require significant IT resources and don’t enhance security, as people tend to choose simple passwords or make small changes to the root phrase when they know they will be required to change it again in the near future.

Abandon Complexity Requirements

Arbitrary password complexity requirements—such as including both upper- and lower-case letters, numbers, and special characters—are another legacy practice that inhibits productivity. Moreover, this approach often results in passwords that are easy for hackers to guess or crack. For example, “P@ssword1!” would meet all complexity requirements but is obviously a weak credential guaranteed to exist on a list of exposed passwords available to hackers on the Dark Web.

Get Password Security and Productivity in Lock-Step

The legacy practices above are just two examples that the National Institute of Standards and Technology (NIST) now recommends against due to their negative impact on employee productivity and account security.

So, what should companies be doing instead to secure passwords? A more modern approach is to screen all passwords against a list of commonly known and exposed credentials. After all, if a password is secure there’s no point forcing users to change it every three months or comply with various complexity requirements. Many static lists of exposed credentials exist on the Dark Web and some companies even curate their own. However, given the staggering rate at which new breach data is exposed, the only way
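The following Python example is added here to illustrate the two points above side by side; it is not code from the article or from any product it discusses. It puts the legacy complexity rule next to a screening check against a list of exposed credentials, so that “P@ssword1!” visibly passes the first and fails the second. The exposed-password list is a constructed sample standing in for a maintained breach feed, and the SHA-1 prefix bucketing is an assumption about how such a list can be queried without handing over the full password hash (the article names no specific service or layout).

```python
import hashlib
import re

# Constructed sample standing in for an exposed-credential feed. A real
# deployment would load a continuously updated corpus, not a fixed list.
CONSTRUCTED_EXPOSED_PASSWORDS = [
    "password", "Password", "P@ssword1!", "1234", "123456", "qwerty",
    "letmein", "welcome1", "Summer2023!",
]


def legacy_complexity_ok(password: str, min_len: int = 8) -> bool:
    """The legacy rule: minimum length plus one character from each class.

    It happily accepts "P@ssword1!", which is exactly the weakness the
    article describes, while rejecting a long, unexposed passphrase.
    """
    return (
        len(password) >= min_len
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; used only as a lookup key."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_exposed_index(passwords):
    """Index exposed passwords by the first 5 hex chars of their SHA-1.

    Maps prefix -> set of 35-char suffixes. This bucketed layout (an assumption,
    not something the article specifies) lets a client ask for one bucket by
    prefix and finish the comparison locally, so the full hash never leaves it.
    """
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


EXPOSED_INDEX = build_exposed_index(CONSTRUCTED_EXPOSED_PASSWORDS)


def is_exposed(password: str, index=EXPOSED_INDEX) -> bool:
    """Client-side check: select the bucket by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def screen_password(password: str, index=EXPOSED_INDEX, min_len: int = 8):
    """Modern policy: a length floor plus screening against exposed credentials.

    No composition rules and no expiry; returns (accepted, reason).
    """
    if len(password) < min_len:
        return False, "too short"
    if is_exposed(password, index):
        return False, "appears in exposed-credential list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssword1!", "correct horse battery staple", "1234"):
        print(
            f"{candidate!r}: legacy complexity={legacy_complexity_ok(candidate)}, "
            f"screening={screen_password(candidate)}"
        )
```

Run as a script, it shows the contrast the article draws: the complexity rule approves “P@ssword1!” and rejects a four-word passphrase, while screening does the opposite. The prefix bucketing matters operationally because the check can be performed at password-set time against an external feed without transmitting the password or its full hash.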






