Your password policy is probably broken, and you may not even know it.
How’s that possible? Consider the following scenario.
You drafted your password policy a few years ago because somebody told you it was an industry best practice. Next, you sent it out to everyone in the company and considered the project complete. After all, you have plenty of other projects to work through.
Before you know it, the policy is several years old. Yet, it’s never been updated. You may have forgotten to check with other stakeholders to see if it still makes sense. What that means is that your password policy is out of date and likely making no real contribution to your cybersecurity needs.
How Do You Know If Your Password Policy Is Keeping You Secure?
By asking that question, you’ve already made the first critical step. You’re acknowledging that your password policy might not be good enough. What’s the next step? Read through our list of signs you have a flawed password policy.
Signs You Have a Broken Password Policy
As you go through these signs, give yourself 1 point for each sign that’s present in your organization. We’ll go through how to interpret your score at the end.
1. Your password policy is written for an IT audience
In most cases, this mistake is a failure of imagination and empathy. You ask somebody on the IT security team to create the policy. As a result, it’s loaded with jargon and technical details. It all makes sense to IT security experts, but what happens when you push the policy out to the business? Nobody understands it, so they all “file the IT email for later.” Before you know it, “later” becomes “never,” and your password policy is ignored.
2. Your password policy is disconnected from risk considerations
When your password policy speaks in terms of DO and DO NOT rules, you’re probably not considering risk. Without a risk perspective, you’ll give users too many rules and requirements to keep straight. You’re likely to treat all applications and users the same as well. As a result, your password enforcement and monitoring resources will be stretched too thin.
3. Your password policy isn’t monitored regularly
The following scenario might sound familiar.
You published the password policy to the company intranet two years ago. You sent out some mass emails to promote it. Then, you just moved on to work on other projects.
That’s a sign that you’ve failed to do any real monitoring. Without monitoring, you have no idea if employees and other stakeholders understand the password policy. Even worse, your IT security risk assessments lack critical data on password behavior. This sign of failure is closely related to the next item on the list.
4. You have no software tools to support your password policy
This can show up in your organization in two ways.
First, you can do monitoring and enforcement activities after the fact. You imagine that you can dump this password-monitoring task in the lap of one of your analysts. That’s not a good idea though. It’s going to be bad for morale, as nobody wants to go through all your systems one by one to pull reports. Then, you have to reconcile that data with other sources, such as the HR employee list. That’s what password monitoring looks like without a supporting password policy.
Second, you can integrate your password policy into your systems and hope that users pay attention. That’s not going to work. Most employees want to reuse the same password repeatedly. They view password reuse disease as a convenience rather than a problem for the most part. You need to monitor whether employees are creating effective passwords.
5. Your password policy doesn’t have an enterprise-wide application
You might be a bit confused by this sign of password policy failure, so let’s unpack it. There’s nothing wrong with starting your password policy with a focus on high-risk applications. Instead, the problem lies in never evolving past that point. For example, do you have a process to track cloud application usage and security? That’s a blind spot for many organizations.
This sign of failure becomes a more significant issue in large-scale organizations. For example, if you have a large number of office locations across the country or internationally, you’ll have a greater difficulty. How? You’ll have more applications, and those applications ( especially cloud services) may not be disclosed to IT.
Note that there’s one situation where this sign isn’t a problem. If you implemented a password policy less than 12 months ago, you might not have support to roll it out across the whole company. If you have a partial implementation, we recommend that IT report this incomplete status (i.e., “In Q1, the password policy covered 30% of systems.”). Without that tracking, you won’t be able to understand your IT risk accurately.
6. Your password policy doesn’t support multifactor authentication
Think about your most sensitive IT systems for a moment.
Suppose a hacker or angry employee obtained access to that system. That individual could steal data, approve fraudulent expenses, and embarrass the entire department. This whole problem could be prevented at the front end. This could be prevented to a significant degree if you had multifactor authentication in place.
How to Read Your Password Policy Score
If had more than three of the signs in the above list, you’re in serious trouble. Your password policy and supporting processes just aren’t doing much to create results. It would be best if you took action to close those vulnerabilities.
Suppose you have less than three signs of password policy problems. You may be able to defer action this year while you work on other projects. However, keep in mind that security threats are steadily getting more difficult over time.
How to Achieve an Effective Password Management Process
Follow these three tips to improve your password controls. For the best results, use these methods in concert.
- Implement Password Management: Use Password Management and your password policy will be enforced
consistently across your company. - Rewrite your password policy for business users: Eliminate technical jargon from your policy. Circulate a draft of the new policy to 3-5 end users outside of IT to confirm it’s clear.
Establish monthly monitoring: Create 1-3 key performance indicators relating to passwords to
monitor. For example, you might track the percentage of systems and applications covered by the password policy on a monthly basis.