Coffee with Kampas - Episode 19: Building a Strong Password Policy

Feb 13, 2020 15:57 · 521 words · 3 minute read

Hi, this is John Kampas, Founder and CEO of EMPIST. According to the 2019 Verizon Data Breach Report, 81% of hacking-related breaches are linked to poor passwords, and 70% of users reuse passwords. That’s why on today’s Coffee with Kampas, I want to talk to you about what goes into a good password policy. I get asked about this a lot, and my opinion on it has changed a bit over the years. The first aspect of a password policy that most people ask about is how often should you be requiring users to change their passwords. The answer to this might actually surprise you.

Major manufacturers including Microsoft and Apple agree that there is very little benefit to forcing periodic password changes. Back in 2017, the National Institute of Standards and Technology, or NIST, stated that users should no longer be required to change passwords arbitrarily. Instead, they should only be asked to change a password when there is evidence of a compromise. You might be asking yourself, “how can that be?” Well, think about what you usually do when you’re asked to change a password. Maybe you change the last 9 to a 9, switch around some capitalization, or if you’re feeling crazy, even add an exclamation point. You’re not alone here.

When forced to change passwords frequently, most users tend to make predictable alterations rather than thinking of an entirely new password. This makes the new passwords easily guessable and vulnerable to compromise. The fact is, a simple password is not a very secure method of protecting your systems and information, but a complex password is difficult to remember and might hinder everyday productivity. If your password policy is too complex and requires passwords to be changed frequently, passwords could become hard to remember, forcing users to write them down instead. This is a big security risk. So what can be done about this? Here are some things I recommend you do to build out a strong password policy.

First, review your current password policy. This will help you understand the whole picture and identify what needs to be changed or updated. Next, document the types of systems that require authentication. You should also consider deploying a single sign-on solution to reduce the number of passwords your users need to remember. I also recommend implementing failed login detection and protection methods on your network.

Lastly, conduct security awareness training to teach your users how to create secure passwords. Ideally your password policy is also combined with Multi-Factor Authentication, or MFA. MFA is important because it acts as another line of defense in addition to a password. Whereas a password is something you know, MFA is something you would have, such as a mobile phone. I don’t recommend ditching your policy entirely, but consider how frequently you require password changes.

Your goal should be to configure a policy that will mitigate the security risks while maintaining high employee productivity. If you need any help creating a good password policy, please don’t hesitate to contact me directly. Thank you.