Users keep ignoring password complexity rules. How can you ensure their accounts stay secure?
-
Mandatory updates and complexity: Regularly enforce password updates and complexity requirements. This ensures users create stronger passwords periodically, significantly reducing the risk of breaches.
Adopt two-factor authentication: Implementing 2FA adds an extra security layer. It protects accounts even if passwords are compromised, as users need a second verification step.
-
When users neglect complex passwords, your organization’s security is at risk. To enforce strong password habits, start by implementing mandatory updates and complexity rules that users must follow. Educate them continuously on the importance of secure passwords through regular training and awareness campaigns, showing how breaches occur due to weak passwords. Use password managers to help generate and store strong passwords easily. Finally, adopt two-factor authentication (2FA) to provide an extra layer of protection.
-
It is often observed that users in most cases keep ignoring password rules. In order to avoid such scenarios, a few things can be considered, such as: 1. Regular awareness sessions for all users on the password policy 2. Exploring other secure passwordless authentication methods like authenticator apps or push notifications to a mobile device to approve or deny a login attempt 3. Password managers: encourage users to use password managers that can generate and store complex passwords securely, reducing the burden on them to remember 4. Simplify the login process while maintaining security, such as using single sign-on (SSO) solutions.
-
NIST has recently dropped the two requirements that were advised for a long time, which this post is suggesting otherwise. As per NIST, passwords don't need to follow complexity rules nor time expiry, but rather: * Use long passphrases, which are easier to remember and harder to crack * Don't enforce regular password updates, as it is counterproductive and will make users follow unsafe methods of keeping passwords (especially when combined with the complexity aspect). Many compliance mandates might adopt these two updated concepts from NIST late, hence the practice will remain required until compliance dictates otherwise. Passwords by themselves are considered problematic, and eliminating them should be a target!
-
One of the most effective strategies is to avoid password changes, as this often leads to users adopting weaker, easier-to-remember passwords and is no longer considered a best practice by NIST. Instead, prioritize creating long, complex passphrases. Password managers can help you securely store these complex passphrases without memorizing them. Take advantage of single sign-on (SSO) and federation services wherever possible. These tools reduce the number of passwords users must juggle, allowing them to focus on creating a few solid passphrases for the most critical accounts. Remember, security is a continuous journey.
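The two comments above (the NIST one and this one) argue for long passphrases screened against known-weak passwords instead of composition rules and scheduled rotation. The following is an added example, not code from the original article or any of its contributors, that puts the two policies side by side so the difference is visible on concrete inputs. The blocklist is a small constructed sample standing in for a breached-password corpus, and the 15-character minimum is a parameter chosen for the example.

```python
"""Added example: a classic composition policy next to a NIST SP 800-63B
style policy (length + blocklist screening, no composition rules).
Not from the original article; names and the sample blocklist are constructed.
"""
import re
import unicodedata

# Constructed sample; a real deployment loads a large breached/common
# password corpus and compares case-insensitively.
WEAK_PASSWORDS = {
    "password", "p@ssw0rd1!", "welcome1!", "summer2024!", "qwerty123",
}


def complexity_policy(pw: str) -> list[str]:
    """Classic composition rules: 8+ chars, upper, lower, digit, symbol.
    Returns the list of failed checks; an empty list means accepted."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lowercase letter")
    if not re.search(r"\d", pw):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no symbol")
    return failures


def nist_style_policy(pw: str, min_len: int = 15,
                      blocklist: set[str] = WEAK_PASSWORDS) -> list[str]:
    """NIST-style rules: Unicode-normalise, require a length minimum, screen
    against known-weak passwords, reject trivially repetitive strings.
    No character-class requirements and no expiry. Returns failed checks."""
    pw = unicodedata.normalize("NFKC", pw)
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if pw.lower() in blocklist:
        failures.append("appears in the known-weak password list")
    if len(set(pw)) <= 2:
        failures.append("too few distinct characters")
    return failures


def compare(pw: str) -> dict[str, list[str]]:
    """Run both policies on one candidate and return their verdicts."""
    return {"complexity": complexity_policy(pw),
            "nist_style": nist_style_policy(pw)}


if __name__ == "__main__":
    # Constructed candidates: one that games composition rules, one passphrase.
    for candidate in ("P@ssw0rd1!", "correct horse battery staple", "a" * 16):
        print(repr(candidate), compare(candidate))
```

Running it shows the point the comments make: "P@ssw0rd1!" satisfies every composition rule yet is a known-weak password, while the long passphrase fails the composition checks and passes the length-plus-screening policy. A regular expiry timer adds nothing to either outcome, so the NIST-style policy drops it.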
-
COMPLEXITY in general is a pain, for everyone! Why are we targeting only end users here? 1. Education is KEY. Implications of password misuse/loss/theft can lead to termination and even legal action 2. Passwords should NOT be guessable, follow a particular pattern, be written down on paper or saved in a device memo. In fact the latest NIST guidelines want everyone to do away with passwords completely: 1. There is emphasis on biometrics 2. Passwords are slower to compute and require a higher grade of encryption 3. MFA + biometrics is a perfect replacement for text-based passwords 4. Typically, you are NOT allowed to re-use the last "X" number of passwords, which means the system has to keep a record of them
-
Do not allow them to use passwords which do not meet the company standards; use 2-factor authentication at all times. Ensure password changes are done on a 12-month cycle.
-
To encourage strong password habits in my organization, I use a combination of policy enforcement, education, and technology. First, I enforce mandatory password complexity rules and periodic updates to ensure compliance. To foster understanding, I provide regular training sessions that explain why secure passwords are crucial and the risks associated with weak ones, using real-world examples to highlight potential threats. Additionally, I introduce technology aids like password managers to help users create and store strong passwords easily, and I implement two-factor authentication to add an extra layer of security, making sure our defenses stay robust even if passwords are compromised.
-
To encourage strong password habits in my organization, I advocate for a multifaceted approach. First, I implement policies mandating regular password updates and complexity requirements to ensure users create robust passwords. Education is key, so I organize training sessions that highlight the significance of secure passwords and the risks of weak ones. Additionally, I promote the use of password managers to simplify password management and advocate for two-factor authentication to enhance security. This combination fosters a culture of responsibility and awareness around password practices, ultimately strengthening our security posture.
-
Awareness is really important. First you enforce technically so their passwords are as secure as possible. Then you really need to make them aware of:
- Why it is important.
- How it will protect them.
- How they will benefit from it.
-
Forget everything, do your own homework first. A single password complexity policy is a thing of the past. Not all accounts need similar complexity, thanks to a risk-based approach with authentication and access control mechanisms; look at Azure's conditional access and risky sign-ins. Based on the user's parameters, you should define policies and assign users based on those requirements. A few quick tips from modern-day AD configurations:
- Enable self-service password reset config
- Enable secure MFA with configured policies around conditional access
- Enable risk-based sign-in protection and security notifications.
Privileged accounts need the strictest approach, and you hope they all have password managers in place.