
Security Think Tank: A good password policy alone is not enough

In light of the fact that complex passwords are not as strong as most people think and that most password strategies inevitably lead to people following them blindly, what actually makes a good password and when is a password alone not enough?

It is estimated that 81% of hacking-related breaches involve stolen or weak passwords (the figure comes from Verizon's 2017 Data Breach Investigations Report), potentially putting businesses at risk of losing millions. Password security is therefore a wider societal issue, not only a corporate one: every person with a work or private internet account has passwords, and most of our personal and corporate data now sits behind them.

This makes a company's cyber security dependent on its rank-and-file employees: every staff member with a password to corporate systems or data is a potential weak link in the organisation's security chain.

Yet passwords are rarely treated with the diligence given to physical keys. Nobody would make 12 copies of their house key and leave them on trains, yet people routinely write passwords on scraps of paper and throw them away.

Passwords are routinely lost, never updated, or made so complex that their owners cannot remember them. Many companies also labour under the illusion that a good password policy alone is enough to keep intruders away from their data and systems.

So what is a good password, what is a good strategy for deploying them, and when is a password simply not enough? Four points follow.

The secret to a ‘strong’ password

The best passwords are not simply the most complicated ones. A long, memorable passphrase resists guessing at least as well as a short string of symbols, and because its owner can actually remember it, it does not end up written on a sticky note or forgotten. Choose a private joke or a phrase that means something only to you, not anything an attacker could find on your social media (pet names, birthdays, football teams), keep it long, and add a character or two that does not belong. Removing the spaces does little against an attacker who already guesses whole phrases; the length and the unpredictability of the words are what count.

Simplifying password management

Algorithm (formula-based) passwords, where the user derives each account's password from a memorised base and a fixed rule applied to the account name, have advantages over one remembered password for every site. They are easy to personalise and let employees meet special-character, number and capital-letter requirements without memorising a separate string for each account.

Crucially, they produce a different password for every account, so a password leaked from one service does not unlock others directly. The caveat is that the simple formulas people can actually remember (a base word plus part of the site name) can be inferred by an attacker who sees two or three of the results, at which point the formula, not a single password, is the secret that has leaked. They simplify life for employees; they do not replace a password manager for the accounts that matter.
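The two points above, that length rather than symbol count is what resists guessing and that a formula gives each account a different password but a recoverable one, can be put side by side in code. The Python below is an added example for this page, not code from the original article: `formula_password` is a constructed, deliberately naive formula scheme, `recover_pattern` is the attacker's view of two passwords leaked from it, and `random_password` with `guess_space_bits` shows the alternative a password manager gives. The 7,776-word list size is the diceware convention; the 94-character set is printable ASCII.

```python
import math
import secrets
import string
from os.path import commonprefix

# Constructed example of a formula-based ("algorithm") password: a fixed
# personal base plus a rule applied to the site name. Shown for analysis,
# not as a recommendation.
def formula_password(base: str, site: str) -> str:
    return f"{base}{site[:3].capitalize()}!"


# Attacker's view: given passwords leaked from two sites that used the same
# formula, the shared base is the longest common prefix and the per-site rule
# is whatever remains. Once the rule is known, every other account follows.
def recover_pattern(leaked: list[str]) -> tuple[str, list[str]]:
    base = commonprefix(leaked)
    return base, [p[len(base):] for p in leaked]


PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Password drawn uniformly from the OS CSPRNG (secrets module), so two
    accounts share nothing an attacker could learn from one leak."""
    if length < 12:
        raise ValueError("random passwords should be at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of equally likely candidates an attacker must cover.
    Exact for uniformly random choices; only an upper bound for anything a
    human picked. For a passphrase, `length` is the word count and
    `alphabet_size` the word-list size (7776 for a diceware-style list)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    leaked = [formula_password("Tr0ub4dor", "amazon.com"),
              formula_password("Tr0ub4dor", "github.com")]
    base, rule = recover_pattern(leaked)
    print("leaked:", leaked, "-> base", repr(base), "rule", rule)
    print("8 random printable chars: ", round(guess_space_bits(8, 94), 1), "bits")
    print("5 diceware words:         ", round(guess_space_bits(5, 7776), 1), "bits")
    print("20 random printable chars:", round(guess_space_bits(20, 94), 1), "bits")
    print("generated:", random_password())
```

Five random dictionary words already cover a larger guess space than eight random printable characters, and the words are far easier to remember; the formula scheme, by contrast, gives up its base the moment two of its outputs appear in breach dumps.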

Giving organisations control

Allowing employees to manage their own passwords can encourage a tick-box culture in which they do the bare minimum to comply or make careless errors, such as reusing one password across several systems. Password vaults centralise the creation, storage and rotation of passwords, letting the organisation take control of that part of its cyber security. The vault itself then becomes the single most valuable target on the network, so access to it must require more than a password and be logged like any other privileged system.

Vaults also record which employees have the strongest and most recently changed passwords, which passwords are reused, and any failed login attempts, giving companies a central, round-the-clock view of the state of their password security. That record can be used to encourage good practice, rewarding employees who manage their passwords well and identifying those who do not.
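As an added example (not from the original article) of what the failed-login records a vault keeps are good for, the Python below runs two detections over a constructed audit log: repeated failures against one account (brute force) and one source failing against many accounts (password spraying, which a per-user lockout counter never trips). The line format `time user=... src=... result=...` is invented for the example; a real product's export would need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a vault/SSO authentication audit log. The format
# "<ISO-8601 time> user=<id> src=<ip> result=<ok|fail>" is hypothetical,
# invented for this example, not any product's real export format.
SAMPLE_LOG = """\
2024-03-04T09:00:01 user=alice src=10.0.0.5 result=fail
2024-03-04T09:00:40 user=alice src=10.0.0.5 result=fail
2024-03-04T09:01:15 user=alice src=10.0.0.5 result=fail
2024-03-04T09:02:02 user=alice src=10.0.0.5 result=fail
2024-03-04T09:02:50 user=alice src=10.0.0.5 result=fail
2024-03-04T09:03:30 user=alice src=10.0.0.5 result=ok
2024-03-04T09:05:00 user=bob src=10.0.0.9 result=fail
2024-03-04T09:05:20 user=bob src=10.0.0.9 result=ok
2024-03-04T11:00:00 user=carol src=203.0.113.7 result=fail
2024-03-04T11:00:10 user=dave src=203.0.113.7 result=fail
2024-03-04T11:00:20 user=erin src=203.0.113.7 result=fail
2024-03-04T11:00:30 user=frank src=203.0.113.7 result=fail
2024-03-04T17:00:00 user=bob src=10.0.0.9 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse audit lines into events sorted by time; malformed lines are skipped
    rather than allowed to crash the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _windowed(events, key, threshold, window, count):
    """Group failed logins by `key`, slide a time `window` over each group and
    report groups whose peak `count(events_in_window)` reaches `threshold`."""
    groups = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            groups[key(ev)].append(ev)
    flagged = {}
    for k, evs in groups.items():
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, count(evs[start:end + 1]))
        if best >= threshold:
            flagged[k] = best
    return flagged


def brute_force_users(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failures in one window: many guesses, one user."""
    return _windowed(events, lambda e: e["user"], threshold, window, len)


def spraying_sources(events, threshold=3, window=timedelta(minutes=10)):
    """Sources failing against >= threshold distinct accounts in one window:
    one guess per user, many users, so per-account counters stay below limit."""
    return _windowed(events, lambda e: e["src"], threshold, window,
                     lambda evs: len({e["user"] for e in evs}))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", brute_force_users(evs))
    print("spraying:   ", spraying_sources(evs))
```

On the sample, alice's five failures in three minutes trip the per-account check, while 203.0.113.7's one failure each against carol, dave, erin and frank trips only the per-source check; bob's two failures eight hours apart trip neither.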

When a password is not enough

For business-critical or sensitive data and systems, a password alone is never sufficient. Even personal information that seems innocuous on its own can be sensitive once aggregated with other data. Your personal email account holds your search history, your friends and your work contacts, and, because it is the recovery address for most of your other accounts, whoever controls it can reset those passwords rather than guess them.

Organisations must instead use two-factor authentication, adding a second factor that is not another memorised secret (an authenticator app, hardware token or FIDO2 security key) so that a stolen password is not enough on its own. They should also segment networks and devices, with full air gaps for the most sensitive, so that each carries a security rating appropriate to the sensitivity of the data or systems it holds.

Employees must then pass multi-factor authentication to reach a particular system and, if that system is compromised, there is no spill-over to other corporate networks or devices.
