Top 3 Lies You Are Told About Password Policies

October is considered spooky season not only because of the witches and goblins running around… but because it’s National Cybersecurity Awareness Month (NCSAM) and it’s time to shine a light on those scary security policies that may be doing more harm than good. There is no better place for us to start than to look at password policies that may be hindering productivity and increasing your organization's likelihood of facing a security breach.
Password policies are crucial for security measures within an organization, but they also have a direct effect on help desk ticket creation. Did you know that an estimated 40% of all help desk calls are related to password-related issues? So, when an employee submits a ticket for one password reset, this quickly turns into a big ordeal that requires numerous backend resets.

Instead of wasting all of this time and money, learn how you can prevent these numerous help desk calls by learning the top 3 lies you are told about password policies and how to

Lie number #1: You need a password…

Before you close this window and write me off as a crazy person… wait and hear me out! A good foundation of every organization’s password policy begins with enabling Multi-Factor Authentication (MFA) - Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone - as a default policy for ALL users within a tenant. According to Microsoft, enabling MFA reduces your risk of attack by 99.99%. If your organization utilizes a Microsoft tenant and some form of MFA, you may not need a password at all.

The problem with passwords is that people want to create one that they can remember, and in doing so, they make a very vulnerable password. Hackers are constantly using unique tools and techniques to try and attain your password so they can log into your account and commit malicious acts. The best way to stop a hacker dead in their tracks is to cut out passwords altogether.

If you still don’t believe me… look at Microsoft’s official stance on the future of passwords.

Lie number #2: Passwords need to be reset every 90 days

Did you know that making a mandatory reset policy could open your organization to cyber-attacks? Requiring a user to change their password every 30, 60, or 90 days is not a good policy to force on an organization. Constantly changing your password could mean that future passwords could be composed of past sequencing of similar words, numbers, and special characters.

Don’t get me wrong… If you think someone may have access to your password it’s time to change your password immediately. However, forcing a password expiration policy on an entire organization may cause headaches for internal employees while simultaneously making a hacker’s job easier.

Lie number #3: Requiring Long Passwords

Forcing a 16-character length password onto an organization is the quickest way to start an angry mob complete with pitchforks and torches. Believe me, forcing a long lengthy password leads to anger, insecure practices, and passwords like “Passwordpassword1234.” When an organization forces long lengthy passwords, they are coincidentally making their organization less secure. A longer password often leads to simple long passwords that are stored in word documents, emails, or written down on paper.

Stick to an 8-character length password, or better yet, get rid of passwords altogether…

Don't Fall for These Lies

In reality, overlooking the importance of password policies happens in all sizes of organizations. If you think your current IT team or Managed service provider may be dragging its feet in updating your password policies (or enforcing MFA) maybe it’s time to switch to a reputable IT Team like Summit Technology.

Talk to us about how we can find you a solution that is Simple. Convenient. Secure.

If you still have questions about password policies or cybersecurity solutions, you can contact us at learnmore@greatservice.com or fill out our contact us form.