Fifteen years ago, password policies started to look something like this:
-
At least ten characters.
-
At least one capital letter, one number, one punctuation mark.
-
Changed every four weeks in a frustrating password flow.
-
At which yet another hard-to-remember password was required.
If you were very secure, perhaps your password policy even looked like this:
-
Every four weeks, your password will be reset for you
-
And a randomly-generated string will be briefly displayed so you can copy it down
All of this made it nearly impossible for users and passwords to be friends.
Passwords were required for users to do the things they needed to do—yet the passwords themselves were not natural, easy-to-remember sequences. Worse, they changed often so that users had no hope of memorizing them.
If you’re still doing this for any reason other than outdated regulations, you’re well behind the times.
It’s 2020 and You Should Have MFA
A year ago we pointed out that all of this is out of date.
Multi-factor authentication (MFA) adds another identity factor to user logins, generally one that they don’t have to remember. Common examples include:
-
A one-time code sent to a phone by SMS
-
A little USB device like a YubiKey that enters such a code for the user
-
A little keychain fob that displays a one-time code
-
A required tap following a phone push response at login
-
A phone fingerprint scan at login
There are many others, but you get the idea—there are now other credentials that can be requested in addition to passwords, meaning that logins can be far, far easier.
This is because 81% of data breaches result from stolen or guessed credentials. With MFA in place, those credentials can’t be used without providing additional identification that users don’t have to remember.
That’s why at RSA this year, Microsoft said that 99.9% of all illicit logins they tracked resulted from accounts not protected by MFA.
Of course, MFA comes with is own problems. SMS codes are generally not as secure as other forms of MFA, for example, and small USB device or fobs are easily forgotten or lost.
But none of this changes the basic calculation.
The Time for Password Rules Has Passed
The point is that complex password rules and regimes were never as secure as any form of MFA. Why? Because:
-
Users couldn’t remember the passwords
-
Meaning they wrote the passwords down near their workstations
-
Or found themselves frequently calling support for help entering accounts
-
Which primed support for social engineering attacks
All of this suggests two key questions for security personnel.
-
If you don’t yet have MFA, why not? MFA is the best practice of today; password policies may have been a best practice once, but they’re now obsolete.
-
If you do have MFA, yet you’re still burdening your users with excessive password rules, why are you doing something that makes logins less secure?
Stop it. Stop it now. Unless you’re burdened by out-of-date regulations, in which case you should be lobbying regularly for those regulations to get with the times.
Selling MFA to Users
If you aren’t using MFA yet because your users hate the extra steps, offer the deal we’ve heard about in industry discussions several times now.
Offer users who agree to adopt MFA a far simpler password life. Something like this:
-
You can revert to a 10-character password of your choice, no required punctuation, numbers, or capitalization
-
And you’ll only be required to reset it once every year, at the start of the year
-
If you agree to perform an MFA step for all of your company logins
This deal provides increased account security versus passwords alone and often makes it easy to sell MFA to users who may not prefer to perform an extra step, but who would much rather perform a mindless extra step than try to comply with a rocket science password policy.
Making Logins Even Easier
But as we pointed out earlier, it’s mid-2020. Why are hard logins even a thing any longer? Could you sell your users something like this?
-
You can revert to a 10-character password of your choice, no required punctuation, numbers, or capitalization
-
And you’ll only be required to reset it once every year, at the start of the year
-
That’s it; you won’t even be required to perform an MFA step for all of your company logins—just enter your username and the password that you can now actually remember
Could you sell a policy like that to your users?
“Of course I could,” you’re thinking. “But it would be totally insecure.”
Except that it wouldn’t—because now there are MFA technologies that don’t require an extra step or any extra hardware.
Plurilock ADAPT™, for example, identifies users based on tiny micro-patterns that emerge as they enter their username and password. So it adds an additional biometric identity factor without requiring any additional action by the user at all.
Technologies like ADAPT provide all of the security benefits of MFA without requiring any additional user input, devices, or steps.
This means that from the user’s perspective, you can now just plain make passwords easier again, without any loss of security, putting an end to all those resets and support calls in ways that keep the security team and the liability team happy.
So if inertia is keeping your organization tied to complex, onerous password policies that drive users crazy and negatively impact security, it’s time to re-read the points above.
Then, get a move on—choose an MFA provider, make a password policy change, and relieve your users of the hard password burden. It’s 2020, after all. ■