
Why password policies are a waste of time and money for companies

(Image credit: Christiaan Colen / Flickr)

Every year, billions of personal and corporate accounts are hacked. And every year, organizations respond in the same way: enforcing stricter password policies. The result? A false sense of accomplishment and a short-lived boost to security, followed by a return to the usual: insecure passwords and, of course, more compromised accounts.

Password policies are a common band-aid approach that does not solve the security woes of organizations when, in fact, a more fundamental solution is needed to prevent corporate account breaches.

The recurring theme of password breaches

Despite increasingly strict password policies, there’s no drop in the frequency or scale of account-related security incidents.

According to RiskBased Security, a total of 7.9 billion user records were hacked in 5,183 breaches in the first nine months of 2019 alone. This is an alarming figure, particularly when considering that it includes firms such as Capital One (100 million breached records) and Quest Diagnostics (11.9 million records), both of which handle sensitive financial and health-related information. Compared to the same period in the 2018 report, this represents a 33.3 percent increase in the total number of breaches and a 112 percent spike in the total number of records exposed. The data becomes even more concerning when considering that around 70 percent of data breaches are initiated through stolen credentials, according to Verizon’s 2019 Data Breach Report.

The inefficiency of password policies

By banking on password policies, organizations put the burden of securing accounts on the users. The costs, however, are incurred not only by the users but by their organizations as well. Here are some of the key pain points of password policies:

The rotating forgotten password

When an organization imposes a password policy requiring periodically changed passwords, many employees do not comply correctly (if at all) and become locked out of their accounts, leading to a greater drain on helpdesk resources and increased IT support costs.

A recent survey by Carnegie Mellon and Indiana universities found that only 33% of people change their passwords after a service provider is breached, and only 13% do so within the first three months of a breach. Unfortunately, most of those who do change their password use a weak replacement for their old one.

Complexity makes it easier to fail

Meanwhile, increasing requirements for password complexity (longer passwords, diverse characters, etc.) put a cognitive strain on users to come up with passwords they often forget, hence incurring even more helpdesk costs. The alternative? Writing passwords down on a piece of paper, or worse, storing them in a computer file, which undermines the very idea of secure passwords in the first place.

In this regard, the findings of the Ponemon Institute’s recent 2020 State of Password survey are damning: “Forty-nine percent of IT security respondents and 51 percent of Individuals share passwords with colleagues to access business accounts. Fifty-nine percent of IT security respondents report that their organization relies on human memory to manage passwords, while 42% say sticky notes are used.”

Even with the best efforts, password complexity is a moving target. As computers grow stronger, brute-force password-guessing methods become more efficient, and organizations are forced to make their passwords even more complex to stay ahead of the attackers. But the human brain, the hardware users have at their disposal to memorize passwords, isn’t growing in capacity or computational power.

How many passwords can you memorize?

Password policies require users to have a unique password for each account and avoid reusing passwords across different accounts. Given that most people have dozens of corporate and personal accounts, how likely is it that they will abide by this rule? Very unlikely. In fact, most users either reuse the same passwords across their accounts or use very simple and similar passwords for memory’s sake.

The two-factor authentication nightmare

Another traditional go-to password policy is two-factor authentication (2FA) enforcement on employee accounts. This usually adds friction and frustration to the user experience, which often leads to employees ignoring it or disabling it for the sake of convenience. In addition, 2FA policies require physical keys that often get lost and other operational headaches that increase IT support needs and helpdesk costs.

The endless cycle of education

Password policies also incur education costs, including teaching staff members about phishing and social engineering protection and keeping them up to date with the latest security trends and threats. Take, for example, the remote-access security measures employees should heed now, in the face of cyber criminals leveraging the pandemic to trick their victims into revealing personal and business account credentials, and thereby sensitive data.

Keeping up with password policies becomes so hard, in fact, that even security teams often neglect them. According to the Ponemon Institute, IT security professionals are not immune to password reuse and sharing, nor to accessing workplace apps from personal mobile devices without 2FA.

The hated stash of secrets

Finally, even with the most stringent password policy, security woes won’t go away. Any large store of passwords, if in the wrong hands, can wreak havoc. Organizations must go to great lengths to protect password databases against attackers and meet regulatory demands.

The protection of password databases incurs additional overhead costs of network security, access management, and making sure passwords are hashed and salted in storage to prevent any possible data breach from compromising employee accounts.
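As an added illustration of the hashing-and-salting requirement just mentioned (example code written for this page, not the author's or Secret Double Octopus's), the following Python stores each password as a per-account random salt plus a slow PBKDF2-derived key and verifies a login without ever keeping the password itself; the iteration count is an assumed value to tune for your hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it as hardware allows).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: a fresh per-account salt plus the derived key.

    The salt ensures two accounts with the same password get different
    records, so a leaked table cannot be attacked with one precomputed list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, record["iter"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_distinct_records(password: str) -> bool:
    """Check the property a salted store must have: equal passwords,
    unequal stored hashes."""
    a, b = hash_password(password), hash_password(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    # Constructed sample credentials for a quick self-check.
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Correct horse battery staple", rec))   # False
    print(same_password_distinct_records("hunter2"))              # True
```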

Organizations must also make sure their storage and handling of account passwords conform with constantly changing regulations, which also happen to vary across jurisdictions. And falling afoul of those regulations can be very costly, to say the least.

The best policy is no policy

Decades of password-based security have proven that users choose convenience over security—unless they can have both. And the struggle to find the password policy that strikes the right balance between these two conflicting goals is increasingly proving to be a lost cause.

So, what is the best password policy? Odd as it may sound, it’s one that includes no passwords. Passwordless authentication has proven to be the answer to all the woes listed above. By replacing the old secret-memorizing security scheme with cutting-edge technology that is both super secure and easy to use, passwordless authentication redefines the ancient trade-off between security and usability and frees employees to do their work, wherever they are.

Shimrit Tzur-David, CTO and Co-Founder, Secret Double Octopus

Shimrit holds an MSc and PhD from the Hebrew University in Computer Science. Her research areas primarily focused on PKI, cryptography, anomaly detection, web attacks, DDoS and intrusion detection and prevention systems. During her PhD, Shimrit was a consultant for Check Point and Marvell Semiconductor, and designed an intrusion detection system product there.