AbleToTrain by Willing & Able

Why requiring complicated passwords is a risky security practice

According to the 2022 Ponemon Report on the Cost of Insider Threats, most insider occurrences are the result of careless personnel and unintentional behavior (57 percent).

According to recent Ponemon research on the cost of global insider threats, 3,807 attacks, or 56%, were triggered by employee or contractor negligence, costing an average of $484,931 per incident.

This can stem from a number of issues, including failing to safeguard their devices and failing to follow the company’s security best practices. A robust password policy is essential to every organization’s security strategy, but can it be taken too far? How can we enforce one in a way that respects our colleagues and still supports best practice?


Overcomplicating results in simplicity

Passwords should be a minimum of eight characters long and contain at least one of each of the following: a numeric character, an uppercase letter, a lowercase letter, and a special character. Systems frequently require that any login password expire after 90 days, which is sound from a data-protection standpoint. However, forcing a user to accept a password that is a random, overcomplicated string of digits, letters, and symbols is a very different matter.

If you do, there is one near-certain outcome: they will write it down. It may be on a Post-It note, at the back of their office notebook, in a phone note, or on random scraps of paper, but they will feel obliged to record it somehow if they don’t think they will remember it. Obviously, this is a security weakness waiting to happen, and most insider events are caused by careless staff making basic mistakes like this.

According to the Ponemon Report, 57% of insider incidents involved employee negligence, while 51% indicated a malicious outsider stole data by compromising insider credentials or accounts. Educating our colleagues on the need for data security is vital, but we can also help them make good choices with a simple exercise: promoting a simple system for remembering passwords, rather than insisting they memorize complicated codes that they would otherwise write down on paper.

While a password manager is one answer, where there are several points of entry and multiple unique passwords to remember, the password manager itself still needs its own single strong password that the user must remember.


One easy life trick

Colleagues can be encouraged to come up with a memorable phrase or an acronym and develop their own memorable password from it. A useful technique for making passwords more distinctive is to replace a few letters with numbers, deliberately misspell words, and/or use acronyms or abbreviations.

Employees can be encouraged to experiment with substituting the same letters with the same special symbols or numbers – creating their own personal system – or simply omitting certain letters entirely from a sentence they can recall. After all, their password is a secret, so no one will be checking their spelling.

Here are a couple of examples:

“open sesame” could be spelled “opN-55aM.”

“My dog Maggie” could be spelled “mydO6ma66ie.”

“I enjoy a cheese sandwich,” for example, could be “IehC5991.”

“+1 866 926 4678” could be spelled “Tel+!8(2$4*8.”

(Using the shift key on the keyboard to generate characters)

“Shall I liken thee to a summer day? Thou art more lovely and temperate,” for example, may become “siCT2ASD?tAML&MT.”

Some employees may want to replace the letter “a” with the number 4, or to drop all vowels entirely. Others prefer to put an exclamation mark after each word, to write “v” as “>”, or to replace “o” with an asterisk. Each of these substitution approaches acts as a distinct variable in the individual’s own system. Each time a password changes, the same few basic rules carry over from password to password and job to job, so every member of staff can be encouraged to have a unique personal password code that they can realistically keep for life. A minimum of four or five variables per personal system should be required to ensure passwords that are both strong and easy to remember.
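To make the idea concrete, here is an added example (not from the original article) that applies a small personal substitution system of the kind described above to a memorable phrase, and then checks the result against the complexity policy stated earlier (eight characters minimum, at least one digit, one uppercase letter, one lowercase letter and one special character). The substitution rules and the sample phrases are constructed for illustration; the “open sesame” case shows why a personal system still has to be checked against the policy before it is relied on.

```python
"""Added example, not from the original article: a constructed personal
substitution system and a checker for the stated password policy."""
import re

# Constructed personal system: the same letter always becomes the same
# symbol or digit, two vowels are dropped entirely, and every password
# ends with an exclamation mark.
SUBSTITUTIONS = {"a": "4", "e": "3", "o": "*", "s": "5", "v": ">"}
DROP_LETTERS = {"i", "u"}
SUFFIX = "!"

# Character classes required by the policy quoted in the article.
POLICY_CLASSES = {
    "digit": r"[0-9]",
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "special": r"[^A-Za-z0-9]",
}


def apply_system(phrase: str) -> str:
    """Turn a memorable phrase into a password using the fixed rules."""
    # Capitalise each word first so the result keeps some uppercase letters.
    capitalised = " ".join(w[:1].upper() + w[1:] for w in phrase.split())
    out = []
    for ch in capitalised:
        key = ch.lower()
        if key in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[key])
        elif key in DROP_LETTERS or key == " ":
            continue  # dropped letters and spaces never appear in the password
        else:
            out.append(ch)
    return "".join(out) + SUFFIX


def check_policy(password: str, min_len: int = 8) -> list:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    for name, pattern in POLICY_CLASSES.items():
        if not re.search(pattern, password):
            failures.append(f"no {name} character")
    return failures


if __name__ == "__main__":
    for phrase in ("my dog maggie", "open sesame"):
        pw = apply_system(phrase)
        print(f"{phrase!r} -> {pw!r}: {check_policy(pw) or 'passes policy'}")
```

With these rules “my dog maggie” becomes “MyD*gM4gg3!” and passes, while “open sesame” becomes “*p3n5354m3!” and fails for lacking an uppercase letter, because every capitalised letter in that phrase is one the system replaces with a symbol.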