Current corporate password policies only creation frustration for end users and do not ultimately create a more secure workplace.
Lets take a look at some of the common policies that actually do not increase security but sure add to the complexity.
The most common policy is requirement that you frequently change your password, usually between every month to every 90 days. Research has shown that people will just change the password slightly, for example by increasing a trailing digit. If a hacker ever finds out an earlier iteration of your password it will be quick guesswork to find out your current password. The policy is so bad that the United States Federal Trade Commission recommended against its use in 2016.
Another common policy is complexity. At first companies required that you used mixed case and then they added requirements to incorporate numbers and now they are asking users to incorporate symbols. Unfortunately it makes passwords harder to remember and more prone to being written down all the while still easily cracked. Changing an A to an @ or an I for a 1 is too predictable. In addition these passwords can be hard to enter correctly increasing the chances of help desk calls when a user is locked out. They are also hard to remember.
So what is a good password? A randomly generated or long phrase. For example, “MyCatEightMyDog!” The longer a password the harder it is for a hacker to brute guess a password. Also you should never reuse a password. Every website or service should have a unique password.
Phrases are easier to remember, but I still recommend a good secure password single sign on, like what Google and Apple offer with their browsers. Apple’s iCloud Keychain can generate and store passwords that will auto-populate. Now a good website or service will work with the single sign on services and allow easy password changes. Apple’s iCloud Keychain takes this a step further and even works with iOS apps to let you login anywhere on Apple’s platform. In addition, if required, you can view all your passwords to help you troubleshoot.
Corporations and websites can take simple steps like preventing brute force logins by limiting wrong attempts. They can reduce help desk calls by using or supporting fully featured single sign on solutions. They should not require password changes unless a breach is suspected. They can also reduce complexity as it’s not needed with the proper security protocols including those mentioned to limited brute force logins. Reduced complexity will help people remember their passwords better and allow use were single sign on can’t be supported.
Unfortunately for the moment, company policies do not achieve their goals and actually increase costs and headaches for everyone involved, except for crooks.