Okta, an independent identity provider for enterprises, recently unveiled its fourth annual Businesses @ Work Report, which included the stunning finding that just 4.4 per cent of business passwords met the default policy of more than eight characters with a mix of digits and both upper- and lower-case letters.
According to the report, half (50.5 per cent) of passwords are too short, and 45 per cent are too weak because they lack a mix of character types and digits.
This is despite evidence that strong password policies can protect businesses from “brute force and password spraying attacks”.
“Passwords aren’t a silver bullet to protect your apps and data. They’re just one piece of what should be a much more sophisticated puzzle,” the report noted.
“However, the good news is that companies of any size can mitigate many password-based attacks by enforcing longer credential length and MFA (multi-factor authentication).”
Okta said the standard company password policy consists of these five rules:
- A minimum length of eight characters
- At least one lowercase letter, one uppercase letter and a number
- A maximum of 10 password attempts before locking a user out of their account
- Recovery tokens expire after one hour
- No password may include the username
When followed correctly, this policy significantly enhances the effectiveness of passwords. Indeed, in an analysis of breached passwords, just over half (50.5 per cent) used fewer than eight characters, while even more failed to incorporate a mixture of character types.
However, former hacker turned global cyber-security consultant Kevin Mitnick previously told My Business that an even better approach is to move away from “passwords” and towards “passphrases”.
“A phrase like from Pink Floyd – ‘We don't need no education’, from the album The Wall … a passphrase of over 25 to 30 characters; it doesn't have to be with numbers and upper case and special symbols at all, it just could be a sentence,” he said.
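As an added illustration (not Okta's code or anything from the report), the following Python encodes the five-rule policy listed above as a password checker plus a toy account with attempt lockout and a one-hour recovery-token lifetime, and runs Mitnick's Pink Floyd passphrase through the checker to show how the two approaches interact: the passphrase clears the length rule by a wide margin but still fails the digit requirement. The account fields, hypothetical usernames and token handling are assumptions for the example.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Thresholds taken from the five-rule policy described in the report.
MIN_LENGTH = 8
MAX_ATTEMPTS = 10
TOKEN_TTL = timedelta(hours=1)
def check_password(password: str, username: str) -> list:
    """Return the policy rules a candidate password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems
@dataclass
class Account:
    """Constructed toy account state; a real system stores a salted password hash."""
    username: str
    password: str
    failed_attempts: int = 0
    locked: bool = False
    recovery_token: Optional[str] = None
    token_issued_at: Optional[datetime] = None
def attempt_login(acct: Account, password: str) -> bool:
    """Verify a login; lock the account after MAX_ATTEMPTS consecutive failures."""
    if acct.locked:
        return False
    if hmac.compare_digest(password.encode(), acct.password.encode()):  # constant-time
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True
    return False
def recovery_token_valid(acct: Account, token: str, now: datetime) -> bool:
    """A recovery token is only honoured within TOKEN_TTL of being issued."""
    if acct.recovery_token is None or acct.token_issued_at is None:
        return False
    fresh = now - acct.token_issued_at <= TOKEN_TTL
    return hmac.compare_digest(token.encode(), acct.recovery_token.encode()) and fresh
if __name__ == "__main__":
    # Mitnick's passphrase: 26 characters, but the policy still flags it.
    print(check_password("We don't need no education", "alice"))  # prints ['no digit']
```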