Complete I.T. Blog

What Does a Good Password Policy Look Like?

Feb 22, 2019 | Cyber Security


Hello passwords my old friend

Now is the time to rethink our approach to password management, maybe even passwords altogether.

To start with, let’s go back to basics and ask why we began to enforce password changes in the first place. The short version: if an existing password had been compromised without our knowledge, replacing it closed the door on whoever held the old one, so regular rotation limited how long a stolen password stayed useful. But with UK businesses subjected to an average of 52,596 attacks each in the run up to June of last year, password management advice continues to change. The problem is that much of that advice does not consider the user experience… Another 12-character password? Really?


As we all become more dependent on a plethora of e-commerce and SaaS sites, it is not uncommon to have 30 or more passwords at any given time. If you think about those passwords for a second, at least one of them probably contains the year you were born, one contains the name of a family member or pet, and more than a few end with the trusty exclamation mark. Not only that, it is likely that you reuse one of those passwords across a range of sites. This may seem like an easy way to keep track of your small directory of passwords, but in reality you are making it far too easy for attackers. Your social media accounts probably make it easy for anyone to find out the names of your family members, most definitely your pet’s name, and an idea of what you get up to in your spare time. Those details feed straight into the wordlists that automated password-guessing tools work through, and a password reused across sites means that one site’s breach unlocks all the others.

This all begs the question: does being forced to change your passwords as regularly as we are, while using a range of numbers, symbols, letters, tears and so on, really make us more secure? In all honesty, the answer is no, not really. When forced to change a password, the chances are that the new one almost mirrors the old one (the year bumped up by one, a different symbol on the end), or the ‘new’ one is really an old password you used for another site. Attackers know these patterns and try them first, so the change buys very little. On top of this, if we are forced to create passwords that are as cryptic as possible, the chances are that, if you are anything like me, you will need to store it somewhere, and a password written on a sticky note or saved in a plain text file is yet another vulnerability.
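The screening that the two paragraphs above argue for, as an added example (this is not code from the original post): a server-side check that rejects a password built from details an attacker can look up, a common password dressed up with symbol substitutions, and a “new” password that is the old one with the digits or punctuation rotated. The deny list, the personal details and the sample passwords are all constructed for the example; a real deployment would use a breached-password corpus instead of the six-entry list.

```python
# Added example (not from the original post): screen a proposed password
# against the weak habits described above. Standard library only.
import re
import string
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed stand-in for a real deny list (in production: a breached-password
# corpus). Entries are stored in normalised form (see normalise()).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "monkey"}

# Common letter/symbol substitutions, so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})
# Characters people bolt on to the start or end of an otherwise unchanged word.
TRIM = string.digits + string.punctuation + " "


def normalise(password: str) -> str:
    """Reduce a password to its alphabetic core: strip leading/trailing digits
    and symbols, undo leetspeak, and keep letters only. 'Winter2018!' and
    'Winter2019!' both become 'winter'."""
    core = password.lower().strip(TRIM).translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def screen_password(new: str, old: Optional[str] = None, personal=(),
                    min_len: int = 12) -> List[str]:
    """Return the reasons to reject `new`; an empty list means accept.
    `personal` holds details that are easy to find out about the user
    (pet name, family names, birth year), supplied by the caller."""
    reasons: List[str] = []
    if len(new) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = normalise(new)
    if core in COMMON_PASSWORDS or new.lower() in COMMON_PASSWORDS:
        reasons.append("matches a common password (after undoing substitutions)")
    for term in personal:
        t_raw, t_core = term.lower(), normalise(term)
        # Raw check catches digits such as a birth year; core check catches
        # a name hidden behind substitutions or surrounded by symbols.
        if (len(t_raw) >= 3 and t_raw in new.lower()) or \
           (len(t_core) >= 3 and t_core in core):
            reasons.append(f"contains personal detail '{term}'")
    if old:
        if normalise(old) == core:
            reasons.append("same as the previous password once digits/symbols are removed")
        elif SequenceMatcher(None, old.lower(), new.lower()).ratio() >= 0.8:
            reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a user whose pet is Rover and who was born in 1985.
    for candidate in ["Rover1985!", "P@ssw0rd!2019", "Winter2019!",
                      "correct horse battery staple"]:
        verdict = screen_password(candidate, old="Winter2018!",
                                  personal=["Rover", "1985", "Smith"])
        print(f"{candidate!r:32} -> {verdict or 'accepted'}")
```

The normalisation step is what makes the old-versus-new comparison useful: without it, `Winter2018!` and `Winter2019!` differ in one character and a naive “at least one character changed” rule would wave the change through.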

With all of this in mind, it feels like we are on an ever-turning password management wheel. The more we rely on e-commerce and SaaS sites like Amazon and Netflix, the more passwords we need. The more passwords we need, the more times we have to change them. The more times we have to change them, the more vulnerabilities we create, bringing us back to the original dilemma: how do we secure our accounts effectively?

The National Cyber Security Centre (NCSC) now recommends that organisations should not force regular password changes, explaining that this should reduce the vulnerabilities discussed above. Will it? It is a tough question. Think back to the ever-turning password management wheel. Are we going back on ourselves by not enforcing regular password changes? With a host of conflicting information and evidence, it can be very hard to know what is best to recommend to your teams. It is inevitable that each of us will have a different opinion on the best approach to take. For us to be able to provide some solid recommendations, let us all agree that, for the time being, passwords are here to stay and different businesses will have different policies for managing them.

Passwords are the first line of defence, not the only defence

Now that we are all in agreement on the state of password management, let’s discuss passwords as the first line of defence and not the only line of defence. Think of passwords like your front door key. Yes, it lets you into your house, but most of you reading this don’t secure your home with just the one lock. The chances are you have a security alarm, extra locks and bolts or maybe even security cameras, so why would you use just a password to protect the devices that probably hold more sensitive information than you keep in your home?

Unfortunately for us, cybercriminals are becoming increasingly sophisticated. With their host of automated brute-force and credential-stuffing tools, it would be somewhat foolish to attempt to secure your devices and online accounts with just a password. Single-factor authentication has definitely had its day. With so much conflicting information on password makeup, length and expiry, now is the time to really promote the use of two-factor authentication (2FA) to add an extra layer of protection to our devices and accounts. Luckily for us, 2FA is becoming increasingly common across the internet and consumer websites. It takes just a few clicks for the end user to enable it through their account settings.



Types of two-factor authentication

So 2FA. As we have said, most websites now offer the use of 2FA to their users – the question is, which variations are most commonly employed?

SMS two-factor authentication

SMS authentication is one of the most commonly deployed types of 2FA. When you log in to a site that uses it, once you have entered your username and password you receive a text message with a code, typically 4 to 6 digits long, which the site asks you to enter before you can proceed. If you are looking at 2FA to bring another layer of protection to your business and customers, SMS 2FA is most probably the easiest one to roll out. Since nearly everyone owns a phone capable of receiving SMS, there is no need for your staff or customers to install a third-party application in order to add a line of defence beyond passwords.

If only it could be that easy. There are some important things you need to think about should you opt for SMS 2FA. With the rise in awareness of data privacy and the GDPR, a growing number of people may not feel comfortable giving their phone number to a website. What would your customers do if they needed to log in to your site or platform and couldn’t because they had no phone signal? And the code travels over the mobile network to whichever handset currently holds the number, so an attacker who persuades the carrier to move that number to their own SIM (a “SIM swap”), or who can otherwise intercept text messages, receives the code instead of your customer. SMS is best treated as the baseline option rather than the strongest one.

Authenticator Applications

Still relying on a mobile phone, although also available as browser plug-ins, this method provides 2FA through a smartphone application. One of the most common is Google Authenticator. Yes, it was built to secure your Google account and services, but it also generates codes for any third-party application that supports the same open standard (TOTP, the time-based one-time password scheme), such as password managers or file hosting services. To set it up, a website or application that offers this protection shows you its secret key, usually as a QR code you scan and sometimes as a string of letters and digits you type in. From then on the app combines that secret with the current time to produce a fresh six-digit code every 30 seconds, and the site performs the same calculation to check it. A huge advantage over SMS 2FA is that, because the code is computed on the phone rather than sent to it, it works even when you have no network connection at all.

However, there are of course some drawbacks. If you lose your phone and you did not keep a copy of the secret key or any backup codes the service offered at enrolment (after all, if you have taken any of the advice above, why would you write it down?), then you could well lose access to your account(s). Not forgetting the user experience too: if you need to unlock your phone and open an app to get a code every time, would you persist in using it? There are alternatives, however. Our two-factor authentication partners Duo offer a small hardware token that fits on a key ring and provides an authentication code each time you need one: plug it into your machine and let the key authenticate for you.

So where does that leave us?

Unfortunately for us, passwords are here to stay. Although we have seen the adoption of facial and fingerprint recognition on our smartphones, we are yet to see this develop into a mainstream form of account security, especially on e-commerce sites. Whether we choose to rely solely on a first line of defence or begin to adopt second lines such as 2FA, both have their flaws. For the time being, adopting a second line of defence seems to be the best way to secure your accounts. See which Complete I.T. office can help you to better secure your systems.