
Why Corporate Password Policies Don’t Work

It’s no secret that passwords pose a significant problem for organisations. The oldest and most common form of digital authentication is also the least secure, with credentials involved in over half of all successful cyberattacks in 2021, according to Verizon’s 2021 Data Breach Investigations Report.

Many of the most common practices by employees when managing passwords open organisations up to significant cyber risk. If employees create weak, easy-to-remember passwords for their apps, corporate data can easily fall victim to brute force attacks. If employees reuse passwords, then one breach can allow attackers unauthorised access to any other app using the same credentials. As a result, businesses often mandate password policies, requiring employees to use unique, complex passwords for each of their accounts.

However, password policies have inherent problems which prevent them from achieving what they set out to do, and organisations that depend on them remain highly vulnerable to cyberattacks. Here are some of the key reasons why password policies fail to secure businesses from data breaches and, more importantly, what you can do to address this.

Why password policies fail to protect organisations

Unrealistic demands on users

Password policies fundamentally fail to address a major issue with passwords – the sheer volume of them. The reason employees resort to poor password practices is not due to a lack of cybersecurity knowledge, but rather because the number of cloud apps in use means that creating and memorising unique, complex passwords for each of them is simply impossible. As a result, reusing passwords, simplifying them or writing them down become common practice. A My1Login study found that even giving employees cybersecurity training had little effect on their behaviour. While 91% of untrained users reused their passwords, this figure remained high at 85% even after cybersecurity training. Over half of users also wrote down their passwords, with no difference at all between the trained and untrained groups.

Inability to Enforce

On third-party applications, the business has no effective way of actually enforcing or monitoring compliance with its password policy, since the apps exist outside the control of the organisation. Without the ability to centrally enforce policies across all applications in use, IT departments are powerless, and the responsibility and burden lies with end users. The end result is that people with little interest in, or knowledge of, cybersecurity are effectively tasked with implementing cybersecurity initiatives.

Even adherence to policy doesn’t ensure a strong password

Even if password policies are adhered to by employees, or enforced on in-house applications, the password itself may not be strong enough by today’s standards to avoid being compromised. A common requirement is that passwords be of a certain length and contain a mixture of upper and lower case letters plus numbers or symbols – criteria which gave rise to “Password1” becoming one of the most common, and most insecure, passwords.

The UK’s National Cyber Security Centre (NCSC) recommends against the use of complexity requirements altogether, stating that the practice “is a poor defence against guessing attacks”, since “it places an extra burden on users, many of whom will use predictable patterns.” Even with extremely strict requirements, including exclusion filters and mandatory special characters, employees still frequently resort to common combinations which are easily exploited by cybercriminals and feature in commonly used cracking tools and password dictionaries, making them easy to brute force.
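The following is an added illustration, not code from the original article or from My1Login, of the point made above: a composition-rule checker of the kind most corporate policies mandate happily accepts “Password1” and its leetspeak variants, while a length-plus-denylist check in the style the NCSC recommends rejects them and accepts a long, non-dictionary passphrase instead. The denylist and the leetspeak normalisation table are constructed for the example; a real deployment would load a large breached-password corpus rather than a hard-coded set.

```python
import re

# Constructed, deliberately tiny denylist for the example. In practice this
# would be a breached-password corpus loaded from a file (assumption).
COMMON_PASSWORDS = {
    "password", "password1", "password123", "welcome1", "qwerty123",
    "letmein", "summer", "changeme", "admin",
}

# Constructed leetspeak substitution table used to canonicalise candidates.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i", "!": "i"})


def complexity_policy(pw: str, min_len: int = 8) -> bool:
    """Typical corporate composition rule: length, upper, lower, digit or symbol.

    This is the policy the article criticises: "Password1" satisfies every clause.
    """
    return (
        len(pw) >= min_len
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]|[^A-Za-z0-9]", pw) is not None
    )


def normalise(pw: str) -> str:
    """Canonicalise a password so predictable variants collapse onto their root.

    Lower-cases, strips the trailing digits/symbols users bolt on to satisfy
    composition rules ("Password1!" -> "password"), then undoes common
    leetspeak substitutions ("P@ssw0rd" -> "password").
    """
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    return s.translate(LEET)


def in_denylist(pw: str) -> bool:
    """True if the password, raw or normalised, is a known common password."""
    return pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS


def denylist_policy(pw: str, min_len: int = 8) -> bool:
    """NCSC-style policy: a minimum length and a denylist, no composition rules."""
    return len(pw) >= min_len and not in_denylist(pw)


def evaluate(pw: str) -> dict:
    """Report how one candidate fares under both policies."""
    return {
        "complexity_policy": complexity_policy(pw),
        "denylist_policy": denylist_policy(pw),
        "normalised_form": normalise(pw),
    }


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd1!", "Summer2021!", "tangerine-walrus-orbit-ledger"):
        print(candidate, evaluate(candidate))
```

Running the block shows the inversion the article describes: the three “compliant” passwords pass the composition rules and fail the denylist, while the passphrase fails the composition rules (no upper-case letter) yet is the only candidate the denylist policy accepts.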

Password policies themselves can be insecure

As well as the inherent problems with password policies, the advice given in them can often be inaccurate and out of date. Many policies require passwords to be regularly changed, for example, a practice which makes the already-difficult task of memorising credentials next to impossible, and according to the NCSC “harms rather than improves security”. Rules that cause end user friction also result in employees failing to adopt the policies.

Password policies fail to solve the wider problems of user authentication

Even in the unlikely event that a policy is strong, up-to-date, and adhered to by all members of staff, password policies ultimately fail to solve the inherent weaknesses of credentials as an authentication mechanism. The policy will not prevent former employees from retaining access to corporate passwords for example, or provide any method to share credentials securely between users.

In addition, password policies offer no protection at all against the most common method of attack in successful data breaches – phishing. In 2021, over 75% of organisations received a phishing attack, and over 85% of attacks attempt to obtain user credentials. Password strength is irrelevant to these attacks – the weakest and strongest passwords are equally vulnerable to being phished, so long as employees know the password and are responsible for entering it into login forms themselves.

How Single Sign-On (SSO) solves the problem of corporate password policies

More secure than dependency on people and training

The NCSC is clear in its advice that “passwords have a limited ability to protect your data and systems” and that SSO is an excellent solution for organisations which “massively reduces the pressure on a user to create and remember good passwords.” Adopting SSO as a technological solution removes the burden on end users and allows unique, high-entropy passwords to be automatically created and entered into login forms. Without relying on individuals to memorise passwords, there is no human factor limiting the complexity of passwords, or the number that can be memorised. Passwords can even be removed altogether for many applications by deploying secure tokens in their place via SAML or OIDC, eliminating the problem entirely and removing end-user friction.
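As an added example (not code from the article or from My1Login’s product), this block shows what “unique, high-entropy passwords automatically created” means in concrete terms: a machine-generated secret per application drawn with the `secrets` module, its entropy computed from the alphabet size and length, and a reuse check across the resulting vault. The application names and the 20-character default are constructed assumptions for the illustration.

```python
import math
import secrets
import string

# Alphabet the generator draws from: 62 symbols (letters and digits). Symbols
# could be added, but length contributes far more entropy than alphabet size.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password of `length` symbols chosen uniformly at random.

    For a human-chosen password this is only an upper bound; real choices follow
    predictable patterns and carry far fewer bits than their length suggests.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate one password using a cryptographically secure RNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision_vault(apps: list[str], length: int = 20) -> dict[str, str]:
    """Create a distinct, machine-generated password for every application.

    The user never sees or types these; an SSO agent fills them in, so
    memorability places no ceiling on length or randomness.
    """
    return {app: generate_password(length) for app in apps}


def has_reuse(vault: dict[str, str]) -> bool:
    """True if any two applications share a password (the risk SSO removes)."""
    return len(set(vault.values())) != len(vault)


if __name__ == "__main__":
    # Constructed application list for the demonstration.
    vault = provision_vault(["crm", "hr-portal", "mail", "ticketing"])
    for app, pw in vault.items():
        print(f"{app:10s} {pw}  ({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    print("reuse detected:", has_reuse(vault))
    # For comparison: a 9-character password like "Password1" tops out at
    # entropy_bits(9, 62) ~ 53.6 bits even if it were chosen at random.
```

The design choice worth noting is that `secrets` rather than `random` is used, because the latter is a non-cryptographic generator whose output can be predicted from a few observed values; and that entropy grows linearly with length, which is why a fill-it-for-me approach can afford 20 or more characters where a memorised password cannot.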

Centralised control and enforcement

With employees no longer responsible for managing, creating and entering passwords, the business is able to regain control of secure access to applications. Password and security policies can be centralised, mandated and enforced across all applications without reliance on the inherent weaknesses created by end-users. Even third-party apps which were previously out of sight of the IT department can be brought within the governance of the corporate password policy.

Solves the wider problems of passwords

As well as ensuring strong credentials are used to access applications, an SSO solution can also solve additional problems inherent to password-based authentication. Credentials can be shared securely between employees, and users can have their access revoked without ever seeing the passwords themselves. Because the passwords are undisclosed to users, credential phishing can be eliminated as a threat. Put simply, if users don’t know the passwords for applications, they cannot be phished for them.


Password policies which rely on end-user implementation miss the point of why password-based authentication is fundamentally insecure. They become self-defeating, as they require users to avoid practices which are only utilised in the first place because the demands of a typical password policy are themselves impractical and unrealistic for end users. The policy may feel like an effort is being made to address cybersecurity issues, but employees are ultimately being asked to perform tasks they cannot carry out, and the policy inevitably fails to deliver what it sets out to achieve.

According to the NCSC, which recommends SSO and Password Management as a solution to the problems of password-based authentication, “Your system's security should always rely on effective technical defences rather than depending on unachievable user behaviour.” The most effective way, therefore, for organisations to ensure strong passwords is to take the responsibility for creating, managing and entering them out of the hands of employees with Single Sign-On. This enables enterprises to solve the problems that passwords create at their core, putting the organisation in control of secure access to corporate resources and allowing employees to do their jobs in a secure, productive working environment.

Find out more: How IAM can take your organisation from password-based to passwordless.
