Update Password? Here Is A Password Update...

Human error is the weakest link in network security. This includes using weak passwords and falling for phishing and social engineering attacks.


What’s The Problem?

A big problem with password policies today is that we likely spend way too much time on them. But shouldn’t we? Overall, even with weak passwords, at least temporarily, being involved in 30% of ransomware attacks, exploits due to password issues are still a much smaller risk when compared to social engineering and unpatched software. Phishing and social engineering are responsible for 70% to 90% of all breaches. Unpatched software is involved in 20% to 40%. Together, they account for 90% to 99% of all successful breaches. Everything else added up together, including password issues, only accounts for maybe, at the most, 10% of all breaches. So if you’re spending days and days debating what your password policy should be, but not also spending days and days improving the controls you use to mitigate social engineering and unpatched software, you’re spending too much time on passwords (Roger Grimes – KnowBe4).


So, what’s the best password policy?

So, what’s the best password policy? Focus on fighting social engineering and patching unpatched software until you get those issues dealt with to the point that they are no longer the top two biggest issues by far. That’s the better fight.

A Few Password Tips (Roger Grimes – KnowBe4):

  1. Use multi-factor authentication (MFA) 
  2. Where MFA is not an option, use password managers where you can, creating unique, as-long-as-possible, random passwords for each website or security domain.
  3. Where password managers aren’t possible, use long, simple passphrases.
  4. Change all passwords at least once a year, and change business passwords every 90 to 180 days.
  5. In all cases, don’t use common passwords 


Most importantly, regardless of your password policy, never reuse any password between different sites!
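The tips above (password-manager style random passwords, long simple passphrases, no common passwords) and the no-reuse rule are easy to turn into checks. The following Python is an added example written for this page, not code from the original article or from KnowBe4. The word list, the common-password set and the sample vault are all constructed for illustration; a real deployment would use a large word list (such as the EFF diceware list) and a real breached-password corpus.

```python
import math
import secrets
import string

# Constructed word list for passphrases (assumption: a real deployment would use a
# large published list; 16 words gives only 4 bits per word here).
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pebble",
]

# Constructed sample of commonly used passwords, lowercased for comparison.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Full printable alphabet a password manager would draw from (94 symbols).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 24) -> str:
    """Password-manager style secret: uniform random choice from the full alphabet.

    `secrets` is used rather than `random` because the latter is not suitable for
    security-sensitive values.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def passphrase(words: int = 6, separator: str = "-") -> str:
    """Long, simple passphrase: random words from WORDLIST joined with a separator."""
    if words < 4:
        raise ValueError("use at least 4 words")
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of a secret built from `length` uniform choices among `symbol_count` symbols."""
    return length * math.log2(symbol_count)


def is_common(candidate: str) -> bool:
    """Reject anything on the common-password list, ignoring case and trailing digits
    or punctuation, so that 'Password1!' is caught as well as 'password'."""
    lowered = candidate.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS


def reused_passwords(vault: dict) -> dict:
    """Map each password that appears under more than one site to the sites sharing it.

    Runs over a {site: password} mapping such as a password-manager export.
    """
    by_password: dict = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print("random password :", random_password())
    print("passphrase      :", passphrase())
    print("bits, 24 chars  :", round(entropy_bits(len(PASSWORD_ALPHABET), 24), 1))
    print("bits, 6 words   :", round(entropy_bits(len(WORDLIST), 6), 1))
    # Constructed sample vault showing one password shared across two sites.
    sample_vault = {
        "mail.example": "Password1!",
        "bank.example": "anchor-basil-cobalt-dune-ember-fjord",
        "shop.example": "Password1!",
    }
    print("common?         :", {pw: is_common(pw) for pw in set(sample_vault.values())})
    print("reused          :", reused_passwords(sample_vault))
```

The entropy figures are the point of tip 2 versus tip 3: 24 characters from a 94-symbol alphabet give roughly 157 bits, while six words from a 16-word list give only 24 bits, which is why a passphrase needs a large word list and several words to compete with a manager-generated secret.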