Balancing security best practices and compliance requirements against employee productivity has long been difficult.
Password management in particular has been one of the main inhibitors of employee productivity, and one of the main drags on employees' digital experience.
Mandating unique passwords for every account or system leads to user frustration, even in environments where access is centralized through Active Directory (AD). With dozens of passwords to remember across personal and professional accounts, employees are more likely to fall into poor password habits and let their digital hygiene slip. Forgotten passwords mean more IT help desk calls, more company time lost, and continued frustration on all sides.
Not only do legacy password management approaches inhibit productivity, but they can also compromise corporate security.
The National Institute of Standards and Technology (NIST), in Special Publication 800-63B, now recommends against mandatory periodic password resets (unless there is evidence of compromise) and against composition rules such as required character classes, because both harm employee productivity without improving account security.
Requiring periodic password resets was long thought to counter employees' poor password practices, especially choosing weak passwords and reusing passwords across accounts. However, studies have shown that mandatory resets do not improve security and instead drain IT resources. Users defeat the purpose of required changes by repeatedly choosing simple passwords, or by making small changes to a favored root phrase (incrementing a number, swapping a trailing symbol), because they know they will be asked to change it again soon.
In the same vein, password complexity requirements (upper- and lower-case letters, numbers, and special characters) have backfired, steering users toward highly predictable patterns. A password like "Giants2023!" satisfies every complexity rule, yet it is a dictionary word, a year, and a single exclamation mark, exactly the pattern cracking tools try first. Threat actors are well ahead of everyday human habits.
So, how can companies help their employees secure their passwords?
The most effective password management tactic is to screen every password against a list of commonly used and previously exposed credentials.
If a company can check that a password is not already known to attackers, periodic resets and complexity requirements become redundant and actively counterproductive. However, "checking" is not as easy as it sounds. There are many lists of exposed credentials on the open web and the Dark Web; some are curated for defensive use, but most circulate for sale and abuse. Every new data breach that exposes customer, client, and employee credentials makes yesterday's list stale. So a company that wants to screen passwords against a list needs one that is continuously updated and informed by threat research, not a static file downloaded once.
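The following is an added example, not Enzoic's code or a description of its API. It shows what screening at the point of password creation looks like in practice, and why it outperforms the complexity rules criticized above: "Giants2023!" passes every composition check yet is flagged immediately by a breach-list lookup. The lookup follows the k-anonymity range model (hash the candidate with SHA-1, query only the first five hex characters of the digest, compare suffixes locally), which is an assumed design here rather than anything the page states; the breach corpus and its exposure counts are constructed for the demo. The root-phrase heuristic at the end goes beyond the page: it is one way to catch the "small change to a favored root phrase" behaviour the text describes, and is a hypothetical addition, not a vendor feature.

```python
import hashlib
import re
import string
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in
# exposed data. A production list holds billions of entries; these are
# made-up values for the example.
EXPOSED_SAMPLE = {
    "Giants2023!": 2140,
    "Password1!": 900000,
    "Summer2024!": 35000,
    "qwerty": 4000000,
    "Welcome123": 120000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the candidate password (the usual key for
    exposed-password lookups)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Bucket the corpus by the first 5 hex chars of each digest, so a
    lookup only ever reveals a hash prefix, never the full hash."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(EXPOSED_SAMPLE)


def range_lookup(prefix: str) -> list:
    """Simulated k-anonymity range response: every 'SUFFIX:COUNT' line
    whose digest starts with the 5-character prefix."""
    return [f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix.upper(), [])]


def exposure_count(password: str) -> int:
    """How many times the exact password appears in the exposed corpus
    (0 means not found). Only the prefix leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def meets_legacy_complexity(password: str) -> bool:
    """The classic composition rule: 8+ chars with upper, lower, digit and
    special. Kept only to show what it does NOT catch."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def root_phrase(password: str) -> str:
    """Hypothetical heuristic (not from the page): strip trailing digits
    and symbols and lowercase, so 'Giants2024!' and 'Giants2023!' share
    the root 'giants'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


EXPOSED_ROOTS = {root_phrase(pw) for pw in EXPOSED_SAMPLE}


def screen_password(password: str) -> dict:
    """Point-of-creation screening decision. Accept only passwords that are
    neither exposed nor a trivial variant of an exposed root, and meet a
    minimum length; composition is reported but not enforced."""
    count = exposure_count(password)
    root = root_phrase(password)
    variant = count == 0 and len(root) >= 4 and root in EXPOSED_ROOTS
    return {
        "legacy_complexity_ok": meets_legacy_complexity(password),
        "exposed_count": count,
        "variant_of_exposed": variant,
        "accept": count == 0 and not variant and len(password) >= 8,
    }


if __name__ == "__main__":
    for candidate in ("Giants2023!", "Giants2024!", "correct horse battery staple"):
        print(candidate, screen_password(candidate))
```

Run as-is and "Giants2023!" reports complexity satisfied but an exposure count above zero, "Giants2024!" is caught as a variant of an exposed root, and the long lowercase passphrase, which fails every composition rule, is the only one accepted. In a real deployment the range index would be replaced by a call to a continuously refreshed service, and the same check would be repeated on existing passwords as new breach data arrives, which is the ongoing screening the next section describes.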
Enzoic's proprietary solution screens every proposed password against our continuously updated database, which contains billions of passwords previously exposed in data breaches and found in cracking dictionaries. This satisfies the NIST guideline to screen passwords at the point of creation, but crucially we also keep checking them afterwards: a password that was clean when it was set can appear in a breach dump next month. Our database updates automatically multiple times per day, so every organization's password screening reflects the latest breach intelligence without the IT department having to maintain or upload new lists.
With Enzoic, verifying password integrity happens entirely in the background and helps you strike the right balance between password security and employee productivity. If an employee's password turns up as compromised, the response (forcing a reset, notifying the user, or stepping up authentication) can be automated. This lifts the burden of password security off users and lets employees focus on their work.