Published: 28 August 2023
Summary
Despite shifts toward passwordless multifactor authentication, password use persists in many use cases and remains a significant source of risk and user frustration. Security and risk management leaders should craft simple, effective policies that are clear, actionable and easy to comply with.
Included in Full Research
Overview
Key Findings
Many password policies are tediously pompous, cursory or ambiguous, leaving readers confused about which rules apply to them, and how they are expected to behave.
Password policies typically reiterate onerous, historical rules that have little demonstrable security benefit, creating unnecessary friction for users and potentially encouraging nonsecure behavior. Regulations often enshrine such rules.
It is common for password policies to oversell the value of passwords as a cybersecurity control, and to mention multifactor authentication only as an afterthought, if at all.
Recommendations
Security and risk management leaders focused on identity and access management should: