Do you still experience pushback on implementing robust password policies at your organization?

Security & GRCIdentity & Access Management (IAM)Data Privacy
2k views2 Upvotes5 Comments
CISO in Software, 201 - 500 employees
It's a constant battle because the more complex and difficult you make the password, the more people will write them down on a piece of paper. A company I once started with uses Workday for HR; they had a problem setting up my account and so they reset the password manually. This is Workday, so my bank accounts and their routing numbers are in there, as well as my emergency contacts and my address. I got an email from the help desk person who said they reset my password to the company name with one really common number letter substitution, like “123".

So of course I had to send an email to this help desk person explaining that while this password meets the complexity requirements of the company on the surface, that is not a secure password and that the first thing any decent hacker will do—even a kiddie scripter—is write a custom dictionary for their brute force attempt that includes common combinations of your company name and things about your company with 123 after it. The icing on the cake was that the system didn't even prompt you after they changed my password to reset it.
2 Replies
CISO in Software, 51 - 200 employees

So imagine all the people that didn't change the password.

2
CISO in Software, 201 - 500 employees

Yep.. scary stuff..

CISO, 201 - 500 employees
I once had a situation where the CFO of the company had a problem with the password rotation policy. Instead of changing the password every 90 days, he wanted to use a weird calculation, a random number. I asked why and he said, "I rotate my passwords and there is a sequence at the end. I remember the passwords because they coincide with the quarter." I laughed and explained that if somebody gets ahold of his password, they pretty much have his life plus his future password changes. Because you're constantly rotating the password, you think that you're flying below the radar but technically you're giving away your life.

When you come across those scenarios, you just have to chuckle and try to explain. And of course, we didn't really accommodate his recommendation. But his recommendation came in as, "Can you guys consider this while you're writing your policies?" Just because people are in high positions doesn't mean that they're thinking everything through.
1
Director of IT in Software, 201 - 500 employees
Not as much as in the past. Investing in cybersecurity trainings for employees make them more aware and acceptable of the need for more complex passwords.
Its still not a smooth ride but it’s getting better

Content you might like

Do you have policy and procedure governing electronic communications, including chat channels/mechanisms such as We Chat or WhatsApp and Text messages given DOJ guidance to include third party messaging apps as an area to regulate? Are employees forbidden from using unapproved electronic communications channels or are you providing corporate accounts? Do you offer training? Do you monitor communications and audit compliance? Do employees acknowledge compliance with approved communication channels? What is retention period on communications?

Collaboration SolutionsData PrivacyRegulatory Compliance
364 views

Does anyone have any guidance, tips, and/or templates to share to help establish Identity Access Management governance as a part of an overarching Identity Governance and Administration program?

Process ManagementIdentity & Access Management (IAM)
694 views

In terms of the overall level of risk associated with business data, where are organizations seeing the most risk today?

Security & GRC

Structured Business Data62%

Unstructured Business Data37%


529 PARTICIPANTS
1.9k views2 Upvotes

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
142 19 Replies
Read More Comments
42.6k views131 Upvotes319 Comments

Should entry-level cybersecurity jobs require a certification?

Security & GRCTalent Sourcing & HiringTraining & Certification

Yes, it helps establish credibility.34%

No, it's a barrier to entry.44%

It's nice to have, but doesn't need to be a requirement.21%

I'm not sure.0%


502 PARTICIPANTS
1.7k views