Do you still experience pushback on implementing robust password policies at your organization?


CISO in Software, 201 - 500 employees
It's a constant battle because the more complex and difficult you make the password, the more people will write them down on a piece of paper. A company I once started with uses Workday for HR; they had a problem setting up my account and so they reset the password manually. This is Workday, so my bank accounts and their routing numbers are in there, as well as my emergency contacts and my address. I got an email from the help desk person who said they reset my password to the company name with one really common number-letter substitution, like “123”.

So of course I had to send an email to this help desk person explaining that while this password meets the complexity requirements of the company on the surface, that is not a secure password and that the first thing any decent hacker will do—even a kiddie scripter—is write a custom dictionary for their brute force attempt that includes common combinations of your company name and things about your company with 123 after it. The icing on the cake was that the system didn't even prompt you after they changed my password to reset it.
CISO in Software, 51 - 200 employees

So imagine all the people that didn't change the password.

CISO in Software, 201 - 500 employees

Yep... scary stuff.
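The two failure modes in the thread above, a reset password built from the company name plus "123" and a rotation scheme where only a trailing quarter counter changes, are exactly what a denylist-style policy check catches. The following is an added example (not code from the thread or from Workday); the organization word list and the sample passwords are constructed for illustration.

```python
import re
from typing import Optional

# Constructed denylist of organization-specific words (assumption: a real deployment
# loads the company name, product names and similar terms from its own configuration).
ORG_WORDS = ("acme", "acmecorp")

# Undo common digit/symbol substitutions so "Acm3C0rp" still matches "acmecorp".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Split a password into a stem and an optional trailing counter (digits, a year,
# or a quarter marker such as Q3), ignoring trailing punctuation.
TRAILING = re.compile(r"^(?P<stem>.*?)(?P<counter>q[1-4]|\d+)?[!@#$%^&*._-]*$",
                      re.IGNORECASE)

def normalize(text: str) -> str:
    return text.lower().translate(LEET)

def stem_of(password: str) -> str:
    """Everything before the trailing counter, with substitutions undone."""
    return normalize(TRAILING.match(password).group("stem"))

def contains_org_word(password: str) -> bool:
    """True when the password is built around a denylisted word, even if obfuscated."""
    haystacks = (normalize(password), stem_of(password))
    return any(word in hay for word in ORG_WORDS for hay in haystacks)

def shares_stem(candidate: str, previous: str) -> bool:
    """True when only the trailing counter or punctuation changed (Winter2023Q1 -> Winter2023Q2)."""
    return candidate != previous and stem_of(candidate) == stem_of(previous)

def check_password(candidate: str, previous: Optional[str] = None) -> list:
    """Return the list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if contains_org_word(candidate):
        problems.append("built from an organization-specific word")
    if previous is not None and shares_stem(candidate, previous):
        problems.append("differs from the previous password only by its trailing counter")
    return problems

if __name__ == "__main__":
    for pw, prev in (("Acm3C0rp2024!", None), ("Winter2023Q2", "Winter2023Q1"),
                     ("correct horse battery staple", None)):
        print(pw, "->", check_password(pw, prev) or "ok")
```

A check like this runs at password-set time, including help-desk resets, and pairs naturally with forcing a change on first login after any manual reset.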

CISO, 201 - 500 employees
I once had a situation where the CFO of the company had a problem with the password rotation policy. Instead of changing the password every 90 days, he wanted to use a weird calculation, a random number. I asked why and he said, "I rotate my passwords and there is a sequence at the end. I remember the passwords because they coincide with the quarter." I laughed and explained that if somebody gets ahold of his password, they pretty much have his life plus his future password changes. Because you're constantly rotating the password, you think that you're flying below the radar but technically you're giving away your life.

When you come across those scenarios, you just have to chuckle and try to explain. And of course, we didn't really accommodate his recommendation. But his recommendation came in as, "Can you guys consider this while you're writing your policies?" Just because people are in high positions doesn't mean that they're thinking everything through.
Director of IT in Software, 201 - 500 employees
Not as much as in the past. Investing in cybersecurity training for employees makes them more aware of, and more accepting of, the need for more complex passwords.
It's still not a smooth ride, but it's getting better.
