Do you still experience pushback on implementing robust password policies at your organization?

Director of IT in Software, 4 years ago

Not as much as in the past. Investing in cybersecurity training for employees makes them more aware of, and more accepting of, the need for more complex passwords.
It's still not a smooth ride, but it's getting better.

CISO, 4 years ago

I once had a situation where the CFO of the company had a problem with the password rotation policy. Instead of changing the password every 90 days, he wanted to use a weird calculation, a random number. I asked why and he said, "I rotate my passwords and there is a sequence at the end. I remember the passwords because they coincide with the quarter." I laughed and explained that if somebody gets ahold of his password, they pretty much have his life plus his future password changes. Because you're constantly rotating the password, you think that you're flying below the radar but technically you're giving away your life.

When you come across those scenarios, you just have to chuckle and try to explain. And of course, we didn't really accommodate his recommendation. But his recommendation came in as, "Can you guys consider this while you're writing your policies?" Just because people are in high positions doesn't mean that they're thinking everything through.

CISO in Software, 4 years ago

It's a constant battle because the more complex and difficult you make the password, the more people will write them down on a piece of paper. A company I once started with uses Workday for HR; they had a problem setting up my account and so they reset the password manually. This is Workday, so my bank accounts and their routing numbers are in there, as well as my emergency contacts and my address. I got an email from the help desk person who said they reset my password to the company name with one really common number-letter substitution, like “123”.

So of course I had to send an email to this help desk person explaining that while this password meets the complexity requirements of the company on the surface, that is not a secure password and that the first thing any decent hacker will do—even a kiddie scripter—is write a custom dictionary for their brute force attempt that includes common combinations of your company name and things about your company with 123 after it. The icing on the cake was that the system didn't even prompt you after they changed my password to reset it.

2 Replies
no title, 4 years ago

So imagine all the people that didn't change the password.

no title, 4 years ago

Yep... scary stuff...
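The two weaknesses raised in this thread (a company-name-plus-digits reset password that satisfies the complexity rules, and a rotation scheme that only bumps a trailing sequence) can both be rejected at password-set time rather than left to a complexity counter. The following is an added example, not code from the original discussion or from Workday; the company name terms, length threshold and substitution table are assumptions:

```python
import re
from typing import Optional

# Constructed policy inputs (assumptions, not from the thread): the
# organisation's name variants that must not form the core of a password.
COMPANY_TERMS = ("acme", "acmecorp")

# Undo the common letter/number swaps so "@cm3" normalises to "acme".
_DELEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                         "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(text: str) -> str:
    """Lower-case and reverse simple character substitutions."""
    return text.lower().translate(_DELEET)


def derived_from_company(pw: str, terms=COMPANY_TERMS) -> bool:
    """True for the 'CompanyName123' pattern: a company term (with or
    without substitutions) followed only by a short run of digits/symbols."""
    for term in terms:
        head, tail = pw[:len(term)], pw[len(term):]
        if normalise(head) == term and re.fullmatch(r"[^A-Za-z]{0,6}", tail):
            return True
    return False


def trivial_rotation(old: str, new: str) -> bool:
    """True if only the trailing digits/symbols changed between rotations,
    e.g. 'Budget2024Q1' -> 'Budget2024Q2' (the quarter-sequence scheme)."""
    stem = lambda s: re.sub(r"[^a-z]+$", "", s.lower())
    return old.lower() != new.lower() and stem(old) == stem(new)


def check_password(new: str, old: Optional[str] = None, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means accepted.
    Character-class complexity is deliberately not a criterion here."""
    problems = []
    if len(new) < min_len:
        problems.append("too short")
    if derived_from_company(new):
        problems.append("derived from company name")
    if old is not None:
        if old.lower() == new.lower():
            problems.append("same as previous password")
        elif trivial_rotation(old, new):
            problems.append("only the trailing sequence changed")
    return problems
```

In practice the previous password is only available as a hash, so the rotation check is applied by asking the user for the old password during the change flow, as most self-service reset pages already do.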
