Four ways to make users love password security

When employees find their organization's standard security measures cumbersome and annoying, the risk of insider-driven incidents rises significantly. For example, a recent Gartner report found that 69% of employees regularly ignore their organization's cybersecurity guidance. This does not mean that such individuals deliberately create security risks to spite management. More often, they simply want to do their job without unnecessary distractions and see security measures as needless, time-consuming hassles.

Can cybersecurity inherently be combined with a pleasant user experience? 

Passwords are a prime example of the clash between cybersecurity and user experience. The average office worker might have up to 190 different login and password combinations. Naturally, remembering such an overwhelming number and matching them in one's mind to the required services is practically impossible.

61% of employees admit to reusing passwords as a way to cope with this situation. At the same time, most of them are well aware that this can have dire consequences for the company's security. So how can IT departments improve password security in their organizations, knowing that users are already burdened by endless digital defense measures and have long prioritized convenience and speed, consciously sacrificing security?

Although many tech giants are currently actively promoting passwordless access technologies, eliminating passwords is unfortunately not yet a viable option for most organizations. That is why it is extremely important to choose the most effective security methods that can simultaneously provide a pleasant user experience. Below, we will explore four of the best ways to engage end-users in more responsible password use, in a way that they might even enjoy.

Key phrases for creating strong and memorable passwords

Attackers often use brute force: trying many candidate passwords in quick succession against a specific account, or offline against a stolen hash. They usually combine this with dictionaries of known weak passwords, including predictable patterns such as keyboard walks ("qwerty") and number sequences ("123456") that users commonly pick. Shorter and less complex passwords fall to this kind of attack much faster, so the standard advice is to create longer passwords with a certain level of complexity.

Of course, such requirements are a headache for users, who now need to remember a multitude of long and complex passwords, ideally consisting of 15 characters and above. One way to simplify this task is to suggest using key phrases instead of traditional passwords.

A key phrase (often called a passphrase) is three or more random words strung together, for example "Pig-Lion-Window-Night." At first glance such a password may look simple and insecure, yet it is 21 characters long and contains separators and capital letters, which already puts a character-by-character brute force attack out of reach. An attacker who knows the scheme will instead guess combinations of words, so what really matters is that the words are picked at random from a large list rather than chosen by the user: four truly random words from a list of a few thousand give roughly 50 bits of entropy, and adding a fifth or sixth word, or a few digits and symbols, pushes offline guessing into the realm of centuries. The main thing is to use words unrelated to the company's activities or to the personal details of the specific user, and never to reuse the phrase elsewhere, since a brute force resistant password still falls to phishing and credential reuse.

Overall, key phrases are an excellent way for end users to create longer and stronger passwords without increasing their cognitive load.
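To make the entropy argument above concrete, here is an added example (not code from the original article or from any product it mentions) that generates a key phrase with a cryptographic random source and estimates how long an offline attacker who knows the scheme would need. The word list is a constructed sample; a real deployment would use a large published list such as the EFF long list (7,776 words), and the guess rate is an assumed figure, not a measurement.

```python
import math
import secrets

# Constructed sample word list for the example. Entropy comes from the SIZE
# of the list the words are drawn from, so a real deployment should use a
# large published list (e.g. the 7,776-word EFF long list), not this one.
SAMPLE_WORDS = [
    "pig", "lion", "window", "night", "river", "candle", "marble", "orbit",
    "velvet", "copper", "harbor", "meadow", "saddle", "tulip", "walnut", "zebra",
]


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random using a CSPRNG and join them.

    Capitalisation is a fixed rule applied to every word, so it is purely
    cosmetic and adds no entropy; it is therefore not counted below.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(words) < 2:
        raise ValueError("word list is too small to provide any entropy")
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    return separator.join(chosen)


def passphrase_entropy_bits(list_size, count):
    """Entropy in bits of `count` words drawn uniformly from `list_size` words."""
    return count * math.log2(list_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an attacker who knows the scheme and word list.

    On average the attacker finds the phrase after searching half the space.
    """
    return (2.0 ** (bits - 1)) / guesses_per_second


def crack_time_years(list_size, count, guesses_per_second=1e10):
    """Convenience wrapper; 1e10 guesses/s is an ASSUMED rate standing in for a
    GPU rig attacking a fast, unsalted hash such as NTLM."""
    bits = passphrase_entropy_bits(list_size, count)
    return expected_crack_seconds(bits, guesses_per_second) / (365.25 * 24 * 3600)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, count=4)
    print("sample phrase:", phrase)
    for words in (4, 5, 6):
        bits = passphrase_entropy_bits(7776, words)
        print(f"{words} words from 7776: {bits:.1f} bits, "
              f"~{crack_time_years(7776, words):.2g} years at 1e10 guesses/s")
```

The numbers are the practitioner's caveat: four words from a 7,776-word list (about 52 bits) survive any online attack but fall in roughly two days to an attacker with a fast unsalted hash and the assumed guess rate; six words (about 78 bits) take hundreds of thousands of years. Pair the passphrase policy with slow hashing (bcrypt, scrypt or Argon2) on every system you control, and ask for five or six words where the hash is out of your hands.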

Recommendations and feedback

Asking an employee to create a new password often makes them feel as if all their basic knowledge has deserted them, and the prompt turns into a drawn-out guessing game. "What password can I invent that is both convenient and secure?" the user wonders.

It is very important to be in touch with colleagues during such a difficult moment: to give clear recommendations and answer questions. No one should feel as if they are left to their own devices when taking steps directly affecting the security of the entire organization. Ideally, of course, an exhaustive memo with all recommendations and examples should be created so that the password creation process is quick and painless. But even such memos often do not cover all the needs and questions of users.

Providing dynamic feedback while the password is being created is both a learning opportunity for the user and an instant check against the security policy. When the password dialog itself tells employees in real time whether the new password complies with company policy, and if not, exactly which rule it fails, they can correct it on the spot instead of opening a ticket with IT. Good feedback names the failing rule (too short, contains the username, appears on a breach list) without echoing the rejected password anywhere it could be logged.

Password expiry based on its length

No one likes having their work interrupted by yet another forced change of a work password. Sometimes that moment comes far too soon and irritates even the most conscientious employees who take security seriously. On the other hand, a password that never expires and is never screened against leaked credential lists is a standing invitation to attackers. Current guidance such as NIST SP 800-63B no longer recommends rotation on a fixed calendar alone, but forces a change as soon as compromise is suspected; in practice, many organizations still rely on regular expiry, especially where they cannot detect compromise any other way.

But why not turn a potentially negative user experience associated with the forced change of a password into a promising opportunity?

Password expiry tied to length gives end users a choice. They can create a shorter password that only just meets the organization's requirements, but then they will have to replace it again after, for example, 90 days. Or they can make the password longer and not revisit the question for much longer, for example 180 days.

Instead of every employee facing a forced reset every 90 days, a validity period that grows with password length rewards users who choose longer and therefore safer passwords. It is a sound compromise between security and ease of use, and it only works alongside the compromised-password monitoring described below, since a long password still needs to be replaced the moment it leaks.
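The two ideas above, real-time feedback during password creation and an expiry that depends on length, fit naturally in one policy check, so here is an added example (not code from the original article or from any product it mentions) that evaluates a candidate password, returns the reasons it fails in user-facing wording, and assigns a validity period by length. The length thresholds, validity periods and the banned-word list are assumed values for illustration, not any organization's actual policy.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# ASSUMED policy values for the example: a minimum length, and validity
# periods that grow with length (longest tier listed first).
MIN_LENGTH = 12
EXPIRY_BY_LENGTH = [
    (20, 365),   # 20+ characters: one year
    (16, 180),   # 16-19 characters: six months
    (12, 90),    # 12-15 characters: three months
]

# Constructed stand-in for a list of common or leaked strings.
BANNED_STRINGS = sorted({"password", "qwerty", "123456", "letmein", "welcome1"})


@dataclass
class PolicyResult:
    accepted: bool
    expiry_days: Optional[int]
    feedback: List[str] = field(default_factory=list)


def expiry_for_length(length):
    """Return the validity period for a password of this length, or None."""
    for min_len, days in EXPIRY_BY_LENGTH:
        if length >= min_len:
            return days
    return None


def has_long_run(password, limit=3):
    """True if any character repeats more than `limit` times in a row."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > limit:
            return True
    return False


def evaluate_password(password, username=""):
    """Check a candidate password and explain every failing rule.

    Feedback names the rule, never the password itself, so it is safe to show
    in a dialog or write to an audit log.
    """
    feedback = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        feedback.append(
            f"Too short: {len(password)} characters, at least {MIN_LENGTH} "
            "are required. Try a phrase of several unrelated words."
        )
    if username and username.lower() in lowered:
        feedback.append("Contains your username, which attackers try first.")
    for word in BANNED_STRINGS:
        if word in lowered:
            feedback.append(f"Contains the commonly leaked string '{word}'.")
    if has_long_run(password):
        feedback.append("Contains four or more identical characters in a row.")

    if feedback:
        return PolicyResult(accepted=False, expiry_days=None, feedback=feedback)

    days = expiry_for_length(len(password))
    feedback.append(
        f"Accepted. This password is valid for {days} days; "
        "a longer one would stay valid for longer."
    )
    return PolicyResult(accepted=True, expiry_days=days, feedback=feedback)


if __name__ == "__main__":
    for candidate in ("Pig-Lion-Window-Night", "Summer2024!!", "alicePassword1"):
        result = evaluate_password(candidate, username="alice")
        print(candidate, "->", result.accepted, result.expiry_days)
        for line in result.feedback:
            print("   ", line)
```

Running the check in the same place the user types the password (a self-service portal, a password manager's generator dialog, or a password filter on the directory) is what turns a rejection into a teaching moment; the same function can also be called from a helpdesk tool when IT is asked to explain a refusal.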

Continuous monitoring of compromised passwords

The methods discussed so far are quite effective at helping end users create stronger passwords and at giving them more transparency into, and a better understanding of, their organization's security policy. However, even strong passwords can be compromised, and it is impossible to be completely sure that employees are not using the same password to authenticate to several services at once. That is why an organization needs a way to detect compromised passwords promptly and close off the resulting attack paths quickly.

Many security products can periodically check user passwords against lists of leaked credentials, but a check that runs only on a schedule leaves a window between the leak and the next scan. The better option is a solution that checks continuously: at every password change and login, and again whenever the breach corpus is updated, notifying the administrator immediately or even resetting the affected password automatically so that attackers get no time to exploit it. Two practical caveats: a properly salted and hashed password store cannot be compared against a leak list after the fact, so the check has to happen where the plaintext is available (at set or login time) or against a directory's unsalted hashes such as NTLM in Active Directory; and the check should be done with a k-anonymity lookup so the password itself never leaves your infrastructure. The information security market is diverse enough that finding a product with this functionality should not be difficult.
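The k-anonymity lookup mentioned above is the technique popularised by the Have I Been Pwned "Pwned Passwords" range API: the client sends only the first five hex characters of the SHA-1 hash, receives every suffix the corpus holds under that prefix, and does the final match locally. The following added example (not code from the original article or from any product it mentions) implements both halves offline. The leaked-password corpus, its occurrence counts and the in-process "server" are constructed stand-ins; in production the lookup function would be an HTTPS GET against the real range endpoint.

```python
import hashlib
from collections import defaultdict

# Constructed corpus standing in for the hundreds of millions of leaked
# passwords a real breach dataset holds; counts are made up for the example.
LEAKED = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "qwerty": 4_000_000,
    "letmein": 500_000,
    "Summer2024!": 1_200,
}

PREFIX_LEN = 5  # the range API keys on the first 5 hex chars of SHA-1


def sha1_hex(password):
    """Uppercase hex SHA-1, the format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Server side: group hash suffixes under their 5-character prefix."""
    index = defaultdict(list)
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append(f"{digest[PREFIX_LEN:]}:{count}")
    return index


def fake_range_lookup(index, prefix):
    """Stand-in for GET /range/{prefix}; returns 'SUFFIX:COUNT' lines."""
    return "\r\n".join(index.get(prefix, []))


def leaked_count(password, lookup):
    """Client side: reveal only the prefix, match the suffix locally.

    `lookup(prefix)` must return the response body for that prefix.
    Returns how many times the password appears in the corpus (0 = not seen).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def screen_password(password, lookup, threshold=1):
    """Decision for a password change or login: reject if seen >= threshold."""
    count = leaked_count(password, lookup)
    if count >= threshold:
        return False, f"rejected: this password appears {count} times in known breaches"
    return True, "ok: not found in known breaches"


if __name__ == "__main__":
    index = build_range_index(LEAKED)
    lookup = lambda prefix: fake_range_lookup(index, prefix)
    for candidate in ("password", "Summer2024!", "Pig-Lion-Window-Night"):
        ok, reason = screen_password(candidate, lookup)
        print(f"{candidate!r}: {reason}")
```

Hooking `screen_password` into the set-password path and the login path is what makes the monitoring continuous rather than scheduled, and because only five hex characters ever leave the client, the check is safe to perform against a third-party corpus. For the real service, the request can also carry the `Add-Padding: true` header so that response sizes do not reveal how many suffixes a prefix holds.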

Conclusion

Passwords do not have to provoke indignation and irritation. As the sections above show, with the right approach to the interaction between the IT department and users, most of the friction disappears.

Passwork addresses the issues described above: it helps organize the storage of and access to passwords, making the process more manageable and secure. Key phrases, feedback during password creation, length-dependent expiry and continuous scanning for compromised passwords are practical measures that can significantly improve the security of any organization.