Password policies – How Well Do They Work?

Password policies – How Well Do They Work? - image Passwords on


Today’s blog topic is Password Policies. Almost every organization has a policy administering password configuration and change requirements. We will discuss how effective they are, or not, in preventing compromised credentials attacks.

Should you change your passwords frequently?

The upsurge in the online services, coupled with the focus on security, has created a need for an ever-increasing number of constantly changing passwords.

As if that is not difficult enough, passwords must be complex and conform to different organizations’ configuration requirements. It’s no wonder that IT Support groups must handle so many Password Reset Requests.

Most people have remote access to company systems, shop online, bank online and have numerous rewards programs. With so many accounts to maintain, password management has become a task as demanding and necessary as balancing a checkbook.

Everyone is trying to create their own mechanism for coping with the overload of passwords. As a result, people take shortcuts, the most common of which is using the same password for multiple accounts. The second most common shortcut is that people use a password change strategy known as “transformation.” Read more about password transformation later in the post.

The answer to the question in this section header is – MAYBE. You should definitely change a password if:

    1. You have reason to believe it has been compromised
    2. You realize the password is easy to crack
    3. You are using the same password on multiple sites

Acknowledgment: Graham Cluley, May 26, 2016


Should you should make it a common practice to change passwords frequently?

While some organizations enforce it as a best practice, there is a great deal of alternative opinion among experts. The disagreement stems from the view that people are known to take the shortcuts mentioned above. Microsoft, for example, requires a different password every 3 months and users cannot repeat the last 24 previous passwords.

Human Memory and Password Length

Choosing a longer password as a way to make stronger passwords does not always help. They can be more effective when combined with numbers and special characters, but may then be more difficult to remember. It has been observed that the humans work best with the “magical” number 7. That seems to be the easiest for people to remember while still enabling a level of complexity. Passwords that exceed 9 characters are more difficult for people to remember.

Password Selection and Memory Methods

  • Users may write passwords on sticky notes attached to their monitor, in the drawer or under the keyboard.
  • Users with numerous accounts reuse their password in multiple accounts so they do not have to remember a new one.
  • When changing passwords, users will often choose passwords that are similar to the previous password.
  • Adding Two-Factor Authentication can improve password security, but 2FA authentication is not perfect can be hacked.

Organization Password Policies Defeated

Most organizations have a password reset policy, typically every 60-90 days. They probably also have a password strength policy. The failure of these policies in this lies in human nature. If the organization is enforcing regular password resets, users tend to choose passwords that are similar to, that is; transformations of the previous password. These are examples of password transformations. The password “jackJAN” becomes “jackFEB,” then “jackMAR” and so on. It is common for people to do this because the passwords are easy to remember.

Password transformation compromises security in several ways.

  • If a previous version of the password has been compromised
  • Hackers have built algorithms specifically to crack transformed passwords
  • Transformed passwords are easy to crack using rainbow tables, or dictionary attacks

Researchers simulated online attacks using algorithms to crack transformations.

17 percent of the accounts were hacked in fewer than five attempts
41 percent of the changed passwords were cracked within three seconds
Acknowledgment: Schneier On Security, Aug 5, 2016


Some organizations generate “default” passwords. While these may be strong, they hold no meaning or relevance to the user, so they are hard to remember. When the frequent change policy is enforced on default passwords; it only compounds the difficulty for the user. Many resort to writing the password on a paper kept on their desk, or worse yet, they store it their e-mails or in a file on a local drive. Those “password memory” techniques create another kind of security risk that is hard to detect and even harder to mitigate.

As long as the burden of remembering passwords and creating passwords falls on the user, passwords will remain the weak link in the security chain.

If you use Two Factor Authentication (2FA) and think your credentials are safe from hackers, you are mistaken. The commonly used 2FA methods are – Hardware tokens, SMS-based tokens, Software based tokens, PKI-based and Grid-based authentication. We have observed numerous 2FA security incidents. Read more about 2FA vulnerabilities.

What Can Be Done?

We all need to recognize that hackers and security breaches are here to stay. There are no perfect security methods.

  • Organizations need to be aware that even though various password policies are enforced, users tend not to be cautious.
  • Organizations should understand the limitations of machine generated and user generated passwords and the predictable human behaviors with each type of password.
  • Remote user accounts and administrative accounts should be prioritized differently.
  • Protective monitoring should be implemented, and user account lockout should be incorporated and activated when needed.
  • Organizations must recognize that having a strong password policy and enforcing frequent changes, by itself, is not enough to prevent Account Takeover Attacks.
  • Individuals should change their passwords if they:
    • have reason to believe they have been compromised
    • realize the password is easy to crack
    • are using the same password on multiple sites


VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession.  Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.

Spread the word. Share this post!

Want to find out the two emerging compromised credential trends that could affect your exposure to risk? Contact us today.

Request Trial

Three ways to get in touch with us


We Accept Only Business Email Addresses – No Free or ISP Email Addresses

Please enter a business email address to obtain proper delivery of the product. If you do not have a business email address or experience any issues during the registration process, please send an email to

Start a Free Trial