Establishing a robust password policy

While passwords are intended to address the issue of authentication, they’re a source of considerable concern. We start with the problem of human nature. Insistence on complexity and uniqueness, along with regular changes, is typically considered among the best practices in establishing a password policy. But our natural inclination is to make things easy for ourselves; users typically set weak passwords because they’re easy to remember. Even worse, people tend to reuse the same easy-to-guess password, or variations on it, across multiple log-ins.

Complexity is the foundation of password security

It’s difficult to overestimate the importance of password complexity. A policy should set a character minimum, and also require the use of upper and lowercase letters, numbers, and special characters. Passwords should only be used once and checked against lists of known weak or compromised passwords. Passwords deemed unacceptable might include those obtained from previous breaches, recognizable “dictionary” words, repetitive or sequential letters or numbers, and context-specific passwords based on derivations of the username or service name.
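The policy described above can be expressed as a single acceptance check. The following is an added example, not code from the article or its author: it assumes a 12-character minimum (the article sets no number) and uses a small constructed list in place of a real breached-password corpus. It covers every class of unacceptable password the paragraph names: missing character classes, known weak or breached values (including a common word padded with digits and symbols), repeated or sequential characters, and passwords derived from the username or service name.

```python
"""Password acceptance check for the policy described above.

Added example, not the article's own code. Assumed: MIN_LENGTH = 12 and a
small inline KNOWN_WEAK set standing in for a real breach/dictionary list.
"""
import re

MIN_LENGTH = 12  # assumed policy minimum; the article gives no figure

# Constructed stand-in for a breached-/dictionary-password corpus.
KNOWN_WEAK = {
    "password", "password1", "letmein", "qwerty", "welcome", "iloveyou",
}


def has_repetition(pw: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times in a row ('aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by exactly
    one code point each ('abcd', '4321'), ignoring case."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def is_context_specific(pw: str, context: list[str]) -> bool:
    """True if the password contains the username or service name
    (forwards or reversed), ignoring case. Terms under 3 chars are skipped."""
    low = pw.lower()
    for term in context:
        t = term.lower()
        if len(t) >= 3 and (t in low or t[::-1] in low):
            return True
    return False


def check_password(pw: str, username: str = "", service: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    # Compare both the raw value and its letters-only base, so that
    # "Password123!" is still caught as the dictionary word "password".
    base = re.sub(r"[^a-z]", "", pw.lower())
    if pw.lower() in KNOWN_WEAK or base in KNOWN_WEAK:
        problems.append("appears in known-weak/breached list")
    if has_repetition(pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    if is_context_specific(pw, [username, service]):
        problems.append("derived from username or service name")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "Alice2024acme!", "xK9#mQ2$vL7!pR"):
        print(candidate, "->", check_password(candidate, "alice", "acme") or "accepted")
```

In a real deployment the `KNOWN_WEAK` set would be replaced by a large compromised-password list, and the check would run at password set time and again whenever the list is refreshed, so an existing password that later appears in a breach is flagged without waiting for an expiry date.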

Password expiry policies are detrimental to security

Many companies adhere to a policy mandating frequent password changes, with passwords commonly expiring after 90 days. However, this type of change policy is based on a threat model that no longer exists. Twenty years ago, it took hackers around 90 days to crack a password. Today, though, a hacker can crack an average to bad password in the cloud in a matter of seconds. Studies have found that users who are required to make frequent changes choose weaker and more repetitive passwords. Employees who are required to frequently change their passwords also resort to regrettable methods to remember them – like the post-it note affixed to the bottom of the monitor. Ironically, password change requirements are little more than a placebo, and actually increase the level of risk.

Moreover, the nature of the threat has changed, with password harvesting a greater risk than cracking. Cybercriminals have developed many methods for harvesting passwords: infecting computers with keystroke loggers, employing phishing websites, hacking text messages and more. If a password is compromised, the hacker will act in seconds. By the time the user gets around to changing the password, the damage has long been done. In May 2019, Microsoft itself validated the research on password expiry policies by discontinuing minimum and maximum password ages in the Security Baselines for Windows 10 and Windows Server build 1903.

Social engineering hacks are a significant threat

The vast majority of cyberattacks, somewhere north of 95% of all attacks, come in the form of social engineering hacks. In these types of attacks, the criminal depends on typical human behavior to gain access to information. They rely on trust or even simple error to gain access to information, including passwords. They can come through fake websites, phishing emails, fake transactions or faux IT support calls. The way to keep password information safe from these types of attacks is, first and foremost, to educate your workforce. Learning to identify and delete phishing emails unopened is a critical skill. Importantly, employees should be skeptical of any request for sensitive information. Never reveal passwords to anyone over the phone, and avoid clicking on links embedded in questionable emails. Remember, social media and the wealth of personal information it reveals is a tremendous boon to hackers. A look at your Facebook posts can reveal your spouse’s name, your pets’ names, your birthday… all information people often use to create passwords.


Creating a robust password and keeping it secure are two of the most significant steps in maintaining information security. Every company should implement a password policy that focuses on complexity and random alphanumeric combinations. While multifactor and biometric authentication are playing an increasingly important role in security, the password will continue to be the foundational element of security in the near to medium term.


About the Author

Dan is the man behind the scenes but if you’re a client of ours, you likely have spoken with him. Dan Tomaszewski is our V.P. of Application Support and has the enviable job of supporting our clients around the clock. With over 20 years of experience in the financial services industry, he has built a career on supporting traders and operational clients in optimizing post-trading infrastructures. Dan can help solve your most complex operational challenges through the implementation of a variety of post-trade solutions including trade reconciling, allocating, flow, clearing, and risk.