Anytime a system gets hacked the first thing we’re told to do is “change your password”. Following through with this advice is a smart move since it prevents stolen information from being used to gain access to users’ accounts. However, there is a challenge that arises in implementing this solution: the user.
While most large-scale security breaches come from external attacks, the users of a system can create large and devastating security vulnerabilities. These largely stem from how users follow your system’s password requirements and from their own bad habits in creating and managing their passwords.
The bad habits of your users can come back to haunt you, especially if they endanger your organization’s legal obligations. Recently, the US Department of Health and Human Services fined “New York Presbyterian Hospital and Columbia University Medical Center $4.8 million for the disclosure of nearly 7,000 medical records because of lax technical safeguards” (Boston Globe).
Weak passwords make hacking easier. Ask yourself, “Is not having a password policy worth being fined over?” No, it’s not. If your organization handles documents and information that need to be secured and stored electronically, then you should begin implementing a password policy.