Passwords

A mentor at work directed me to a fascinating statistic in the 2017 Verizon Data Breach Investigations Report.  

Password security is something we rant about.  Over.  And OVER.

Yet we’re doing something wrong.  The report’s headline figure:  81% of hacking-related breaches leveraged stolen and/or weak passwords.  81%.

Let’s be clear:  This isn’t the number of passwords stolen, it is the share of hacking-related breaches in which a stolen or weak password was part of how the attacker got in.  Our practices are failing to secure our users’ passwords, and it is biting us in the ass.

And why?  Because we’re writing password policies instead of giving people a mental picture.  We’re teaching them that a password is a requirement to get past.

Teach them that passwords are keys.  Would you want a flimsy key for your Ferrari?  A basic key for your house?  Would you accept a key that most other people also have for your bank account?

Then teach them how to protect their keys.  Teach them the dangers of reuse: an attacker who obtains a password from one breached site will try it against every other account tied to the same email address, so one reused password is one key that opens them all.  Teach them length and complexity: what makes guessing impractical is the size of the search space, not the mere presence of a symbol, and a long passphrase beats a short “complex” string.  Teach them to use a password manager, and guide them in picking a good one.  Use breach notification services so they learn when a key has leaked.  Stop making them change passwords on a schedule if they follow good practices; NIST SP 800-63B (2017) dropped periodic rotation for exactly this reason, since it pushes people toward predictable increments.  We’re confusing and frustrating them.  We’re manufacturing FUD (fear, uncertainty, and doubt).
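Two of the points above, search-space size and breach checking, are easy to show in code. The example below is added here and is not from the original post. It models a brute-force attacker who knows only which character classes a password draws from (an upper bound on real attacker effort, since wordlists and rules come first), assumes a guess rate of 10^10 per second against a fast unsalted hash, and simulates the k-anonymity range lookup used by the Pwned Passwords service (client sends the first five hex characters of the SHA-1, server returns `SUFFIX:COUNT` lines) against a small breach corpus constructed for the example with made-up counts.

```python
import hashlib
import math
import string

# --- Part 1: how big is the key? -------------------------------------------
# Character classes used to estimate the search space a brute-force attacker
# must cover. Assumption: the attacker knows only which classes the password
# draws from, so the space is alphabet_size ** length. Real attackers try
# wordlists and mangling rules first, so this is an upper bound on their work.
# Characters outside these classes (e.g. non-ASCII) are ignored.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password."""
    return sum(
        len(chars)
        for chars in CHARACTER_CLASSES.values()
        if any(c in chars for c in password)
    )


def keyspace(password: str) -> int:
    """Number of candidates an attacker must try to exhaust the search space."""
    n = alphabet_size(password)
    return n ** len(password) if n else 0


def keyspace_bits(password: str) -> float:
    """The same search space expressed in bits (log2 of the candidate count)."""
    k = keyspace(password)
    return math.log2(k) if k else 0.0


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds for an attacker at the given rate to try every candidate."""
    return keyspace(password) / guesses_per_second


# --- Part 2: has this key already leaked? ----------------------------------
# Constructed breach corpus for the example. Counts are made up.
SAMPLE_BREACH_CORPUS = {
    "password": 3861493,
    "Ferrari1": 12,
    "correct horse battery staple": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def sample_range_response(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns every corpus hash sharing the 5-hex-char prefix as 'SUFFIX:COUNT'
    lines. The server side only ever sees the prefix, never the full hash,
    which is the k-anonymity property of the real service.
    """
    lines = []
    for pw, count in SAMPLE_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password: str, fetch_range=sample_range_response) -> int:
    """Client side of the range lookup: send the prefix, match the suffix locally.

    Returns how many times the password appears in the corpus, 0 if absent.
    Swap `fetch_range` for an HTTPS fetch of the real endpoint to go live.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    OFFLINE_GPU_RATE = 1e10  # assumed guesses/s against a fast unsalted hash
    for pw in ["Ferrari1", "correct horse battery staple", "password"]:
        days = seconds_to_exhaust(pw, OFFLINE_GPU_RATE) / 86400
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, "
              f"{days:.3g} days to exhaust, "
              f"seen {breach_count(pw)} times in the sample corpus")
```

The two numbers tell different stories on purpose: `password` has a respectable-looking 37 bits of class-based search space, yet the breach lookup finds it immediately, which is why a breached-password check belongs in the policy alongside any length rule.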

And when you make FUD, you fail at security.
