Should We Let Employees Create Their Own Passwords?

Of course, this seems like a ridiculous question. Your employees are adults, and they can take care of their own identities and security. Surely, there is no need for your IT security team or Help Desk to babysit them as they build their passwords…right?

However, this is not a rhetorical nor a truly unreasonable question. Your enterprise may not want your employees to generate their own passwords. Assigning them passwords instead might be a much better solution to your password management woes.

Why is this the case?

Passwords In the Identity Security Scene

Passwords remain a key component of the majority of enterprises’ identity security and access management policies. Many are slow to adopt multifactor authentication schemes into their cybersecurity platforms, despite experts proclaiming almost unanimously that multifactor authentication is a far more secure method of access management.

Additionally, even with the advent of multifactor authentication, passwords remain a crucial authentication factor. They are typically the “something the user knows” so often paired with the “something the user owns,” i.e. a hard token or a biometric factor like a fingerprint.

Of course, in the more common single factor authentication policy, users are only required to supply a username and password. The strength of this access management system thus depends entirely on how strong the passwords are and who knows them.

Therein lies the rub.

Password Strength is Inherently Faulty

Did you know there are actually users out there using “password1234”?

Most likely you did. Users’ continued reliance on simplistic passwords has been a well-advertised problem in identity security for many years. Weak passwords like “123456” and “qwerty” essentially lay out the welcome mat for hackers and insider threats. They are easily guessed or cracked, and even a low-privileged password in roguish hands can cause serious damage.

Here’s a similar question to which you may not know the answer: how many of your employees use passwords like that in your network?

This should, of course, provoke anxiety in your enterprise and among your security team. However, even a strong user-created password is not necessarily more secure than a weak one. Many users and employees repeat their passwords rather than create a new one for every account; most users have several dozen accounts to memorize, which can prove overwhelming. With the modern prevalence of enterprise data breaches, many passwords have ended up in hackers’ hands already. These are often employed in credential stuffing and similar cyber attacks, which can cause a cascade of future data breaches.

This doesn’t begin to explore the possible consequences of employees sharing their credentials with one another or, worse, writing them down on a piece of paper.

So what can your enterprise do?

Start Assigning Passwords

Again, this may seem tyrannical, but assigning employees their credentials rather than allowing them to create their own has many potential benefits:

  • No chance of employees repeating their passwords on your network.
  • Streamlined password recovery efforts, and an easier transition to self-service password recovery.
  • Assurance that all credentials follow identity security best practices in terms of composition and strength.
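As an added illustration (not code from the original article or any product it mentions), here is a Python sketch of an assignment routine that enforces the three properties above: every issued credential is drawn from a CSPRNG to a fixed entropy floor, screened against a blocklist, and checked for uniqueness across the network without storing the passwords themselves. The blocklist, alphabet, 60-bit floor and HMAC key are constructed assumptions for the example.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed sample data: a tiny blocklist standing in for a breached-/common-password feed.
BLOCKLIST = {"password1234", "123456", "qwerty"}
SYMBOLS = "!@#$%^&*-_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_BITS = 60  # assumed policy floor for entropy per assigned credential


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password; valid only for CSPRNG-generated strings."""
    return length * math.log2(alphabet_size)


def generate_candidate(length: int = 14) -> str:
    """Draw from the CSPRNG, rejection-sampling until every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


class PasswordAssigner:
    """Issues passwords that satisfy the policy and are unique across the directory.

    Only a keyed fingerprint of each issued password is retained, so the dedupe index
    is not a crackable hash list if it leaks."""

    def __init__(self, dedupe_key: bytes):
        self._key = dedupe_key
        self._issued: set[bytes] = set()

    def _fingerprint(self, pw: str) -> bytes:
        return hmac.new(self._key, pw.encode(), hashlib.sha256).digest()

    def is_acceptable(self, pw: str) -> bool:
        """Policy check: not on the blocklist, meets the entropy floor, never issued before."""
        if pw.lower() in BLOCKLIST:
            return False
        if entropy_bits(len(pw), len(ALPHABET)) < MIN_BITS:
            return False
        return self._fingerprint(pw) not in self._issued

    def assign(self, length: int = 14) -> str:
        """Generate candidates until one passes the policy, then record its fingerprint."""
        while True:
            pw = generate_candidate(length)
            if self.is_acceptable(pw):
                self._issued.add(self._fingerprint(pw))
                return pw
```

In a real deployment the blocklist would be a breached-password feed and the fingerprint index would live in the directory service, but the checks stay the same.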

Obviously, there are potential downsides to this system, such as generating employee resentment and provoking security workarounds; many won’t be used to this kind of system and, without security training, will fail to see the purpose of it. Additionally, assigned passwords can’t prevent issues like failing to follow the principle of least privilege, nor fix the inherent weakness of passwords compared to authentication factors like biometrics. At best, they can only strengthen the rather shaky single-factor authentication scheme.

To counteract this, your enterprise should consider incorporating your password assignment policy into an identity and access management or a biometric authentication solution. Only then can you rest easy, knowing your employees’ identities are safe from unscrupulous threat actors.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.