{"id":3968,"date":"2018-11-15T16:18:58","date_gmt":"2018-11-15T20:18:58","guid":{"rendered":"https:\/\/solutionsreview.com\/identity-management\/?p=3968"},"modified":"2018-11-15T16:20:45","modified_gmt":"2018-11-15T20:20:45","slug":"let-employees-create-passwords","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/identity-management\/let-employees-create-passwords\/","title":{"rendered":"Should We Let Employees Create Their Own Passwords?"},"content":{"rendered":"

\"Should<\/p>\n

Of course, this seems like a ridiculous question. Your employees are adults, and they can take care of their own identities and security. Surely, there is no need for your IT security team or Help Desk to babysit them as they build their passwords…right? <\/span><\/p>\n

\t\t\t

\"Download<\/a><\/p>\n<\/div>\n\t\t<\/div><\/div><\/p>\n

However, this is not a rhetorical nor a truly unreasonable question. Your enterprise may not want your employees to generate their own passwords. Assigning them passwords<\/a> instead might be a much better solution to your password management woes. <\/span><\/p>\n

Why is this the case? <\/span><\/p>\n

Passwords In the Identity Security Scene<\/b><\/h3>\n

Passwords remain a key component of the majority of enterprises\u2019 identity security and access management policies. Many are slow to adopt multifactor authentication schemes into their cybersecurity platforms, despite experts proclaiming almost unanimously that multifactor authentication<\/a> is a far more secure method of access management. <\/span><\/p>\n

Additionally, even with the advent of multifactor authentication, passwords remain a crucial authentication factor. They are typically the \u201csomething the user knows\u201d so often paired with the \u201csomething the user owns\u201d i.e. a hard token or a biometric factor like a fingerprint. <\/span><\/p>\n

Of course, in the more common single factor authentication policy, users are only required to supply a username and password. The strength of this access management system thus depends entirely on how strong the passwords are and who knows them. <\/span><\/p>\n

Therein lies the rub. <\/span><\/p>\n

Password Strength is Inherently Faulty<\/b><\/h3>\n

Did you know there are actually users out there using \u201cpassword1234\u201d?<\/span><\/p>\n

Most likely you did. Users still employing simplistic passwords has been a well-advertised problem in identity security for many years. Weak passwords like \u201c123456\u201d and \u201cqwerty\u201d essentially lay out the welcome mat for hackers and insider threats. They are easily guessed or cracked, and even a low-privileged password in roguish hands can cause serious damage. <\/span><\/p>\n

Here\u2019s a similar question to which you may not know the answer: how many of your employees use passwords like that in your network? <\/span><\/p>\n

This should, of course, provoke anxiety in your enterprise and among your security team. However, even a strong user-created password is not necessarily more secure than a weak one. Many users and employees repeat their passwords rather than create a new one for every account; most users have several dozens accounts to memorize which can prove overwhelming. With the modern prevalence of enterprise data breaches, many passwords have ended up in hackers\u2019 hands already. These are often employed in credential stuffing and other similar cyber attacks, which can cause a cascade of future data breaches. <\/span><\/p>\n

This doesn\u2019t begin to explore the possible consequences of employees sharing their credentials with one another or worse writing down their credentials on a piece of paper. <\/span><\/p>\n

So what can your enterprise do? <\/span><\/p>\n

Start Assigning Passwords<\/b><\/h3>\n

Again, this may seem tyrannical, but assigning employees their credentials rather than allowing them to create their own has many potential benefits: <\/span><\/p>\n