404 Network Ninjas

Cybersecurity

Your Password Policy Is a Joke (And Hackers Know It)

By Nick Cappello
Your Password Policy Is a Joke (And Hackers Know It)

I want to tell you the boring truth about how most businesses actually get hacked, because it’s almost never the dramatic version. It’s not a genius exploiting some obscure flaw in your firewall at 3 a.m. It’s an employee’s password from a data breach at some website that has nothing to do with your business — a shopping site, an old forum, whatever — getting reused on their work email, and someone finding it in a leaked list and just… trying it.

That’s it. That’s the sophisticated cyberattack. Someone tried a password that already worked somewhere else.

“We have a password policy”

Sure you do. It probably says passwords need a capital letter, a number, and a special character, and gets changed every 90 days. Here’s what that policy actually produces in the real world: Summer2024! becomes Summer2024!! three months later. Everybody knows this. The policy exists to check a compliance box, not to stop anybody determined enough to try.

Complexity rules mostly just annoy your employees into predictable patterns. What actually stops account takeovers is much less clever than a rule about special characters: multi-factor authentication. A second step — a text code, an app confirmation, anything — so that a stolen password alone isn’t enough to get in.

“It’s annoying” isn’t a real objection

I hear this constantly, and I get it — nobody enjoys the extra six seconds. But compare that six seconds to the alternative: an actual breach, the cleanup, the client notifications, the possible compliance fallout if you’re in healthcare or finance, and the calls you have to make explaining what happened. Six seconds is not the inconvenience you think it is.

The other thing that actually works and gets ignored: a password manager. Not a shared spreadsheet with “Passwords” in the filename sitting on a shared drive — an actual password manager, so nobody’s reusing “the one password” across fourteen accounts because remembering unique ones is impossible without help. It’s not glamorous advice. It’s just correct.

If you’re not sure whether MFA is actually turned on everywhere it should be in your business — not “we think so,” but actually confirmed — that’s a fast, concrete thing worth checking this week. We do exactly this kind of audit for clients, and it’s usually a much smaller lift than people expect, for a genuinely large drop in risk.