Robust Passcode Policy for Improved Workplace Security: A CISO Guide

    “I’m not a robot”. Sure, you’re not, and that confirmation security net is to catch spambots. Humans have a beautiful and dangerous thing—the mind! A mind that creates robots and AI and ML algorithms—beautiful. A mind that can also find a way to breach or steal data—dangerous.  

    Ross Ulbricht, the notorious mind behind the dark web marketplace Silk Road, was arrested in 2013 and is currently incarcerated in a US prison. Yet, since the end of 2017, over 555 million passwords have been shared on the dark web. That’s a tormenting number for CISOs across the world. 

    Passcode Policy from a CISO Perspective

    This blog intends to present the importance of passcode policy from a CISO perspective and the relevance Mobile Device Management (MDM) holds for the same.

    Impact of Poor or No Passcode Policy

    A report[1] amplifies the CISO ordeal: the average cost of a data breach in 2023 was USD 4.45 million, a 15% increase from 2020 and faster than the growth of many legitimate markets. And if the horror could possibly get worse, 86% of organizational data breaches are due to compromised or stolen credentials, according to research[2].

    Data is the new real estate, and cybercriminals are well aware of that. A survey[3] found that 52% of people use the same passcode across accounts. While individuals keep falling prey to hackers through passcode breaches, the extent of reputational and financial damage to organizations is severe. 

    No wonder CISOs and their cybersecurity teams are experiencing burnout. Securing information has become a daunting task in the ‘World Wide Web’ space.

    But does it imply that organizations give in? That’s not even an option, right? The only option is to fight! And fight CISOs must! Organizational information security and policies involve many vitals, and passcode or password policies are one of those vital pulses. 

    As a CISO, you must make the most of passcode policies to raise the security bar of your organization. 

    Here are a few ways to do so.

    Don’t Keep It Simple!

    While the keep-it-simple-stupid (KISS) principle applies to many dimensions of life, it certainly has no room in your passcode policies. Keeping obvious and vulnerable passwords puts devices and networks to the sword.

    Talking about numbers, a study[4] reads like a dream come true for cybercriminals and the worst nightmare for CISOs.

    • 31% use children’s birthdays or names as passwords (sorry, doesn’t make you a good parent!)
    • 34% use their partner’s or spouse’s birthdays or names as passwords (dumbest relationship goal ever!)
    • 37% use their employer name as passwords (is this loyalty? you’ve got to be kidding!)
    • 44% reuse personal account passwords at work (whatever happened to thinking capacity!)

    The focal point of any passcode policy must be to ensure that every password is unique, complex, and lengthy. Mixing up digits rather than using a series (like 1234) is a good place to start. Substituting numbers for certain letters helps too.

    As per analysis[5], a password that contains 12 characters or more is a staggering 62 trillion times tougher for cybercriminals to hack than one with 6 characters. And yes, the strongest password is one with 16 characters drawn from a set of 200.

    For instance, dogpersonsince1984 ticks the length box, but D0gP3rS0nS1nc39t3eN84 ticks the length, strength, and complexity boxes. The latter isn’t easy to hack by any means, and if passwords like that or d3AtHByCh0c0la8 too get compromised, maybe that hacker deserves to be a part of your security team. 

    Now that brings us to the stolen part. Let’s peek into that again via the report numbers (mentioned above[4]). 57% of employees write their passwords on sticky notes. 55% of them save passwords on their phones and 51% on computers. These numbers are subjective and hard to measure, and the behaviour behind them is largely beyond your control. As a CISO, ensuring employees avoid the KISS principle and keep passwords like 1Am4r0MOuT3r5PaC3 is what you can control.

    “Don’t KISS” has to be the thumb rule of any passcode policy.
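    As an added example (not from the original post or Scalefusion’s product), the following Python works through the arithmetic behind the 62-trillion figure above and applies the “Don’t KISS” rules to the sample passwords from this section. The character-class sizes and the 12-character, three-class thresholds are assumptions chosen to match the text, not any particular product’s policy.

```python
import math
import re

# Character classes a policy typically counts. Class sizes assume printable ASCII.
CLASSES = {
    "lower": (r"[a-z]", 26),
    "upper": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "symbol": (r"[^A-Za-z0-9]", 33),
}

def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length

def implied_alphabet(ratio: float, long_len: int, short_len: int) -> int:
    """Alphabet size N for which going from short_len to long_len multiplies
    the search space by `ratio`, i.e. solve N ** (long_len - short_len) == ratio."""
    return round(ratio ** (1 / (long_len - short_len)))

def classes_used(password: str) -> set:
    return {name for name, (pattern, _) in CLASSES.items() if re.search(pattern, password)}

def entropy_bits(password: str) -> float:
    """Upper-bound entropy: treats every position as uniform over the union of the
    classes present. Overstates real strength for name+year patterns like Amanda@123."""
    size = sum(CLASSES[c][1] for c in classes_used(password))
    return len(password) * math.log2(size) if size else 0.0

def check_policy(password: str, min_len: int = 12, min_classes: int = 3) -> list:
    """Return policy violations for the 'Don't KISS' rules; an empty list means compliant."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(classes_used(password)) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    # Reject ascending or descending digit series of four or more, e.g. 1234 or 9876.
    for run in re.findall(r"[0-9]{4,}", password):
        steps = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
        if steps <= {1} or steps <= {-1}:
            problems.append(f"contains the sequential digit run {run}")
            break
    return problems

if __name__ == "__main__":
    # 200 ** 6 is about 64 trillion, so the article's 62-trillion ratio between
    # 6- and 12-character passwords implies an alphabet of roughly 200 symbols.
    print(implied_alphabet(62e12, 12, 6), search_space(200, 6))
    for pw in ("dogpersonsince1984", "D0gP3rS0nS1nc39t3eN84", "Amanda@123", "user1234pass"):
        print(pw, round(entropy_bits(pw), 1), check_policy(pw) or "OK")
```

    The class-based entropy estimate is only an upper bound: dictionary words, names and years are far cheaper to guess than the bit count suggests, which is why the length and class checks exist alongside it.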

    If It’s Strong, Why Change?

    Many organizations have a passcode policy that requires changing passwords frequently. Is that a necessity? Well, you can do without frequent password changes when employees follow “Don’t KISS”. Strong and complex passwords, like some mentioned above, have very little or no chance of getting hacked. 

    Employees will generally shy away from strong and complex passwords if they need to remember a new one every now and then. That’s when weak passwords (like Amanda@123) creep into your network system. But enforcing a periodic password change is great for overall security posture and is harmless! Discretion is needed, though.

    If you’re missing out on MFA or multifactor authentication in your passcode policy, don’t wait any further; implement it right away. MFA helps keep accounts secure even when a password leaks, as users need to log in with some additional information or action rather than just a password. OTPs, once only a BFSI (banking and financial services) thing, are now commonplace.

    If e-commerce can go to such lengths to secure your account with an OTP, you can do your bit as well to secure your corporate data. FIDO authentication is another great option. MFA adds an additional layer of security to devices. Thus, even if the password is compromised, a hacker still needs one or more further factors of authentication to sneak in.

    Train People and Spread Awareness

    Some CISOs are just fine with employees having the organizational passcode policy somewhere in their unread mail or in some work folder that was last visited on the day of joining. That’s where the thin line between a good CISO and a great CISO lies. Great leaders of security teams know that passwords are the primary gateway to information access. Therefore, a CISO must keep training people and spreading awareness about the importance of passcode policies. 

    Employees should know the repercussions of non-compliance based on their role in the organization. Keep the repercussions as serious as hefty financial penalties or even suspension and subsequent termination when passcode policies are not adhered to after repeated training and warnings. 

    Sooner or later, there’s every chance of passcode policies becoming ZTP (zero-tolerance policy), just like other non-negotiable workplace offenses. Why wait for a data security disaster? Why not make it a ZTP today?

    Using an MDM solution helps you heighten device and network security. You can push your passcode policy across a diverse range of devices through MDM, irrespective of the device or OS type. MDM lets you send security alerts and notifications and allows you to keep track of login sessions. Your security team will be notified instantly if there are multiple failed login attempts on one of your MDM-enrolled devices. You can then investigate the matter and take the required action, including locking the device and wiping its data in case of loss or theft.

    Yes, You Can Keep A Secret

    There’s plenty to discuss with friends and family over some food and drinks. Passcode policy doesn’t fit in that discussion; in fact, it doesn’t fit in a discussion anywhere or with anyone. The only people a CISO should discuss passcode policies with are the IT team and direct authorities. 

    Mr. Hacker, Welcome Aboard

    You don’t have to be a cybercriminal to think like one. Foresight and innovation are marvelous traits for a CISO to possess. You can hire a professional ethical hacker on an annual contract and ask this good cyber actor to attempt to break into your device or network. This will strengthen your passcode policy, as you will become informed about any or all password-based loopholes in your organizational security. It will also keep you updated on how the bad actors prowl. You can then beat them at their own game!

    Embrace Passcode Policy with Scalefusion

    Capitalizing on a well-oiled passcode policy can consolidate organizational security. And as a CISO, that’s your KRA (key result area) right there. An MDM solution like Scalefusion can help enforce stringent passcode policies across managed device fleets. You can set parameters such as length, complexity, change interval, failed login attempts, and more.

    Time to raise your organizational security bar by reaching our experts for a free demo. Enjoy a 14-day free trial by signing up now!

    1. IBM
    2. Google Cloud – Threat Horizon
    3. Google / Harris Poll
    4. Keeper Security
    5. Scientific American

    Abhinandan Ghosh
    Abhinandan is a Senior Content Editor at Scalefusion who is an enthusiast of all things tech and loves culinary and musical expeditions. With more than a decade of experience, he believes in delivering consummate, insightful content to readers.
