Secure Your Account: G Suite Admins Can Request Stronger Passwords
Years ago, technology companies realized that people aren't very good at managing their passwords correctly, and they've been trying to find a way of solving the problem ever since. Many of them seem to think that the only way of doing it is to abolish passwords altogether.
As we all know, most smartphones and tablets now come with fingerprint readers, and face recognition is becoming ever more common. Biometrics isn't the only field under development. Microsoft recently announced that users can skip entering usernames and passwords and instead log in to their accounts with U2F devices. The war on passwords is raging, but are the Silicon Valley giants winning?
Not really. Although you can probably unlock your phone with your fingerprint, you still need to set up a PIN code or a password as a backup option. The same goes for virtually all alternative authentication methods. The password, for all its faults, is here to stay, and Google thinks that they can improve it by giving G Suite administrators a few more boxes to tick.
New settings are supposed to make people use stronger passwords
A couple of weeks ago, Google updated the G Suite administration dashboard and introduced a few new options in the Security > Password management section. Many organizations use G Suite applications, and the compromise of a single account can often have massive implications on the security of a whole lot of data. Ensuring that employees use strong passwords is extremely important, and the idea behind these new options is just that. But can they really achieve the desired effect? Let's take a closer look.
There is now a checkbox named "Enforce strong password". We'll gloss over the fact that "password" should be in its plural form, and we'll instead focus on what this setting does. If enabled, it prevents new accounts from being created with weak passwords. Existing users who don't have a strong password will also be forced to pick something more appropriate.
When they make changes to the settings, administrators can choose when the new password policy comes into effect. It can be enforced at the next login, which, for many organizations, means "tomorrow morning", or it can be implemented at the next password change. Speaking of changing passwords, another new feature lets administrators choose what sort of shelf life passwords will have. They can force users to change their passwords every 30 days, 60 days, 90 days, or annually.
The last new box G Suite administrators can tick stops users from changing their password to one that they've already used on Google's web apps. The idea is to stop people from rotating the same two or three passwords over and over again.
The overall goal is to make it easier for administrators to create good password policies that users can easily stick to. Unfortunately, as with many other things related to online security…
It's easier said than done
Trying to force users to use a strong password can backfire easily. If your password creation rules are too loose, people will just add "123!" to the name of their dog. At the same time, if you ask them to create and remember a 20-character password that contains all sorts of symbols, they will inevitably fail to do it and will spend every other morning going through the password reset procedure and ruining their productivity.
And while you can't argue with the fact that rotating the same passwords defeats the purpose of frequent password changes, some experts reckon that having passwords expire in the first place is completely unnecessary. They think that forcing people to change their passwords without any obvious reason is the equivalent of trying to fix something that isn't broken. They also say that it brings additional risks.
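To make the three controls discussed above concrete (a strength rule, a password expiration window, and a block on reusing previous passwords), here is an added Python sketch of how such a policy engine can be built. It is not Google's code and says nothing about how the G Suite console implements these settings internally; the policy values, the deny-list of common words, the "strip the trailing 123!" heuristic and the PBKDF2-based storage of password history are all assumptions made for the example. It also shows why a reuse check has to keep salted hashes of old passwords rather than the passwords themselves.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy knobs standing in for the admin-console controls; all values are constructed.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90            # 0 turns expiration off entirely
HISTORY_SIZE = 5             # previous passwords that may not be reused
PBKDF2_ROUNDS = 50_000

# Constructed deny-list; a real deployment would consult a breached-password corpus.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}
# "123!", "2024", "!" and similar suffixes people bolt onto a familiar word.
TRAILING_JUNK = re.compile(r"[0-9!@#$%]{1,4}$")


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked password history does not reveal old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def strength_problems(password: str, personal_words=()) -> list:
    """Reasons the password fails the strength rule; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    core = TRAILING_JUNK.sub("", lowered)          # dog's name + "123!" -> dog's name
    known = COMMON_WORDS | {w.lower() for w in personal_words}
    if lowered in known or core in known:
        problems.append("a known word with at most a predictable suffix")
    return problems


def new_account(password: str, today: date) -> dict:
    """Account record: current salt/hash, a bounded history of old ones, and a change date."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "history": [], "changed_on": today}


def is_reused(password: str, account: dict) -> bool:
    """True if the candidate equals the current password or any stored history entry."""
    candidates = [(account["salt"], account["hash"])] + account["history"]
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in candidates)


def is_expired(account: dict, today: date) -> bool:
    """Expiration check; MAX_AGE_DAYS == 0 models 'never expire'."""
    if MAX_AGE_DAYS == 0:
        return False
    return today - account["changed_on"] >= timedelta(days=MAX_AGE_DAYS)


def change_password(account: dict, new_password: str, today: date, personal_words=()) -> list:
    """Apply strength and reuse rules; returns the violations (empty list on success)."""
    problems = strength_problems(new_password, personal_words)
    if is_reused(new_password, account):
        problems.append(f"matches the current password or one of the last {HISTORY_SIZE}")
    if problems:
        return problems
    # Rotate: the current hash joins the history and the oldest entry falls off the end.
    account["history"] = ([(account["salt"], account["hash"])] + account["history"])[:HISTORY_SIZE]
    account["salt"] = os.urandom(16)
    account["hash"] = hash_password(new_password, account["salt"])
    account["changed_on"] = today
    return []


def demo() -> dict:
    """Walk one constructed account through the three controls and collect the outcomes."""
    acct = new_account("correct horse battery", date(2018, 9, 1))
    out = {}
    out["dog_plus_123"] = change_password(acct, "Rex123!", date(2018, 9, 2), personal_words=["Rex"])
    out["same_again"] = change_password(acct, "correct horse battery", date(2018, 9, 2))
    out["fresh"] = change_password(acct, "staple trombone oxygen", date(2018, 9, 2))
    out["old_one_blocked"] = is_reused("correct horse battery", acct)
    out["expired_day_89"] = is_expired(acct, date(2018, 11, 30))
    out["expired_day_90"] = is_expired(acct, date(2018, 12, 1))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The reuse check compares against stored hashes with constant-time comparison and keeps only a bounded history, so the "reuse" control never requires holding old passwords in clear. The expiration check is deliberately a separate, optional knob, which matches the disagreement in the text: an organization that sides with the experts quoted above simply sets `MAX_AGE_DAYS = 0` and keeps the other two controls.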
Ultimately, sysadmins are the only people that can decide whether they'll have a password expiration policy or not. What they must remember is that even if it works correctly, it won't be enough to ensure that users have good password hygiene. The only way to do that is to introduce dedicated tools like Cyclonis Password Manager that generate, organize, and store long, unique passwords.