The Password Policy Paradox

If recent security breaches are anything to go by, the idea that passwords are the root of all digital evil won’t fade away any time soon. From an enterprise perspective, resources within an organisation need to be restricted to authorised users, and for the same reason individuals’ passwords need to be verified and kept protected.

Most organisations have responded with a contrivance: implementing stronger password policies which, in the end, require employees to remember two or more passwords across application, network and infrastructure protocols, and which end up being stifling.

In fact, most employees find it cumbersome to remember two or more strong passwords, so the policy becomes skewed and results in network security lapses and more help desk requests to reset forgotten passwords. This, in my view, is the Password Policy Paradox: the claim that requiring too many strong passwords will reduce the overall security posture.

While there isn’t a one-size-fits-all approach to authentication, biometrics offer the strongest form of authentication, but they are quite pricey and out of reach for most organisations. Tokens are very effective too, and the financial services sector has been the largest adopter of that technology to date. Token-based systems are also very expensive to deploy, however, which leaves passwords as the most viable, common-denominator solution for most operations.

A password-based security scheme is the best option for most organisations, but there may be challenges in adopting it as the single strategy for securing the baseline and the perimeter. Passwords can be a burden for users who need to access business- and mission-critical data online. Striking a balance between end-user convenience and effective security and password policies is as crucial as ever: the seamless flow of data must be kept up even as the tide of major security breaches rises.

In developing password policies, it’s imperative to consider this paradox. A weak policy is inherently insecure, but an overly stringent policy will lead users to break the rules: practices like writing passwords on sticky notes or storing them in unprotected files become more common. Requiring too many passwords has a cascading negative effect on security.

There are solutions and strategies that can help mitigate the risks associated with a password-based authentication model and the adoption of weak passwords. In no particular order:

A Strong Password Policy: Implementing a stronger password policy is the most elementary route to increased security. In an ideal scenario the security flowchart would run as follows: the organisation establishes a stronger password policy, employees follow it, and corporate data is secured. As simple as it looks, the ideal scenario doesn’t work in practice. The single most important thing for an end user creating a password is to make it harder to guess yet easier to remember, which is easier said than done. A strong password is measured by its combination of letters, numbers and symbols. Users should be discouraged from using words found in a dictionary, since those fall to a dictionary attack.

Passwords should be at least six characters long and should not contain any personal information such as a child’s name, telephone number, home address, the user’s own name or date of birth, to mention but a few. A combination of letters, numbers and symbols works best. It’s also crucial to mix uppercase and lowercase letters to make passwords harder to crack.

Organisations must train their employees in several competencies to stay ahead of attackers and dispel the false sense of security prevalent in many organisations. Users must change their passwords once every three months, and organisations must adjust their authentication processes and systems to comply with the stronger password requirements.
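The rules above (minimum six characters, letters plus numbers plus symbols, mixed case, no dictionary words, no personal details) can be enforced at the point where a password is set. The checker below is an added example, not code from the original post; the wordlist and the user profile are constructed samples, and the profile keys (`username`, `child_name`, `phone`, `dob`) are assumptions.

```python
import re
from datetime import date

# Constructed mini wordlist standing in for a real dictionary / cracking list.
DICTIONARY = sorted({"password", "welcome", "dragon", "monkey", "letmein", "iloveyou"})

def personal_tokens(profile):
    """Strings guessable from a user's own details (constructed profile keys)."""
    tokens = set()
    for key in ("username", "first_name", "child_name"):
        if profile.get(key):
            tokens.add(profile[key].lower())
    if profile.get("phone"):
        digits = re.sub(r"\D", "", profile["phone"])
        tokens.update({digits, digits[-4:]})
    if profile.get("dob"):
        d = profile["dob"]
        tokens.update({d.strftime("%Y"), d.strftime("%d%m%Y"),
                       d.strftime("%m%d%Y"), d.strftime("%d%m%y")})
    return {t for t in tokens if len(t) >= 3}

def check_password(pw, profile, dictionary=DICTIONARY, min_length=6):
    """Return the policy rules the password violates; an empty list means it complies."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    low = pw.lower()
    hits = [w for w in dictionary if len(w) >= 4 and w in low]
    if hits:
        problems.append(f"contains dictionary word '{hits[0]}'")
    if any(tok in low for tok in personal_tokens(profile)):
        problems.append("contains personal information")
    return problems

# Constructed sample user; none of these values are real.
SAMPLE_PROFILE = {"username": "jsmith", "first_name": "John", "child_name": "Emma",
                  "phone": "555-0123-4567", "dob": date(1980, 4, 12)}

if __name__ == "__main__":
    for candidate in ("Emma1980!", "pass", "Welcome2024$", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "compliant")
```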

Password Synchronisation: This permits users to have a single password, subject to the existing security policies, that grants access to multiple machines, devices and systems. It can be used, for example, to synchronise passwords between a Windows-based system and a Linux system. The process is easier for users because only one password needs to be remembered, which creates a more secure environment. There is a downside to this strategy, however: the system will only be as secure as its most insecure application.

If, for instance, one application only allows a weak six-character password that is limited to letters (no numbers) and is not case sensitive, all the other applications in the stack become equally weak. Insecure systems shouldn’t be included in password synchronisation schemes, as they defeat the purpose of such strategies. In an enterprise environment the synchronised password must be stored and/or transmitted across the network, so the process itself must be secure. Password synchronisation can be an effective tool, but its effectiveness depends on the nature of the applications being synchronised and their internal security policies.
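The weakest-link effect can be made concrete by treating each application's password rules as a constraint and computing the keyspace left once a single password must satisfy all of them. This is an added example, not code from the original post; the three applications in `STACK` are constructed, and the 32-symbol count for punctuation is an assumption.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class AppPolicy:
    """Password constraints one application imposes (constructed fields)."""
    name: str
    max_length: int
    allow_digits: bool = True
    allow_symbols: bool = True
    case_sensitive: bool = True

def alphabet_size(p):
    """Distinct characters an attacker must try per position under policy p."""
    size = 52 if p.case_sensitive else 26      # letters, folded to one case if insensitive
    if p.allow_digits:
        size += 10
    if p.allow_symbols:
        size += 32                              # printable ASCII punctuation (assumed count)
    return size

def keyspace_bits(p, length):
    """log2 of the number of candidate passwords of the given length under p."""
    return min(length, p.max_length) * math.log2(alphabet_size(p))

def shared_policy(policies):
    """The intersection of constraints a single synchronised password must satisfy."""
    return AppPolicy(
        name="synchronised",
        max_length=min(p.max_length for p in policies),
        allow_digits=all(p.allow_digits for p in policies),
        allow_symbols=all(p.allow_symbols for p in policies),
        case_sensitive=all(p.case_sensitive for p in policies),
    )

def weakest_link(policies, length):
    """Name of the application whose rules leave the smallest keyspace."""
    return min(policies, key=lambda p: keyspace_bits(p, length)).name

# Constructed stack: two modern systems and the legacy application described in the text.
STACK = [
    AppPolicy("windows-ad", max_length=127),
    AppPolicy("linux-pam", max_length=64),
    AppPolicy("legacy-erp", max_length=6, allow_digits=False,
              allow_symbols=False, case_sensitive=False),
]

if __name__ == "__main__":
    for p in STACK + [shared_policy(STACK)]:
        print(f"{p.name:14s} {keyspace_bits(p, 12):6.1f} bits for a 12-character password")
    print("weakest link:", weakest_link(STACK, 12))
```

A 12-character password that would give roughly 79 bits on the Windows and Linux systems is cut to about 28 bits once the legacy application's rules apply to the shared password.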

Single Sign-On: SSO is an authentication process that allows users to log in just once to gain access to resources and files. It’s the same as the One Time Password. SSO is an additional layer that sits on top of all applications and web resources. The advantage of SSO is that users need to remember only one strong password. Single sign-on helps track users and identify duplicate accounts, but it can also pose risks, as SSO products often don’t integrate seamlessly with third-party systems.

Moving forward, the industry must move beyond the current password system, which is broken. Despite concerns about privacy and hacking, users and employees still choose weak passwords. As Ashley Vance of the New York Times succinctly puts it, “One out of five web users still decides to leave the digital equivalent of a key under a doormat; they choose a simple, easily guessed password like ‘abc123’, ‘iloveyou’ or even ‘password’ to protect their data.”

We keep as many passwords in our heads as we did a little over five years ago (ATM PINs, Internet passwords, voicemail passwords), and this can be very disconcerting. Instead of the one-size-fits-all approach that has been the norm since the advent of the Internet, advocating a flexible password policy tailored to mitigating risk could provide the momentum needed for our drive towards a holistic authentication process.
