What would security controls look like that enforce poor cyber hygiene?
Control ID: ID-10T
Control Name: Promotion of Ineffective Password Practices
Control Family: Identification and Authentication (Organizational Users)
Control Statement:
The organization shall ensure that all users:
- Select passwords that are short, simple, and easy to remember, ideally consisting of common words, names of pets, or the current season and year (e.g., Password2025).
- Use the same password for every system, application, and online service to promote consistency and ease of recall.
- Record passwords on sticky notes and place them in highly visible locations near their workstations for quick access.
- Share passwords freely with coworkers, supervisors, contractors, and visiting dignitaries to promote teamwork and collaboration.
- Disable any multi-factor authentication systems that create needless barriers to productivity.
- Ignore prompts to change passwords, as this disrupts workflow and increases the risk of forgetting them.
- Store password spreadsheets on shared drives with names like passwords.xlsx to ensure everyone has what they need, when they need it.
Control Enhancements:
- (1) Encourage the use of default manufacturer credentials (e.g., admin/admin) and ensure they are never changed to preserve hardware documentation integrity.
- (2) Implement a company-wide password policy that explicitly discourages the use of password managers, citing overreliance on technology as a security risk.
- (3) Enforce password rotation policies every 3 days, requiring users to add a new number to the end each time.
Supplemental Guidance:
This control is designed to ensure that passwords remain user-friendly and that security does not interfere with the organization's most important priority: speed. Complexity, secrecy, and layered defenses only serve to frustrate users and should be avoided wherever possible.
Control Baseline Justification:
Applicable across all systems. Highly recommended for organizations with a strong commitment to trust, transparency, and breach notifications.
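Read in reverse, the control is a checklist of password anti-patterns a real policy has to reject. The following is an added example, not part of the original post: a screening function that refuses exactly what ID-10T promotes (a common word with a suffix bolted on, season plus year like Password2025 or Winter2025, default manufacturer credentials, and a "rotation" that only bumps the trailing number). The blocklist and default-credential table are small constructed samples for illustration; a production deployment would swap in a breached-password corpus.

```python
import re

# Constructed sample blocklist (a real one is a breached-password corpus).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin",
                "fluffy", "buddy"}
# Constructed sample of default manufacturer credentials (username, password).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
SEASONS = ("spring", "summer", "autumn", "fall", "winter")

_SEASON_YEAR = re.compile(r"(" + "|".join(SEASONS) + r")(19|20)\d{2}[!@#$.]*")
_TRAILING_SUFFIX = re.compile(r"[\d!@#$%^&*._-]+$")
_BASE_AND_NUMBER = re.compile(r"(.*?)(\d+)")


def check_password(username, password, previous=None,
                   blocklist=COMMON_WORDS, min_length=12):
    """Return the list of reasons a password violates a sane policy.

    An empty list means the password passed every check. The checks invert
    the anti-patterns in control ID-10T: short, dictionary word plus suffix,
    season+year, default credential, username inside the password, and a
    rotation that keeps the old base and only changes the trailing number.
    """
    reasons = []
    lower = password.lower()
    user = username.lower()

    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)

    if (user, lower) in DEFAULT_CREDS:
        reasons.append("default manufacturer credential")

    # Strip digits/punctuation glued to the end so "Password2025!" -> "password".
    base = _TRAILING_SUFFIX.sub("", lower)
    if base in blocklist:
        reasons.append("common word '%s' with trailing suffix" % base)

    if _SEASON_YEAR.fullmatch(lower):
        reasons.append("season + year pattern")

    if user and user in lower:
        reasons.append("contains username")

    if previous is not None:
        prev = previous.lower()
        pm = _BASE_AND_NUMBER.fullmatch(prev)
        cm = _BASE_AND_NUMBER.fullmatch(lower)
        if prev == lower:
            reasons.append("reused previous password")
        elif pm and cm and pm.group(1) == cm.group(1):
            reasons.append("same base as previous password, only the "
                           "trailing number changed")
        elif lower.startswith(prev):
            reasons.append("previous password with characters appended")

    return reasons


if __name__ == "__main__":
    samples = [
        ("jdoe", "Password2025", None),
        ("admin", "admin", None),
        ("jdoe", "Winter2025!", None),
        ("jdoe", "Fluffy7", "Fluffy6"),
        ("jdoe", "correct-horse-battery-staple", None),
    ]
    for user, pw, prev in samples:
        verdict = check_password(user, pw, prev) or ["OK"]
        print("%-30s %s" % (pw, "; ".join(verdict)))
```

The rotation check is the one most teams forget: comparing the new password against the old one's base catches the enhancement (3) behaviour (Fluffy6 to Fluffy7) that a plain "must differ from the last N passwords" rule waves through.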