A few problems
I'm as irritated by bad passwords as the next security person, but let's revisit a few parts of this article:
"An employee is likely using the same password for your internal systems as they are for Instagram."
How am I supposed to know that? Yes, they'd be prevented from using "password", but when they've decided in their life that "F9zna/zv00w" passes all the tests for passwords and they'll just use that for everything, the only way I'd know is if I tried to log in with that and any usernames or addresses I can guess. That's not all that nice. Of course, they can be told not to reuse passwords, but that won't necessarily stop them.
"According to OneLogin, 63 per cent of network administrators don’t require special characters or minimum length passwords. Numbers? 71 per cent don't require it. Upper and lowercase? 72 per cent."
That's a good po... Interesting fig... Well, you just quo...
Sorry, I can't pretend. I have no idea what these numbers mean. You tell me that 63% of admins don't require certain rules, which already sounds kind of weird, but then your next sentence says that 71% don't require it. Is "it" the same thing as covered in the last sentence? Why are the percentages eight percentage points different? Is this from a different source? Who? And the 72% don't require multiple cases? Meaning that either 29% or 37% require special characters but only 28% require multiple cases? And earlier, you told me that 75% of admins "don’t check employee passwords against password complexity algorithms." This implies that they don't check at all, but, in that case, a maximum of 25%, not 28%, 29%, or 37%, could require special characters or multiple cases. So I must be making some really stupid mistake, right? Please tell me what it is.
"And an amazing 63 per cent have not put password rotation policies in place. What are you doing people?"
Holding back my astonishment that, by these and previous numbers, at least 12% of admins rotate passwords but don't check them against any complexity algorithms at all: we don't rotate passwords all that frequently, because it means users will respond by decreasing the security of their passwords so that frequent rememorization is easier. Yes, we have complexity rules here. But once you've met those limits, you can have a more secure or less secure password. If we make them choose a new one every month, the number of users using a very strong password approaches zero. This isn't new. This has been the recommendation of many security advisors for the past few years. It has been reported here. That's what we're doing.
For the record, my complexity recommendation is designed to maximize entropy. If you go for a short password (minimum length 10 characters, or 12 if I'm nervous, the system's important, or the users are willing to be reasonable), you have to use all four types of characters. If you make the password longer, the requirement for different characters is relaxed as the length increases. And passwords are checked against password lists.
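As an added illustration, not part of the original comment or the article it replies to, here is a small Python checker of the kind the policy above describes: a minimum length, a character-class requirement that relaxes as the password gets longer, and a lookup against a blocked-password list. The exact schedule (all four classes at the minimum length, one class fewer for every four extra characters, never below one), the 10-character default, the denylist entries and the naive entropy estimate are assumptions made for this example, not the commenter's actual rules.

```python
import math
import string

# Constructed denylist standing in for a real breached-password list.
# A deployment would load a large file; a handful of entries is enough here.
BLOCKED_PASSWORDS = {
    "password", "password1", "qwerty123456", "letmein123",
    "correct horse battery staple",   # long and well known, so still blocked
}

# The "four types of characters" from the policy.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes the password actually draws from."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def required_classes(length, min_length):
    """Assumed sliding scale: all four classes at the minimum length,
    one class fewer for every four extra characters, never fewer than one."""
    extra = max(0, length - min_length)
    return max(1, 4 - extra // 4)


def naive_entropy_bits(password):
    """Crude upper bound: length * log2(size of the alphabet in use).
    Characters outside the four classes (spaces, non-ASCII) are not counted,
    and dictionary structure is ignored, so real entropy is lower."""
    alphabet = sum(len(CHAR_CLASSES[n]) for n in classes_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password, min_length=10, blocked=BLOCKED_PASSWORDS):
    """Return (accepted, reason). The list check runs before the class rule
    so that a long, well-mixed but published password is still rejected."""
    if len(password) < min_length:
        return False, f"shorter than the minimum length of {min_length}"
    if password.lower() in blocked:
        return False, "appears in the blocked-password list"
    need = required_classes(len(password), min_length)
    have = len(classes_used(password))
    if have < need:
        return False, (f"needs {need} character classes at length "
                       f"{len(password)}, has {have}")
    return True, "ok"


if __name__ == "__main__":
    samples = ["F9zna/zv00w", "passwordpassword",
               "correct horse battery staple", "stapler ate my horse quietly"]
    for pw in samples:
        ok, why = check_password(pw)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} ({why}), "
              f"~{naive_entropy_bits(pw):.0f} bits by the naive estimate")
```

Raising `min_length` to 12 for a sensitive system rejects the 11-character example from the comment above on length alone, before any class or list check runs, which is the ordering you want: the cheapest test first, and the list lookup before the class rule so a known-breached passphrase cannot pass on length.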