A COMPLIANT PASSWORD CONCEPT

63% of data breaches are caused by password problems

Password protection

According to an IDC whitepaper, 63% of data breaches are caused by password problems. This shows a strong need for compliant password processes!

What is meant by a compliant password process?

Large companies must have processes and technologies related to passwords that maximize the protection of users’ IT accounts. Good protection must give strong answers in three areas:

  • Password policies
  • Technical protection
  • Password processes

Although it is the user’s responsibility to protect his password, it is the organization’s responsibility to set up processes which help the user protect the password, and to prevent others from obtaining the password or obtaining a new password for the user’s account.

Privileged users are the risk factor

https://youtu.be/JFZnY54NmDo

Password processes

The ideal situation is that only the user ever touches his own password. There are, however, at least two situations where a user needs external assistance:

  • When he is hired or gets access to new systems: somehow a new password must be created and delivered to the user.
  • If he forgets the password: then he must somehow get a new password.

Technical protection

The basic concept of technical protection is to prevent others from reading and understanding the user’s password while it is in the IT system.

The primary methods are:

  • Encryption of passwords when they are stored
  • Encryption of data when in transport
  • Firewalls/DMZs to keep external attackers out
  • Preventing malware and keyloggers from being installed

Password Policies

Password policies are made to help users protect their passwords. The risk is that someone obtains our password so they can impersonate us and read and send from our e-mail. For example, someone looks over our shoulder and tries to catch the password. Others might have picked it up someday (perhaps from a sticky note) and then continue to use it. If we use the month or year in the password, it is not difficult to guess future passwords. This has led to the development of password policies, of which these are the most standard:

  • Length: at least XX characters with a complex structure
  • History: must be different from the last XX passwords
  • Internal logic: must not contain repeating elements (such as the month or year)
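An added example, not FastPass code, of how the three policy rules above can be checked before a new password is accepted. The concrete limits (12 characters, last 10 passwords, three character classes) and the PBKDF2 history hashing are assumptions; a real deployment uses the directory’s own settings and hash format.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12      # "at least XX characters": 12 is an assumed value
HISTORY_DEPTH = 10   # "different from the last XX passwords": 10 is an assumed value
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

def hash_for_history(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 digest so the history list never stores clear-text passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def complexity_ok(pw: str) -> bool:
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3  # assumed rule: at least 3 of the 4 classes

def has_predictable_logic(pw: str) -> bool:
    """Coarse check for the 'internal logic' rule: month names, four-digit years,
    a character repeated three times, or a fragment repeated back to back."""
    low = pw.lower()
    if any(m in low for m in MONTHS) or re.search(r"(19|20)\d{2}", low):
        return True
    if re.search(r"(.)\1{2,}", low):                 # aaa, 111
        return True
    return re.search(r"(.{2,})\1", low) is not None  # abab, 123123

def in_history(pw: str, history: list) -> bool:
    """history holds (salt, digest) pairs, most recent first; only the last
    HISTORY_DEPTH entries count, and comparison is constant-time."""
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_for_history(pw, salt)[1], digest):
            return True
    return False

def check_password(pw: str, history=()) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not complexity_ok(pw):
        problems.append("needs at least 3 of: lower, upper, digit, symbol")
    if has_predictable_logic(pw):
        problems.append("contains month/year or repeating elements")
    if in_history(pw, list(history)):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems
```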

Many users find them annoying, but they are made to protect the user and his account. What is really annoying is to call a service desk and admit that you can’t remember your password. A gentler way to avoid this is to give users a self-service solution. It is fast, and you don’t need to tell anyone you can’t remember your password!

See the IDC blog on GDPR and password security

Password processes

In both situations the majority of companies have a manual process where a privileged user creates and delivers a new password. This opens up an additional risk:

Can the privileged users make and give passwords to a “wrong” user? The answer is yes in most cases.

It is obvious that organizations must put as much effort into password processes as is put into password policies and password security technologies. The basic principle must be that the process is defined by management! Furthermore, the process must be recorded so that it is available for monitoring.

Management must decide exactly what information the service desk agent must have available to positively authenticate a user. The process can differ between user groups. Users with access only to simple data might have a light process, whereas users with access to critical systems must have a 2-person authentication process. The complete process must be controlled by the password reset IT solution. If the service desk agents only have a manual process in place, monitoring becomes extremely challenging! The basic principles are:

  • A password reset process is defined by management
  • 2-person authentication is integrated for users with access to sensitive systems
  • Users must be able to reset the password themselves through re-enrollment to a self-service portal
  • Privileged users (service desk supporters) should not have access to standard tools (Windows) for password reset

IDC has in its Technology Spotlight “Password Management and GDPR Compliance: Lowering Risk Through State-of-the-Art Assisted Password Reset” analysed the issues and made some recommendations. The FastPass vision and concept for password compliance can be found here.

Testimonials

“We strive continuously to improve our service. It is important to us to deliver modern and simple solutions helping customers to a more efficient operation. The cooperation with FastPass is yet another step in this direction.”

Mads Jacobsen

Associate Vice President

... seen an 80% reduction in assisted password resets. We’re very satisfied with the product. It has significantly freed us up from frustrating and unrewarding password resets.

Oliver Holmes

Deputy Director, Technology and Operations


FastPass handled 2,531 password calls, or more than 80% of the total password calls from all the users.

Per Kristensen

Project manager


...we have met our Customers’ Service and Cost Improvement challenges by reducing our call abandon rates by over 55% and our average wait times by over 60%, despite our overall budget being reduced.

Pete Townley

Lead Service Delivery


… about 90% use FastPass to reset their passwords. So we’ve seen a substantial reduction in calls to the help desk.

Winston Hughed

Vice President IT

We are very pleased with the product. FastPass has simplified password management and eliminated many password-related calls.

Chuck Mick

ERP Manager

Nyrstar has chosen FastPass to automate and improve the processes related to users’ forgotten passwords. This has improved user satisfaction and reduced the workload in the IT HelpDesk.

The number of forgotten passwords per involved user per year has dropped from 1.6 to 0.3. This is an improvement of 83%!

Hans Lauwers

SAP


... The numbers have grown to the point that it would be impossible to operate in today’s busy environment without a password management service.

Haydn Tarr

IT Technical Lead & Coordinator

Our employees use it to synchronize their Windows password with their IBM i password when they need to be changed every 90 days due to compliance. We find this is a quiet, behind-the-scenes way for our employees to change and remember their passwords.

Larry Marxen

Director of Information Systems


North America T: +1 (212) 419-4921

Europe T: + 45 4810 0410

E: info@fastpasscorp.com

FastPassCorp A/S, 1350 Avenue of the Americas, 2nd Floor, New York, NY 10019, USA

FastPassCorp A/S, Lyngby Hovedgade 98, Kgs. Lyngby, DK 2800, Denmark

© FastPassCorp A/S. All Rights Reserved.