Organizations implement a password policy to help users protect their passwords against misuse by others. These policies, however, have become increasingly demanding for users. In September 2015, the UK cyber-security organization CESG brought a fresh attitude to password policy advice:
‘By simplifying your organisation’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage.’
The different methods for strengthening passwords include:
Despite these sensible measures, CESG advocates a simpler approach in a new guide, Password Guidance (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf).
The advice aligns with that given by the US organization NIST in A Guide to Password Management from 2009.
Both organisations recommend making users responsible for password security while acknowledging the natural limitations of human users. When password policies become too demanding, many users will defend themselves with their own ways to cope, such as using sticky notes.
But does a password policy decision have to be EITHER/OR? Why not BOTH/AND?
When confronted with ambitious cyber-security policies, some users protect themselves from forgetting a password by writing it on sticky notes easily visible to colleagues.
However, a good password self-service eliminates the concern that prompts such counterproductive measures by allowing users to reset the password without contacting the service desk. Developing users’ confidence that they can ‘self-service’ successfully is vital. Please see our ‘5 steps to password self-service success.’
Our experience leads us to conclude that you can have strong password policies and, at the same time, have users respect the privacy of their passwords – as long as a good password self-service tool is available.
In some situations – like access from external networks – or for some users with access to critical systems, we will require strong authentication.
Strong authentication is also called 2-factor authentication, as it must combine 2 authentication methods of the standard 3 types:
Strong authentication is actually easy to implement in password self-service systems.
All FastPass products offer the user a free choice of authentication, 2-factor authentication, and advanced logging and reporting.
We surveyed many members of LinkedIn ITSMF groups.
We asked 5 questions:
You can see the answers in this LinkedIn post.
With modern password self-service solutions, organizations can make authentication methods fit the realities of their users, where different users must have different but still secure authentication. It is even possible to have users select the authentication method in the forgotten-password situation!
With good logging, it is furthermore possible to monitor exactly how users authenticate.
We found that FastPass was the only solution in the marketplace with the capability to deliver a fully-fledged solution that we could use for all of our customers. A solution is only good once deployed and we see that the new service based on FastPass is highly popular among our customers. We tested several products in the market and found that the FastPass product stood out clearly as the best product thanks to the easy implementation, single point of management and rich feature set. FastPass supports our strategy of the very best customer experience regardless of the time of day, says Per Werngren, CEO at IDE.
"The Portuguese Parliament was looking for a self-service password reset/unlock solution. We surveyed the market, and found some expensive and complex solutions. Then we discovered FastPass, which seemed to address all our requirements. We did a pilot installation, and were very pleased by the ease of use for both the administrator and the final user interface. We were even more pleased with the low cost for such a complete product. After we acquired the product, installation was a breeze and FastPass support helped us promptly in all our issues and questions. We had the product in full production in about one week after installation and initial testing. Now our users have a simple method to unlock/reset their passwords without contacting helpdesk, at any time of day or night and from everywhere they have Internet access."
Varde City Council needed to improve service for end-users working outside normal business hours, and wanted at the same time to reduce the number of calls to the internal IT department. With more than 100 password-related calls each month, Varde chose FastPass to give users self-service for passwords. Varde has two primary passwords: Windows/AD and an external password from an IBM mainframe (KMD). With FastPass, users now have self-service when a password is forgotten or lost. Within less than 3 months more than 80-85% of calls are now handled by users. See the comments from Lea Dragsbæk
Sonoco realized the need to reduce Help Desk expenses and quickly identified password resets as a target call volume. Sonoco had already made a large investment in their identity and access management infrastructure and they wished to capitalize on that with minimal additional investment. Sonoco and Logic Trends collectively identified FastPass’s Password Manager product due to the low licensing cost, low maintenance effort and strong integration with the Microsoft infrastructure.
Faced with a compliancy requirement from our US parent company, we surveyed the market for a tool that would help us to come into line with section 404 of the Sarbanes-Oxley Act, which requires our users to authenticate themselves to the environment and have the ability to manage their own passwords.
Exactly 21 days before the compliance date we found FastPass Password Manager with a connector to our AS/400 environment.
IT Intergroup worked with us to get the FastPass solution in place and we were compliant a week ahead of schedule. All our users are now able to authenticate and reset passwords from a simple browser interface.
In spring 2009, Tulsa Public Schools decided to implement FastPass Password Manager from FastPassCorp. IT manager Kirk Damron says: "We needed to reduce the load on our Help Desk from numerous calls related to forgotten passwords". With 8000 employees and teachers and increasing complexities in passwords, the ‘forgotten password’ workload was significant.
Kirk Damron adds: "We needed a solution which was easy to implement and administrate, and easy to use for the end-users. FastPass has proved to be just that!"
Installation and implementation were done in just one day, and the continued roll-out to users has been effortless.