What is password management?

1. Using password as single or 2-factor authentication?
2. Defining password policies
3. Creating user-awareness
4. End-user self-service of passwords
5. Secure facilitated process at the service desk

Large and respected companies have recently announced data breaches. This because of It-crime in different forms. Boards and executives put the spotlight on IT-management asking: “Can this happen to us?” and “How do you prevent, that it happens to us?!!” According to Gartner IT-security expenditure rose by 16% in 2016. When IT-security gets in focus, so do passwords as the most basic component of IT-security.

We believe this is the reason for the increasing interest for enterprise password management. In our meetings with senior IT management we find an interest to get a simple overview and understanding of risks and mitigations related to password challenges. We decided to make a short and hopefully easily read document on enterprise password management. It is intended for IT-people involved in decisions and processes related to the use of corporate passwords.

Our intention is to have a pragmatic and operational document. It is not a scientific or research based document for universities! Please forward any suggestions for improvements to us for future versions.

Purpose of passwords:

We have used passwords since ancient times. When a citizen in the dark night came back to the city gate he identified himself: “Hi this Joe the Miller”. Now the guards knew Joe the Miller, but should still ask: “Give us the password”. Joe would answer “The moon is blue tonight” and the guards would know that this is the true Joe the Miller and open the gate!

Passwords are used for the same in modern IT-systems: To establish trust to an identity.

We make living persons responsible for the actions made by their user-id in the IT-system. Hence, we must make sure that it only can be the right person who has access to his account. More generic we talk about the authentication process, where password is one option.

In the ideal world then that would be it! Unfortunately, as the use of passwords exploded to be used by practically everyone, many problems and risks became visible. Professional IT-departments then have to counteract these threats. The actions and decisions necessary to handle and protect passwords make up Password Management. As this primarily have been an issue for large organizations it is often referred to as Enterprise Password Management, to distinguish it from the personal issues with managing all our new passwords for WEB-services!

Problems

There are various problems inherent with passwords:

Users give them away

Even Edward Snowden at the NSA said that people were sharing passwords.  Employees are supposed to be trained not to share passwords, but they do anyway.   Nick Leeson from Barrings Bank in Singapore got access to colleagues’ accounts and passwords to confirm his transactions himself – no need for others to bother! Password expirations might help to reduce the problem in these situations.

Intruders “steal” them

Intruders might use different tools to steal a password from the user repository or in transmission. With Windows and AD based systems this is not easy at all, but other systems might be more forgiving! Beyond that, the #1 problem is users, despite security awareness training, still get tricked by email phishing into entering their passwords into hacker sites. Those are mocked up to look like something the user knows and trusts. It is claimed this is how the Democratic Party in US during election campaign in 2016 got hacked.

Users forget them

Today we all have lots of passwords to remember and as humans we will sometimes forget. If your password is complicated too and changes with short intervals, you will forget it! Our rule of thumb for an enterprise with standard password policy is, that there is approximately 1 password call per user per year. This means cost for the company. Calculating the full cost including user and IT-department analysts estimate to be between 15$ and 100$ per password call.

Third persons (service desks) handle them

When the user has an enterprise password problem they contact the service desk for help (unless a self-service solution is available). The service desk analyst then has tools to create new passwords. This is often a temporary password the user is forced to change immediately, and then the service desk doesn’t know the ‘real’ password. The problem is however, that the service desk analyst deliberately or by accident gives the password to a ‘wrong’ person, and the user has very little chance of ever knowing it happened.

As can be seen the problems of passwords are security and productivity. Both problems are important to counteract, but most will agree that security issues are urgent.

How can we solve the problems?

The question is what to do with the password problems. Instead of getting rid of passwords it might be easier and more realistic to look for mitigation strategies. For each of the password problems we have in this table listed the most effective mitigation strategies:

Authentication

The first step in any password management process should be the definition of security demands for different user groups relative to different applications / systems.

Some user groups may only have access to insensitive data and a simple authentication is fine. Other groups may have access to applications where you can transfer millions of dollars, and you will require very strong authentication to give access. When users are at company premises it might be OK to use single factor authentication; but when the same users access from external net you require 2-factor authentication.

The ability to control authentication for different groups in different situations must reflect the features of sign-on for the different systems and applications. Many new authentication methods come forward now including Google and Microsoft Authenticators and some are based on the FIDO model described by the FIDO consortium.

Within the financial limits and security requirements the decisions can be made to balance cost and risks when authentication choices are made for users and applications. Passwords will most likely continue to be part of the authentication process. In particular as one factor in a multi-factor authentication or a single factor where only insensitive data can be reached.

Security awareness

Education and continuous awareness program to employees.

• What are the risks for you and your company if we don’t follow the security guidelines?
• What are the company guidelines?
• How can I follow the guidelines?

Password Policies

How do we help the users protect their passwords? Password Policies define the corporate requirements for complexity and expiration. Some of the parameters are:

• Length: minimum and maximum
• Complexity of characters
• History (different from earlier versions of the password)
• Forbidden words, can be based on dictionaries of negative passwords

Technology

IT-infrastructure professionals are responsible for the technical protection of passwords. This covers storage of passwords in user repositories like Active Directories, where encryption and hashing is used making reversal of passwords practically impossible (This mean for example that “Give me my password back” is impossible because no-one can get the real password!)

Encryption of the password in transmission is important.

Additionally, we have many different technologies available to prevent that users are attacked by malware or phishing schemes with the purpose to “steal” the user’s password.

Processes

The primary process related to passwords is the password reset process for forgotten or locked passwords. The standard manual process is risky and takes time = costs money!

Gartner calls the process in the service desk: ‘The Facilitated Password Reset Process’. Many service desks have no management defined process for this service, and many others have a weak process. This obviously means high risks for impersonations from persons who want access from other users’ accounts through a stolen password. Furthermore, monitoring of a manual process is difficult. It also requires that the service desk analysts have privileged passwords further adding to the risk.

IT-based solutions are available:

Self-service password reset (SSPR)

Users can in a secure way reset and unlock passwords through self-service solutions. SSPR gives end-users faster resolution than waiting for the service desk and is available 24*7. As a result, the service desk will see a reduction in the total number of calls, helping to boost productivity.

It is important to be aware of the adoption rate for the solution. Some implementations end-up with as little as 10-40% of users using self-service and the remaining users call the service desk. Even in the best SSPR implementations you must expect that some users will need the service desk.

Ways to improve adoption or success rate relates to:

• the enrolment process
• accessibility from all types of devices and places (including a locked workstation!)
• a high degree of flexibility in the authentication process.

Facilitated Password Reset (FPR)

Facilitated means that the process involves human assistance. Then risks and deviations follow unless the service desk analysts are supported or even controlled by an IT-solution. To make the facilitated service desk process compliant and secure the analysts must follow management decided steps before a new password is issued. The service desk analysts will be taken through an authorized end-user authentication and then enabling the user to make a new password. The process is commensurate for each user group to balance risk and cost.

The big challenge is user authentication. In a completely manual process the service desk might use a call back to users’ phones. If there is a SSPR system then the user wouldn’t have to call the service desk if he can receive a SMS-code on his phone! Users calling the service desk have multiple authentication problems, or they would have done self-service. Authentication should then, in addition to standard methods as asking questions, have dynamic data related to unique and fresh knowledge about the user. Dynamic and contextual data will be extremely difficult for attackers to obtain.

Furthermore, for very ‘important’ user groups it must be possible to demand personal vouching from other users. This is often referred to as the manager approval model. Basic principles for an FPR solution are:

• Management decided work-flow
• Configurable per user-group
• Multiple authentication options
• Information used for authentication must include dynamic and contextual data
• Manager approval of users must be an option
• Remove privileged passwords from the service desk analysts