Risks and Mitigation of Passwords
Challenges and solutions to corporate use of passwords
Passwords are by far the most frequently used method for user authentication. Password authentication is fast and cheap, and password authentication is standard for practically all IT systems and applications.
It is therefore vital that passwords, and the processes around them, are secure. IT security officers see a number of threats to IT security arising from the misuse of passwords. Mitigating these threats often leads to cumbersome and expensive processes, at odds with the original idea of passwords as a fast and cheap authentication method. Modern self-service tools such as FastPass, on the other hand, offer technology that improves security while reducing the total cost of the password processes.
IT security policies must control who is allowed to access specific information. To enforce such a policy, the IT systems and processes must be secure, and users must be correctly identified and authorized. Passwords are still the primary key for authentication, so it is crucial that they effectively authenticate the correct person, and that this is done at the lowest possible total cost.
This section describes the challenges and solutions for the use of a password, from a security and economic point of view.
What is the original reason for the use of passwords? It was, and still is, to tie a 'real' person to a user-id, which is the only identification an IT system can use. Because a password is supposed to be personal and secret, only the 'real' person can activate their own user-id, and we can therefore hold that person responsible for the actions performed under it.
This, however, requires that the password really is personal and secret. To achieve this and prevent misuse, more and more demands have been placed on password policies and on the processes around passwords. Users get longer and more complex passwords and must change them frequently, each time to something different from previous passwords. Of a more technical nature are the requirements for encryption in transit and protected storage (in practice, stored passwords should be kept as salted, deliberately slow hashes rather than reversibly encrypted). The processes for issuing and resetting forgotten passwords also have to be very rigid when it comes to authenticating the recipient of the new password and transporting it to the user.
The more security we want to build into the process the more expensive it usually gets.
This tension between security and cost should prompt a review of the challenges, and of the mitigations available, for a modern IT department.
Inspiration can be found in NIST Special Publication 800-118 (Draft), Guide to Enterprise Password Management: Recommendations of the National Institute of Standards and Technology.
Password policy revisited
Have password policies done more harm than good?
Organizations implement a password policy to help users protect their passwords against misuse by others. These policies, however, have become increasingly demanding for the users. In September 2015, the UK cyber-security organization CESG brought a fresh attitude to password policy advice:
‘By simplifying your organisation’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage.’
The different methods for strengthening passwords include:
- Limiting the value of a compromised password by changing passwords frequently.
- Not reusing a password that has been compromised.
- Avoiding a pattern when creating passwords; otherwise, anyone who knows one password will be able to predict the next one.
- Mixing characters of different types and using long passwords, making it difficult to crack a password by technical means.
Although each of these measures is sensible in isolation, CESG advocates a simpler approach in its guide Password Guidance (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf): fewer composition rules imposed on users, no routine forced expiry (which the guide states harms rather than improves security), and controls that do not depend on user behaviour, such as account lockout or throttling, protective monitoring, and never storing passwords in plain text.
The advice aligns with that given by NIST in the 2009 draft Guide to Enterprise Password Management (SP 800-118).
Both organisations recommend making users responsible for password security while acknowledging the natural limitations of human users. When password policies become too demanding, many users defend themselves with their own coping strategies, such as using sticky notes or inventing their own password rules, which actually reduces the secrecy of their passwords.
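The following is an added example, not code from the original paper or from the FastPass product, showing how the policy points listed above can be checked mechanically, and how the storage requirement mentioned in the introduction is met with a salted slow hash rather than reversible encryption. The thresholds (MIN_LENGTH, MIN_BITS, HISTORY_DEPTH, PBKDF2_ITERATIONS), the function names, and the sample passwords are this example's own assumptions, not values taken from the NIST or CESG documents. The reuse check works on stored hashes only; the pattern check needs the plaintext of the current password, which is only available at change time when the user has just typed it.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import os
import re
import string

# Policy thresholds used by this example (assumptions, not values from the
# paper or from the NIST/CESG documents it cites).
MIN_LENGTH = 12            # characters
MIN_BITS = 60.0            # brute-force keyspace bound: log2(alphabet) * length
HISTORY_DEPTH = 5          # previous hashes a new password is compared against
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Store a password as a salted, deliberately slow hash (PBKDF2-HMAC-SHA256),
    never as reversible encryption. Returns (salt, digest); a fresh random salt
    is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force work, assuming every character is drawn from
    the union of the character classes actually present. Dictionary words are
    NOT penalised, so this is a policy floor, not a strength meter; a real
    deployment would add a blocklist or a dictionary-aware estimator."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def predictable_variant(previous: str, new: str) -> bool:
    """Catches 'Winter2023!' -> 'Winter2024!' (same stem once digits are removed)
    and 'Secret' -> 'Secret1' (one password is the other with characters appended)."""
    if previous == new:
        return False
    stem = lambda s: re.sub(r"\d", "", s).lower()
    return (stem(previous) == stem(new)
            or previous.lower() in new.lower()
            or new.lower() in previous.lower())


def check_policy(new: str, history: list[tuple[bytes, bytes]], previous: str | None = None) -> list[str]:
    """Return the list of policy violations for a candidate password.

    history  -- (salt, digest) pairs of earlier passwords, newest first; only
                hashes are kept, so reuse is detected by verifying the candidate
                against each stored pair.
    previous -- plaintext of the current password, available only at change
                time when the user has just typed it; enables the pattern check.
    """
    problems: list[str] = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if keyspace_bits(new) < MIN_BITS:
        problems.append("keyspace too small")
    if any(verify_password(new, salt, digest) for salt, digest in history[:HISTORY_DEPTH]):
        problems.append("reuses a previous password")
    if previous is not None and predictable_variant(previous, new):
        problems.append("predictable variant of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for demonstration only.
    salt, digest = hash_password("correcthorsebatterystaple")
    print(check_policy("P@ssw0rd!", []))                                 # short, small keyspace
    print(check_policy("correcthorsebatterystaple", [(salt, digest)]))   # reuse
    print(check_policy("Winter2024!Office", [], previous="Winter2023!Office"))
```

Note that the long all-lowercase phrase passes the keyspace bound while the nine-character "complex" password fails it, which is the length-versus-complexity point the list makes; the same phrase is still a dictionary phrase, which is why the comment on keyspace_bits calls it a floor rather than a strength meter.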
But does a password policy decision have to be EITHER/OR? Why not BOTH/AND?
When confronted with ambitious cyber-security policies, some users protect themselves against forgetting a password by writing it on sticky notes easily visible to colleagues.
A good password self-service removes the concern that prompts such counterproductive measures, by allowing users to reset a forgotten password themselves without contacting the service desk.
Our experience leads us to conclude that you can have strong password policies and, at the same time, have users respect the privacy of their passwords – as long as a good password self-service tool is available.
Mitigation and consequences for passwords
In well-run IT operations, users are required to have very complex passwords with frequent changes. Many users also have many different passwords to remember, which complicates matters further. As a result, some users help themselves by noting passwords on yellow stickers to be sure they can sign on without delay.
An overview of the challenges with passwords and the potential result of weak links is listed in the table below, together with some possible mitigation tactics and their potential consequences.
As the table shows, the mitigation tactics often lead to new challenges, and the problems simply rotate.
What is needed is a complete change to some of the basic processes around passwords.
The basic problem is that complex passwords mean that users forget them. The users then either write them on sticky notes or call the service desk, which is both embarrassing and costly.
Password self-service, however, solves practically all of these challenges.
North America T: +1 (212) 419-4921
Europe T: + 45 4810 0410
FastPassCorp A/S, 1350 Avenue of the Americas, 2nd Floor, New York, NY 10019, USA
FastPassCorp A/S, Lyngby Hovedgade 98, Kgs. Lyngby, DK 2800 Denmark
© FastPassCorp A/S. All Rights Reserved.