Risks and Mitigation of Passwords
Challenges and solutions to corporate use of passwords
What is the original reason for the use of passwords? It was, and still is, to tie a ‘real’ person to a user-id, which is the only identification an IT system can use. Since a password is supposed to be personal and secret, only the ‘real’ person can activate their own user-id. With this user-id we can then hold a person responsible for the actions taken under it.
This, however, requires that the password really is personal and secret. To achieve this and prevent misuse of passwords, more and more demands have been put on password policies and the processes around passwords. Users get longer and more complex passwords and must change them frequently, and each new password also has to differ from the previous ones! Of a more technical nature is the requirement for encryption during transmission and storage. The processes for issuing and resetting forgotten passwords also have to be very rigid about authenticating the recipient of the new password and about how the password is delivered to the user.
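The policy rules described above (minimum length, character classes, and no reuse of recent passwords) can be enforced without ever storing the old passwords themselves, by keeping only salted one-way hashes of the history. The following is an added example written for this article, not code from the page or from NIST; the threshold values (12 characters, three character classes, five remembered passwords) are assumptions chosen for illustration.

```python
import hashlib
import os
import re

# Assumed policy values (not from the article): minimum length, required
# character classes and how many previous passwords may not be reused.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; history entries never hold the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_complexity(password: str) -> list[str]:
    """Return a list of policy violations (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": r"[a-z]", "uppercase": r"[A-Z]",
        "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
    }
    missing = [name for name, pat in classes.items() if not re.search(pat, password)]
    if len(classes) - len(missing) < 3:
        problems.append("needs at least three of: " + ", ".join(classes))
    return problems


class PasswordHistory:
    """Keeps the last HISTORY_DEPTH salted hashes for one user-id."""
    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes]] = []  # (salt, hash), newest last

    def was_used_before(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(_hash(password, salt) == digest for salt, digest in self.entries)

    def change_password(self, new_password: str) -> list[str]:
        """Apply complexity and reuse rules; record the hash if accepted."""
        problems = check_complexity(new_password)
        if self.was_used_before(new_password):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.entries.append((salt, _hash(new_password, salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]  # drop the oldest entry
        return []
```

Because the history holds only salted hashes, a leaked history file does not reveal the user's past passwords, which is the property the "encryption in storage" requirement is really after.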
The more security we want to build into the process, the more expensive it usually gets.
These challenges of security and cost should lead to a review of the challenges and of the mitigations available to modern IT departments.
Inspiration can be found in NIST Special Publication 800-118 (Draft), Guide to Enterprise Password Management: Recommendations of the National Institute of Standards and Technology.
Mitigation and consequences for passwords
In well-run IT operations you will see users required to have very complex passwords with frequent changes. Many users will even have many different passwords to remember, which complicates life even more. As a result, some users help themselves by writing passwords on yellow sticky notes to be sure they can sign on without delay!
An overview of the challenges with passwords and the potential result of weak links is given in the table below, together with some possible mitigation tactics and their potential consequences.
As seen in the table above, the mitigation tactics often lead to new challenges, and the problems just kind of rotate!
What is needed is a complete change to some of the basic processes around passwords.
The basic problem is that complex passwords mean that users forget them. Then the users either write them on sticky notes or call the service desk, which is embarrassing and costly.
Self-service of passwords will, however, solve practically all the challenges!