Best Practices for Enterprise Password Management
Passwords exist to protect systems and data and to prevent breaches. Productivity and human nature cannot be ignored, however: a password best practice must keep passwords secure while remaining workable for end users and IT staff. We see three distinct areas to plan and execute for. Getting them right protects the company without placing an unnecessary burden on the organization.
3 Elements in Password Management Best Practice
The objective of a good password policy is to prevent passwords from being stolen, guessed, or found by others. A newer threat is password reuse: a corporate password that a user also uses on an external web system is exposed whenever that system is breached. Please see our insight on Password policies and how to make a modern protection.
Password awareness is about protection against the users' own behavior. Never give your password away, and never "loan" it to anyone. The risks here include phishing and vishing attacks aimed directly at the users. Technical controls alone cannot stop a user from handing over a password; the only real protection is user-awareness training. See Risks and Mitigations of Passwords.
We do, however, have password processes in which the password is under the control of someone other than the user herself. The clearest examples are a new hire receiving a first password and a user who needs help resetting a forgotten one. In these situations there is an obvious risk that the password is stolen or copied by someone else. The mere fact that many support staff hold the privileged right to issue new passwords is itself a risk.
Password Reset Process
The most important process risk lies in the password reset. A competent attacker with social engineering skills will call the service desk and impersonate a real user, and without a defined verification procedure the odds favor the attacker. To stop this you need a deliberate, secure workflow: identity verification must follow a fixed procedure so that the agent's judgement or sympathy cannot be exploited, and support staff should not hold standing privileges to set passwords at all. Additionally, you can implement a self-service solution in which end users securely reset their own passwords without assistance from anyone.
For more information on the end-user identity verification by service desk staff, click here.
For more information on the successful implementation of self-service password reset (SSPR), click here.
New Password to a New User
When we add a new user to our systems, that user needs a first password, and only the new user should ever know it, even when it is a temporary one. A number of questions arise about the best way to handle this:
What type of code do we give?
- Temporary password
- Code to a dedicated system
Who generates the code?
Who delivers the code, and through which channel?
Is there other information, or a token, we can use to verify that we are dealing with the real user?
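The following is an added example, not FastPass code, of the workflow the reset section and the new-hire questions describe: the service desk agent can only open a ticket after identity verification and never sees or sets the password; a single-use, time-limited code is delivered to the user's pre-registered contact channel (simulated here by a list standing in for an SMS or e-mail gateway); and the user redeems it in a dedicated step to choose the password. The same flow serves first-password onboarding and forgotten-password resets. Class and function names, the 15-minute validity window, the attempt limit and the sample contact data are all assumptions.

```python
# Added example (not FastPass code): reset / first-password workflow in which
# the service desk agent never learns or sets the password. Names, the 15-minute
# TTL, the attempt limit and the sample contact registry are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60   # assumption: the code is valid for 15 minutes
MAX_REDEEM_ATTEMPTS = 5       # assumption: burn the code after 5 wrong tries
PBKDF2_ITERATIONS = 200_000


class PasswordStore:
    """Keeps only salted PBKDF2 hashes; plaintext is never stored or logged."""

    def __init__(self):
        self._hashes = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self._hashes[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        entry = self._hashes.get(username)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, self._derive(password, salt))


@dataclass
class PendingReset:
    username: str
    token_hash: bytes     # only the hash of the code is kept server-side
    expires_at: float
    opened_by: str
    attempts: int = 0
    used: bool = False


@dataclass
class ResetService:
    store: PasswordStore
    contacts: dict                                   # username -> pre-registered channel
    pending: dict = field(default_factory=dict)
    deliveries: list = field(default_factory=list)   # stand-in for the SMS/e-mail gateway
    audit: list = field(default_factory=list)

    def initiate(self, username, agent, identity_verified, now=None):
        """Service desk step: opens a ticket and returns its id, never the code."""
        now = time.time() if now is None else now
        if not identity_verified or username not in self.contacts:
            self.audit.append(("reset_refused", username, agent))
            return None
        token = secrets.token_urlsafe(24)            # 192 bits, so a plain hash suffices
        self.pending[username] = PendingReset(
            username=username,
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=now + TOKEN_TTL_SECONDS,
            opened_by=agent,
        )
        # The code goes out on the user's registered channel; the agent only gets a ticket id.
        self.deliveries.append({"to": self.contacts[username], "token": token})
        ticket = "RST-" + secrets.token_hex(4)
        self.audit.append(("reset_opened", username, agent, ticket))
        return ticket

    def redeem(self, username, token, new_password, now=None):
        """Self-service step: the user proves possession of the code and sets the password."""
        now = time.time() if now is None else now
        req = self.pending.get(username)
        if req is None or req.used or now > req.expires_at:
            self.audit.append(("redeem_failed", username, "no valid code"))
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, req.token_hash):
            req.attempts += 1
            if req.attempts >= MAX_REDEEM_ATTEMPTS:
                req.used = True                      # repeated guessing burns the code
            self.audit.append(("redeem_failed", username, "wrong code"))
            return False
        req.used = True                              # single use, even before expiry
        self.store.set_password(username, new_password)
        self.audit.append(("password_set", username, "self-service"))
        return True


def demo_new_hire():
    """Onboarding walk-through on constructed data; returns the audit trail."""
    store = PasswordStore()
    svc = ResetService(store=store, contacts={"new.hire": "+1-555-0100"})   # constructed
    t0 = 1_700_000_000.0
    svc.initiate("new.hire", agent="helpdesk01", identity_verified=True, now=t0)
    code = svc.deliveries[-1]["token"]               # in practice read from the user's phone
    svc.redeem("new.hire", code, "correct horse battery staple", now=t0 + 60)
    return svc.audit
```

The agent's only output is a ticket id, so a social engineer who talks an agent into opening a ticket still has to be holding the registered phone or mailbox to finish the reset; the code is single use and expires, and the audit list records who opened each ticket so that unusual reset volumes per agent can be reviewed.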
Protect your Passwords today with FastPass