Importance of Password Policy and Password Security Risks
Mitigation of Data Breach through Self-Service and Account Authentication
Passwords are by far the most frequently used method for user authentication.
It is fast and cheap, and it is standard for practically all IT systems and applications.
It is therefore vital that passwords, and the processes around them, are secure. IT security officers see a number of threats arising from the misuse of passwords, and the controls that mitigate those threats often lead to cumbersome and expensive processes, at odds with the original idea of passwords as a fast and cheap authentication method. Modern self-service tools such as FastPass, on the other hand, offer technology that improves security and reduces the total cost of the password processes.
IT security policies must control who is allowed to access specific information.
To enforce such a policy, the IT system and its processes must be secure, and users must be correctly identified and authorized. A strong password is still the primary key for authentication, so it is crucial that passwords reliably authenticate the right person and keep data out of the hands of attackers. Of course, this also has to be done at the lowest possible total cost.
This section describes the challenges and solutions for the use of a password, from a security and economic point of view.

Password Policies
What is the original reason for using strong passwords? It was, and still is, to tie a ‘real’ person to a user-id, which is the only identity an IT system can act on. A password is supposed to be personal and secret, so that only the ‘real’ person can use their own user-id; the organization can then hold that person responsible for the actions taken under it.
This, however, requires that the password really is personal and secret. To achieve this and prevent misuse, more and more demands have been placed on password policies and the surrounding processes. Users get longer and more complex passwords, must change them frequently, and must choose passwords that differ from their previous ones. Of a more technical nature is the requirement that passwords be encrypted in transit and protected at rest. The processes for issuing and resetting forgotten passwords also have to be very strict about authenticating the person receiving the new password and about how the password is delivered to the user.
These security and cost challenges should prompt a review of the threats and of the mitigations available to a modern IT department.
Inspiration can be found in NIST Special Publication 800-118 (Draft), Guide to Enterprise Password Management, from the National Institute of Standards and Technology. Note that SP 800-118 never left draft status; NIST's current guidance on passwords (“memorized secrets”) is SP 800-63B, which requires screening new passwords against lists of commonly used or breached values and advises against forced periodic changes and composition rules.
The more security we want to build into the process the more expensive it usually gets.

FastPass V4 - Secure Enterprise Passwords
FastPass V4 brings comprehensive password protection to security-conscious organizations. Complex passwords, a ban on dictionary words and popular phrases as password components, regular changes, and protected password processes together make your organization an unattractive target for attackers.
Mitigation and consequences for passwords

In well-run IT operations, users are required to have very complex passwords and to change them frequently. Many users also have many different passwords to remember, which complicates life even more. As a result, some users help themselves by writing passwords on yellow sticky notes so they can sign on without delay!
An overview of the challenges with passwords and the potential result of each weak link is given in the table below, together with possible mitigation tactics and their potential consequences.
Each row reads: challenge; result; mitigation; consequence of the mitigation.
- Password guessing; security breach; long and complex passwords, and locking the account after a limited number of failed attempts; users forget passwords or write them on sticky notes.
- Password sniffing/cracking; security breach; encryption and secure communication; cost.
- A second person involved in password issuance and password reset; security breach, productivity loss; strict control of people and processes, or self-service password reset; outsourcing to some countries might carry risks!
- Forgotten passwords; productivity loss; simple passwords with no change and no history!; ‘broken’ password confidentiality.
- Sticky notes!; security breach; simple passwords with no change and no history!; ‘broken’ password confidentiality.
- A stolen password can be reused without the user knowing; security breach; informing the user of their last login (login notifications); cost of changing the application.
As the table shows, the mitigation tactics often create new challenges, and the problems simply move around. What is needed is a fundamental change to some of the basic processes around passwords.
The basic problem is that complex passwords are forgotten. Users then either write them on sticky notes or call the service desk, which is embarrassing and costly. Password self-service, however, addresses practically all of these challenges at once.
Why Passwords Are OK and how to create policies for strong passwords
Password policy revisited: Have password policies done more harm than good?
Organizations implement a password policy to help users protect their passwords against misuse by others. These policies, however, have become increasingly demanding for the users. In September 2015, CESG, then the UK government's information-security authority (now part of the NCSC), published password guidance with a fresh attitude:
“By simplifying your organization’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage.”

The different methods for strengthening passwords include:
- Making a compromised password irrelevant by changing passwords frequently.
- Never reusing a password that has been compromised.
- Avoiding a pattern when creating passwords; otherwise, anyone who knows one password can predict the next one (Winter2023 becomes Winter2024).
- Using long passwords and mixing character types, so that cracking the password by technical means is impractical; of the two, length contributes far more than character mix.
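The checks described above and in the mitigation table (minimum length, a blocklist of common passwords, no reuse against a retained history, rejection of predictable successors to the current password, and account lockout after repeated failures) combined in one runnable form. This is an added Python example, not FastPass code and not taken from the NIST or CESG documents; the blocklist entries, the thresholds, and the assumption that a change-password form supplies the current password in clear are all illustrative choices made here.

```python
"""Password-policy and lockout checks, as an illustration of the text above."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed blocklist; a real deployment would load a breached-password list.
COMMON_PASSWORDS = {"password", "welcome1", "summer2015", "qwerty123", "letmein"}

MIN_LENGTH = 12          # illustrative; length matters more than character classes
HISTORY_DEPTH = 5        # illustrative; how many previous passwords may not be reused
MAX_FAILED_ATTEMPTS = 5  # illustrative; lock the account after this many wrong guesses


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so history can be kept without plaintext."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def core(password: str) -> str:
    """Reduce a password to its letters, so Winter2023! and winter2024 compare equal."""
    return re.sub(r"[^a-z]", "", password.lower())


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False

    @classmethod
    def create(cls, password: str) -> "Account":
        salt, digest = hash_password(password)
        return cls(salt, digest)


def policy_violations(new: str, account: Account, current: Optional[str] = None) -> List[str]:
    """Return every rule the proposed password breaks (empty list = acceptable)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in COMMON_PASSWORDS or core(new) in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    # Reuse: compare against the live credential and the retained history.
    stored = [(account.salt, account.digest)] + account.history[:HISTORY_DEPTH]
    if any(matches(new, s, d) for s, d in stored):
        problems.append(f"reuses one of the last {HISTORY_DEPTH + 1} passwords")
    # Pattern: when the change form supplies the current password, reject a new one
    # that differs only in digits or punctuation ("Spring2023!" -> "Spring2024!").
    if current is not None and core(current) and core(current) == core(new):
        problems.append("differs from the current password only by digits or punctuation")
    return problems


def change_password(account: Account, current: str, new: str) -> List[str]:
    """Rotate the credential if the policy allows it; returns the list of violations."""
    if not matches(current, account.salt, account.digest):
        return ["current password incorrect"]
    problems = policy_violations(new, account, current)
    if problems:
        return problems
    account.history.insert(0, (account.salt, account.digest))
    del account.history[HISTORY_DEPTH:]
    account.salt, account.digest = hash_password(new)
    return []


def login(account: Account, password: str) -> bool:
    """Verify a password, counting failures and locking after MAX_FAILED_ATTEMPTS."""
    if account.locked:
        return False
    if matches(password, account.salt, account.digest):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False
```

The history is kept as salted hashes rather than plaintext, so a leak of the user store does not also leak the user's habit of choosing passwords; the pattern check is the only rule that needs a cleartext password, and it only sees the one the user has just typed into the change form.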
Both CESG and NIST recommend making users responsible for password security while acknowledging the natural limitations of human users. When password policies become too demanding, many users defend themselves with their own coping strategies, such as sticky notes or home-made password patterns, which actually reduce the secrecy of their passwords.
Confronted with ambitious cyber-security policies, some users protect themselves from forgetting a password by writing it on a sticky note easily visible to colleagues.
A good password self-service removes the fear that prompts such counterproductive measures, by letting users reset their password without contacting the service desk.
Our experience leads us to conclude that you can have strong password policies and, at the same time, have users respect the privacy of their passwords – as long as a good password self-service tool is available.
But does a password policy decision have to be EITHER/OR? Why not BOTH/AND?