Importance of Password Policy and Password Security Risks
Mitigation of Data Breach through Self-Service and Authentication
Passwords are by far the most frequently used method for user authentication.
Password authentication is fast and cheap, and password authentication is standard for practically all IT systems and applications.
It is therefore of vital importance that passwords, and the processes around them, are secure. IT security officers see a number of threats to IT security through the misuse of passwords. Mitigating these threats often leads to cumbersome and expensive processes, in contrast with the original idea of passwords as a fast and cheap authentication method. Modern self-service tools such as FastPass, on the other hand, offer technology that improves security while reducing the total cost of the password processes.
What is the original reason for the use of passwords? It was, and still is, to tie a 'real' person to a user-id, which is the only identification an IT system can work with. Because a password is supposed to be personal and secret, only the 'real' person can activate their own user-id, and with this user-id we can hold that person responsible for the actions performed under it.
This, however, requires that the password really is personal and secret. To achieve this and prevent misuse, more and more demands have been placed on password policies and the processes around passwords. Users get longer and more complex passwords and must change them frequently, and each new password has to differ from the previous ones. Of a more technical nature is the requirement that passwords be encrypted in transit and stored only as salted, deliberately slow hashes rather than as encrypted copies that an administrator or an attacker with the key could recover. The processes for issuing and resetting forgotten passwords also have to be rigorous about authenticating the receiver of the new password and about how the password, or a reset token, is transported to the user.
The more security we want to build into the process the more expensive it usually gets.
This tension between security and cost should prompt a review of the challenges, and of the mitigation options available to modern IT departments.
Inspiration can be found in the document: Special Publication 800-118 (Draft); Guide to Enterprise Password Management (Draft); Recommendations of the National Institute of Standards and Technology. Note that SP 800-118 was never finalized; NIST's current password guidance is SP 800-63B, which advises against forced periodic changes and composition rules, for the reasons discussed below.
Mitigation and consequences for passwords
In well-run IT operations you will see users required to have very complex passwords with frequent changes. Many users also have several different passwords to remember, which complicates life even more. As a result, some users help themselves by writing passwords on sticky notes so they can sign on without delay.
An overview of the challenges with passwords and the potential result of weak links are listed in the table below. We have also listed some possible mitigation tactics, and their potential consequences.
As the table shows, each mitigation tactic tends to create a new challenge, so the problems simply move elsewhere rather than disappear. What is needed is a fundamental change to some of the basic processes around passwords.
The basic problem is that complex passwords are forgotten, and forgotten passwords end up either on sticky notes or as calls to the service desk, which is both embarrassing and costly.
Self-service password reset removes the service-desk call, and with it most of the cost and delay, and a user who can reset a forgotten password on their own has little reason to write it down. That addresses practically all of the challenges in the table.
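The reset process mentioned earlier has to authenticate the receiver and transport the credential safely. As an added example (not FastPass's code or anything from the original page), here is one way a self-service reset can do that without ever transporting a password: the user requests a reset, receives a random, short-lived, single-use token over a channel only they control (a registered phone or alternate mailbox, delivery of which is left to the caller), and chooses the new password themselves after redeeming it. The 15-minute lifetime is an assumption, and timestamps are passed in so the behaviour can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # lifetime of a reset token; assumed value for this example


class ResetTokens:
    """Pending self-service reset requests, at most one per user, kept only as hashes."""

    def __init__(self):
        # user -> (sha256(token), expiry timestamp); a dump of this store yields no usable tokens
        self._pending = {}

    def issue(self, user, now=None):
        """Create a fresh token for `user` and return it for out-of-band delivery.

        Issuing again replaces any earlier pending token for the same user.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)           # 256 bits of randomness, URL-safe text
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[user] = (digest, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user, token, now=None):
        """Return True exactly once for a valid, unexpired token, otherwise False.

        Expired entries are dropped; a wrong guess leaves the pending entry in place
        (rate limiting of guesses is the caller's job).
        """
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if now >= expires_at:
            del self._pending[user]
            return False
        candidate = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, candidate):   # constant-time comparison
            return False
        del self._pending[user]                           # single use: no replay of the same token
        return True


if __name__ == "__main__":
    store = ResetTokens()
    t0 = 1_700_000_000.0                                  # constructed timestamp
    tok = store.issue("alice", now=t0)
    print("deliver to alice's registered channel:", tok)
    print("first redeem:", store.redeem("alice", tok, now=t0 + 60))
    print("replay:", store.redeem("alice", tok, now=t0 + 61))
```

Once `redeem` returns True, the application lets the user set a new password in the same authenticated session; the token is never reused and the new password never travels by e-mail or phone.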
Password policy revisited: Have password policies done more harm than good?
The classic arguments for strict password rules run as follows:
Making a compromised password irrelevant by changing passwords frequently.
Not reusing a password that has been compromised, which is why a history of previous passwords is kept.
Avoiding a pattern when creating passwords; otherwise, anyone who knows one password will be able to predict the next one.
Mixing characters of different types and using long passwords, so that a password cannot be recovered by brute force or dictionary guessing.
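The following added example (not the page's or FastPass's code) pulls together the storage requirement from the earlier section and the history and pattern rules above in one change-password routine. Stored passwords are salted PBKDF2 hashes, not encrypted copies; previous passwords are kept only as hashes, so reuse is detected by re-hashing the candidate with each stored salt; and because a pattern check needs plaintext, it is applied only to the current password, which the user supplies in the same request. The policy values (12 characters, 3 character classes, a history of 5, 210,000 PBKDF2-HMAC-SHA512 rounds, a 0.75 similarity limit) are assumptions for illustration.

```python
import hashlib
import hmac
import re
import secrets
import string
from difflib import SequenceMatcher

# Policy values below are assumptions for this example, not from the original page.
MIN_LENGTH = 12
MIN_CLASSES = 3
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 210_000        # OWASP's current floor for PBKDF2-HMAC-SHA512
SALT_BYTES = 16
SIMILARITY_LIMIT = 0.75


def hash_password(password):
    """Salted, deliberately slow hash for storage; the password itself is never stored."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def character_classes(password):
    """Number of distinct classes present: lower, upper, digit, punctuation."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def stem(password):
    """The letters a user keeps while rotating digits and symbols: 'Winter2023!' -> 'winter'."""
    return re.sub(r"[^a-z]", "", password.lower())


def predictable_variation(new, current):
    """True if `new` is the kind of edit a user makes to satisfy a forced change."""
    if stem(new) and stem(new) == stem(current):          # Winter2023!! -> Winter2024!!
        return True
    ratio = SequenceMatcher(None, new.lower(), current.lower()).ratio()
    return ratio >= SIMILARITY_LIMIT                      # a few characters changed


class Account:
    def __init__(self, password):
        self.current = hash_password(password)
        self.history = []      # hashes of previous passwords, newest first

    def change_password(self, current_plain, new_plain):
        """Return a list of policy violations; an empty list means the change was applied."""
        if not verify_password(current_plain, self.current):
            return ["current password is wrong"]
        problems = []
        if len(new_plain) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if character_classes(new_plain) < MIN_CLASSES:
            problems.append(f"fewer than {MIN_CLASSES} character classes")
        # History is hashed, so reuse is found by verifying the candidate against each entry.
        if any(verify_password(new_plain, old) for old in [self.current] + self.history):
            problems.append("reuses one of the last passwords")
        # The pattern check needs plaintext; the only old password we have in the clear
        # is the current one, which the user just supplied.
        elif predictable_variation(new_plain, current_plain):
            problems.append("predictable variation of the current password")
        if problems:
            return problems
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = hash_password(new_plain)
        return []


if __name__ == "__main__":
    acct = Account("Winter2023!!")                         # constructed sample credential
    print(acct.change_password("Winter2023!!", "Winter2024!!"))
    print(acct.change_password("Winter2023!!", "Tq7#mdfLwz92pK"))
```

A limit worth knowing: the similarity check only sees the current password, so a user who alternates between two unrelated stems on successive changes (Winter2023!! to something else and back to Winter2024!!) will get past it. Keeping plaintext history to close that gap would mean storing recoverable passwords, which is the worse trade.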