This one is geared to all you IT professionals out there who
are looking to create a strong, effective, and simple to manage password
policy. We’ve talked
before about password
best practices, and what not to do.
If you want some more information on that particular subject, check out some
of the information provided by the security experts over at PortalGuard. Today, however, we’re going to look at the
password policy in some more detail to figure out what password management best
practices are the most effective in actual use.
Why Password Management Best Practices Need to Be Considered
Hackers today are extremely creative. In the same way that we use our smartphones
and various programs to streamline our work, there are a whole host of programs
and applications that make
a hacker’s job easier. That article is from over a year ago, and the list
has only increased since then! Cracking a password is not something that needs
to be done by manually entering each guess, or by waiting until the time-out
period has expired to try again. Now,
hackers can try hundreds upon hundreds of passwords to an account in minutes,
all while sitting back and enjoying a nice cup of coffee.
Think about it. Just
about everyone has a list of passwords that they need to remember that is so
long, you’d need to start busting out toes just to keep track of them! Don’t
believe me? The good people over at SOPHOS
have figured out that the average person in 2014 had 19 passwords, and a third
of those people use weak ones! Clearly, password management best practices
aren’t a priority for those individuals! Even if you aren’t one of those
particular individuals, you probably have enough passwords to make you
occasionally type in the wrong one for any given site. That is just the way of
the world we live in today. It’s a
nightmare, sometimes, but it helps keep us safe and secure in our businesses
and private lives as well.
At least, that’s the idea.
There’s an old quote out there from a pretty neat book
called A Wrinkle in Time that
addresses this kind of issue, albeit indirectly: “…security is a most seductive
thing…it’s the greatest evil there is.” L’Engle’s intent with this
statement was to draw attention to the manipulative way in which some individuals
are able to use our notions of security.
I’m not talking about governments or secret societies here (although, the
Snowden interviews give credence to this idea), but rather the effect that
security can have on the behavior of individuals.
Security, Illusion, and Selective Amnesia
That’s a beautiful heading, isn’t it? Everything you would expect in a discussion
of hackers, security, and what people will do to feel safer in the digital
world. That’s really what it all boils
down to in the end, however. A simple
idea, often forgotten or simply overlooked:
Expectations.
As end users or professionals, we have certain levels of
expectation with our safety online. We
expect an antivirus program to catch everything that is thrown at our machines
(when the reality is much,
much different). We expect an HTTPS
web address to be nigh impregnable in terms of our credit card and purchase
information (despite digital data breaches being at an all-time
high). We even expect that paying for an application or program to protect
us will cover our own missteps and failures of the human factor.
We expect so much, and we hate to be told that we were
wrong, that the results failed to live up to
our expectations.
So how can we remedy this?
We update our expectations by educating ourselves on the best possible
way of navigating the treacherous fields of the World Wide Web.
Best Practices for Password Management
There is a pretty in-depth article hanging out over at Hitachi
ID Systems for password management best practices, for those of us who are
willing to slog through pages of technical and mathematical terminology. For everyone else, I’ll sum up the most
reasonable key points, and offer some insight of my own.
Password Policy Structure
One of the biggest advantages that IT professionals have
against hackers is in the creation of the Password Policy. A strong password policy is the first line of
defense against any real threat. It
ensures a user creates a strong, difficult-to-guess password,
while simultaneously preventing infiltrators from gaining access. Here are a few things to consider when
constructing your password policy:
- Balance Ease of Use with Effectiveness
  - Think about how simple the password policy will be for your end users. A difficult policy will often be either ignored or will convince users to find ways around the restrictions, effectively negating the security it provides.
- Create strong password complexity rules
  - A strong password is more than seven characters long and combines uppercase and lowercase letters, numbers, and special characters.
  - Dictionary words should be prohibited.
- Lockout Policy
  - A strong lockout policy will notify administrators of a lockout without inconveniencing the end user who is legitimately attempting to access their account.
  - Try something simple like 10 incorrect attempts in five minutes, with a lockout period of only 10 to 15 minutes. This cuts down on IT support calls and only prevents the legitimate user from accessing their account for a short period.
- Implement a strong change and reuse requirement for passwords
  - Passwords should be changed within 90 days at the absolute maximum.
  - Furthermore, previous passwords should not be allowed.
- Allow for different policies depending on user access and need
  - E.g., at least one admin account should be required to have an extremely secure password (and possibly second-factor authentication) but should be exempt from lockout.
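As an added example (not code from the original post or from any vendor it mentions), here is a small Python policy checker implementing the rules listed above: the complexity and dictionary checks, a reuse check against the user’s password history, and a sliding-window lockout of 10 failures in five minutes for 15 minutes, with a lockable flag so an admin account can be exempted. The thresholds, word list and sample passwords are constructed for illustration.

```python
import re
from collections import deque

# Constructed thresholds mirroring the policy above: 10 failed attempts
# within 5 minutes locks the account for 15 minutes.
MAX_ATTEMPTS, WINDOW_SECONDS, LOCKOUT_SECONDS = 10, 5 * 60, 15 * 60
MIN_LENGTH = 8  # "more than seven characters"
# Tiny constructed word list; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein"}


def complexity_errors(password, history=()):
    """Return the policy rules a candidate password violates (empty = OK)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"\d", password):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no special character")
    # Strip digits and symbols so "Password1!" still trips the dictionary rule.
    if re.sub(r"[^A-Za-z]", "", password).lower() in DICTIONARY:
        errors.append("dictionary word")
    # `history` is the user's previous passwords; in production compare hashes.
    if password in history:
        errors.append("previously used")
    return errors


class LockoutTracker:
    """Sliding-window lockout: failures older than WINDOW_SECONDS expire."""
    def __init__(self, lockable=True):
        self.lockable = lockable  # False for the admin who must never lock out
        self.failures = deque()
        self.locked_until = 0.0

    def record_failure(self, now):
        # `now` is the time of the failed login in seconds (e.g. time.time()).
        self.failures.append(now)
        while now - self.failures[0] > WINDOW_SECONDS:
            self.failures.popleft()
        if self.lockable and len(self.failures) >= MAX_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures.clear()

    def is_locked(self, now):
        return now < self.locked_until
```

Because failures outside the five-minute window expire, ten slow attempts spread over an hour never lock a legitimate user, while a burst of ten does.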
Encryption
Encryption is big in the digital realm. Since encryption is essentially the armored
van of the password exchange and delivery business, there are going to be
individuals who attempt to break it.
Ensuring that you have a solution that provides strong transit
encryption will serve to add yet another layer of protection for your data,
without inconveniencing users. Most
solutions do not allow you to adjust their encryption settings, so take care when
researching and implementing an authentication solution.
IT Support
Within your environment, a proper solution will help to
mitigate the impact of helpdesk calls.
However, it is a definite password management best practice to make sure
that your IT staff is equipped with the tools necessary for a quick
turnaround on things like lockouts and forgotten or lost passwords. A Self-Service
Password Reset solution could assist here, but the IT support staff must be
properly trained and outfitted to solve any outstanding issues. Though thought to be a staple of the security
game, IT support is often overwhelmed or undertrained.
Education
Another often overlooked aspect of strong password
management is the education of both staff and end users. If the expectations we discussed earlier mean
anything, it is that the human factor plays a major role in security
vulnerabilities. Proper education of all
individuals involved will provide a support system to mitigate vulnerabilities
before they have the chance to become common practice in your environment. The cost of education is something that pales
in comparison to the cost of a major data security breach and its immediate
fallout.
Single Sign-On
A strong single sign-on solution
is also a major component of password management best practices. Single Sign-On provides users an easy method
of accessing the entirety of their long list of accounts from a single, strong
and secure location. Many end users may
find a single sign-on solution easy to handle even with an overly strict
password policy because they only need to remember the one, and it removes
responsibility for remembering and updating other passwords so frequently. For strong password management, single
sign-on is not an absolute requirement, but it is highly recommended.
Stemming the Tide
It’s no easy feat to fight security vulnerabilities in the
digital age. It’s not enough to battle
the hackers and other intruders anymore, you also have to battle human
nature. Finding the perfect balance
between security and convenience is no easy task. Thankfully, there are authentication security
experts out there who are willing to help with advice and
information on password management best practices. Reaching out to an expert is nothing to be
ashamed of, and could serve to bolster your defenses in this age of Cyber
Warfare. Remember: alliances are the
surest way to victory.
Whatever you decide, always remember to keep your end users
in mind, whether they be customers, faculty and staff, or just your small
corporate office users. Without meaning
to, users can cause many new vulnerabilities to arise just because they are
attempting to make their lives a little bit easier. By providing a solution that can bring those
two opposing forces into harmony, you will strengthen your infrastructure tenfold. Remember to follow these password management best
practices, and usher in a new series of expectations for digital security.