Tuesday, September 22, 2015

Password Management Best Practices: Stemming the Tide

This one is geared to all you IT professionals out there who are looking to create a strong, effective, and simple to manage password policy.  We’ve talked before about password best practices, and what not to do.  If you want some more information on that particular subject, check out some of the information provided by the security experts over at PortalGuard.  Today, however, we’re going to look at the password policy in some more detail to figure out what password management best practices are the most effective in actual use. 


Why Password Management Best Practices Need to Be Considered

Hackers today are extremely creative.  In the same way that we use our smartphones and various programs to streamline our work, there is a whole host of programs and applications that make a hacker's job easier. That article is from over a year ago, and the list has only grown since then! Cracking a password no longer requires manually entering each guess, or waiting until the time-out period has expired to try again.  Now, hackers can try hundreds upon hundreds of passwords against an account in minutes, all while sitting back and enjoying a nice cup of coffee. 

Think about it.  Just about everyone has a list of passwords that they need to remember that is so long, you’d need to start busting out toes just to keep track of them! Don’t believe me? The good people over at SOPHOS have figured out that the average person in 2014 had 19 passwords, and a third of those people use weak ones! Clearly, password management best practices aren’t a priority for those individuals! Even if you aren’t one of those particular individuals, you probably have enough passwords to make you occasionally type in the wrong one for any given site. That is just the way of the world we live in today.  It’s a nightmare, sometimes, but it helps keep us safe and secure in our businesses and private lives as well.

At least, that’s the idea.

There’s an old quote out there from a pretty neat book called A Wrinkle in Time that addresses this kind of issue, albeit indirectly: “…security is a most seductive thing…it’s the greatest evil there is.” L’Engle’s intent with this statement was to draw attention to the manipulative way some individuals are able to use our notions of security.  I’m not talking about governments or secret societies here (although the Snowden interviews give credence to this idea), but rather the effect that security can have on the behavior of individuals. 

Security, Illusion, and Selective Amnesia

That’s a beautiful heading, isn’t it?  Everything you would expect in a discussion of hackers, security, and what people will do to feel safer in the digital world.  That’s really what it all boils down to in the end, however.  A simple idea, often forgotten or simply overlooked:

Expectations.

As end users or professionals, we have certain levels of expectation with our safety online.  We expect an antivirus program to catch everything that is thrown at our machines (when the reality is much, much different).  We expect an HTTPS web address to be nigh impregnable in terms of our credit card and purchase information (despite digital data breaches being at an all-time high). We even expect that paying for an application or program to protect us will cover our own missteps and failures of the human factor. 

We expect so much, and we hate to be told that we were wrong, or that the results failed to live up to our expectations. 

So how can we remedy this?  We update our expectations by educating ourselves on the best possible way of navigating the treacherous fields of the World Wide Web.

Best Practices for Password Management

There is a pretty in-depth article hanging out over at Hitachi ID Systems for password management best practices, for those of us who are willing to slog through pages of technical and mathematical terminology.  For everyone else, I’ll sum up the most reasonable key points, and offer some insight of my own.

     Password Policy Structure

One of the biggest advantages that IT professionals have against hackers is in the creation of the Password Policy.  A strong password policy is the first line of defense against any real threat.  It ensures a user is creating a strong, difficult-to-guess password, while simultaneously thwarting infiltrators from gaining access.  Here are a few things to consider when constructing your password policy:

  • Balance Ease of Use with Effectiveness
    • Think about how burdensome the password policy will be on your end users.  A difficult policy will often be either ignored, or will convince users to find ways around restrictions, effectively negating the security it provides.

  • Create strong password complexity rules
    • A strong password will be more than seven characters long and combine uppercase and lowercase letters, numbers, and special characters.
    • Dictionary words should be prohibited.

  • Lockout Policy
    • A strong lockout policy will help notify administrators of lockout, without inconveniencing the end user who is legitimately attempting to access their account.
    • Try something simple, like 10 incorrect attempts in five minutes triggering a lockout of only 10 to 15 minutes. This cuts down on IT support calls, and only prevents the legitimate user from accessing their account for a short period.

  • Implement a strong change and reuse requirement for passwords
    • Passwords should be changed within 90 days at the absolute maximum.
    • Furthermore, previous passwords should not be allowed.

  • Allow for different policies depending on user access and need
    • For example, at least one admin should be required to have an extremely secure password (and possibly second-factor authentication) but be unable to be locked out.
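The rules in the list above, worked through in code. This is an added example, not code from the original post or from any vendor it mentions; the dictionary word list, the per-role settings, the user names and the thresholds (eight characters, 10 failures in 300 seconds, a 600-second lockout, 90 days) are constructed for illustration from the post's own numbers, and the injected clock exists only so the time-based behaviour can be exercised without waiting.

```python
"""Password policy checks: complexity, sliding-window lockout, and history/reuse.
Added example; word list, role settings and thresholds are constructed."""
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict, deque

# Constructed stand-in for a real dictionary / banned-word list.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty"}

# Assumed per-role settings: admins get a longer minimum and no lockout.
ROLE_POLICY = {
    "user":  {"min_length": 8,  "lockout": True},
    "admin": {"min_length": 16, "lockout": False},
}


def check_complexity(password: str, min_length: int = 8) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Catch a dictionary word dressed up with case and leading/trailing digits
    # or symbols ("Password1!"), not only an exact match.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


class LockoutPolicy:
    """max_attempts failures within window seconds lock the account for lockout
    seconds; users in `exempt` (e.g. the break-glass admin) are never locked."""

    def __init__(self, max_attempts=10, window=300, lockout=600,
                 exempt=(), clock=time.monotonic):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.exempt, self.clock = set(exempt), clock
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def is_locked(self, user) -> bool:
        return self.locked_until.get(user, 0) > self.clock()

    def record_failure(self, user) -> bool:
        """Record a failed attempt; return True if this attempt caused a lockout."""
        now = self.clock()
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if user not in self.exempt and len(q) >= self.max_attempts:
            self.locked_until[user] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)


class PasswordHistory:
    """Keeps salted PBKDF2 digests of previous passwords so reuse can be refused
    without storing plaintext, and tracks the age of the current password."""

    def __init__(self, max_age_days=90, clock=time.time):
        self.max_age_days, self.clock = max_age_days, clock
        self.entries = defaultdict(list)  # user -> [(salt, digest, set_time)]

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def was_used(self, user, password) -> bool:
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest, _ in self.entries[user])

    def set_password(self, user, password) -> bool:
        """Store a new password; refuse (return False) if it was used before."""
        if self.was_used(user, password):
            return False
        salt = os.urandom(16)
        self.entries[user].append((salt, self._digest(password, salt), self.clock()))
        return True

    def is_expired(self, user) -> bool:
        if not self.entries[user]:
            return True
        return self.clock() - self.entries[user][-1][2] > self.max_age_days * 86400


def validate_change(user, role, password, history) -> list:
    """Full check for a password change: role-specific complexity, then reuse."""
    problems = check_complexity(password, ROLE_POLICY[role]["min_length"])
    if history.was_used(user, password):
        problems.append("previously used")
    return problems
```

The lockout tracker returns whether an attempt tripped the lock so the caller can raise the administrator notification the post asks for, and the history class stores only salted digests, so refusing reuse never requires keeping old passwords in the clear.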

     Encryption

Encryption is big in the digital realm.  Since encryption is essentially the armored van of the password exchange and delivery business, there are going to be individuals who attempt to break it.  Ensuring that you have a solution that provides strong transit encryption will add yet another layer of protection for your data, without inconveniencing users.  Most solutions do not allow the encryption they use to be adjusted, so take care when researching and implementing an authentication solution.

     IT Support

Within your environment, a proper solution will help to mitigate the impact of helpdesk calls.  However, it is a definite password management best practice to make sure that your IT staff is equipped with the tools necessary to turn around things like lockouts and forgotten or lost passwords quickly.  A Self-Service Password Reset solution could assist here, but the IT support staff must be properly trained and outfitted to solve any outstanding issues.  Though thought to be a staple of the security game, IT support is often overwhelmed or undertrained. 

     Education

Another often overlooked aspect of strong password management is the education of both staff and end users.  If the expectations we discussed earlier mean anything, it is that the human factor plays a major role in security vulnerabilities.  Proper education of all individuals involved will provide a support system to mitigate vulnerabilities before they have the chance to become common practice in your environment.  The cost of education is something that pales in comparison to the cost of a major data security breach and its immediate fallout. 

     Single Sign-On

A strong single sign-on solution is also a major component of password management best practices.  Single Sign-On provides users an easy method of accessing the entirety of their long list of accounts from a single, strong and secure location.  Many end users may find a single sign-on solution easy to handle even with an overly strict password policy because they only need to remember the one, and it removes responsibility for remembering and updating other passwords so frequently.  For strong password management, single sign-on is not an absolute requirement, but it is highly recommended. 

Stemming the Tide

It’s no easy feat to fight security vulnerabilities in the digital age.  It’s not enough to battle the hackers and other intruders anymore, you also have to battle human nature.  Finding the perfect balance between security and convenience is no easy task.  Thankfully, there are authentication security experts out there who are willing to help with advice and information on password management best practices.  Reaching out to an expert is nothing to be ashamed of, and could serve to bolster your defenses in this age of Cyber Warfare.  Remember: alliances are the surest way to victory. 

Whatever you decide, always remember to keep your end users in mind, whether they be customers, faculty and staff, or just your small corporate office users.  Without meaning to, users can cause many new vulnerabilities to arise just because they are attempting to make their lives a little bit easier.  By providing a solution that reconciles those two opposing needs, you will strengthen your infrastructure tenfold.  Remember to follow these password management best practices, and usher in a new series of expectations for digital security. 
