Last month, I hosted a webinar, 'Password Management for Medium to Large Organizations: Guidance for IT Security Policy and Network Infrastructure Design Decisions'. This post is an overview of that webinar.
Enterprise Password Management for Medium to Large Organizations
Today’s business environments are dynamic and constantly evolving. Because of this change, it’s critical for organizations of all sizes to keep their data secure with an effective password management system and supporting processes. Passwords, after all, are your last line of defense against determined intruders.
When it comes to passwords, I often wonder why we still use them at all. There are so many alternatives to choose from, like smart cards, biometrics and tokens. However, because passwords are inexpensive to use, and because the alternatives cost more and bring compatibility issues, passwords are unlikely to be replaced anytime soon. So if we have to keep using passwords anyway, we should use them in the safest way possible, and I want to provide you with some methods for doing so.
User Authentication and Passwords
There are essentially three types of credentials a user can present: something they know, such as a secret password; something they have, like a physical device or a “smart card”; or something they are, such as a fingerprint or retina scan. It is generally more secure to combine these elements into a multi-factor solution, such as requiring both a password and a fingerprint.
Password Security Threats
Passwords are simply secret words or phrases that employees know, and they can be compromised in a number of ways, such as:
- Employees writing them down and losing them
- Attackers guessing employees’ passwords, and
- Attackers stealing employees’ passwords
The biggest problem with passwords is that they can be broken fairly easily through brute-force and dictionary attacks. Programs like John the Ripper and L0phtCrack are used to crack even the most complex passwords. Once an attacker obtains an employee’s password, by whatever means, they have an opportunity to impersonate that employee to gain entry into company networks and resources, and consequently company secrets.
The Human Element
Unfortunately, employees often have many passwords to remember, each protecting an account on a different system or application, and human nature works against password security. When employees have trouble remembering passwords, they often resort to:
- Writing down their passwords
- Forgetting their passwords
- Choosing very simple, easily compromised passwords or reusing old passwords
Therefore, any enterprise password management practices a firm adopts must take human limitations into consideration.
One of the weaknesses I mentioned above is that passwords can be guessed rather easily, especially if an attacker is using password-cracking software that is freely available for download from the internet. To combat a password-guessing attack, employees should construct hard-to-guess passwords. Some industry best practices for choosing hard-to-guess passwords include:
- Use passwords that are at least seven characters long
- Passwords must contain at least one lowercase letter, at least one uppercase letter and at least one digit, and, if possible, at least one punctuation mark, provided the system offers many (10 or more) punctuation marks
To eliminate easy to guess passwords, passwords should not:
- Contain the employee’s name or login ID
- Contain a dictionary word, in any language that employees can reasonably be expected to know
Should an employee’s passwords be compromised, the usefulness of those compromised passwords should be limited! This can be done by such practices as:
- Forcing employees to change them regularly (every 30, 60, or 90 days)
- Having passwords expire at a set interval, such as every 60 days
- Preventing employees from reusing old passwords
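The composition rules and the expiry and reuse limits above, as an added example that is not part of the original post: a policy checker that reports every violation for a candidate password, refuses a password already in the user's history (comparing salted PBKDF2 digests rather than stored passwords), and flags an expired password. The word list, the per-user salt, the 60-day interval and the PBKDF2 parameters are constructed assumptions, not values from the post or any product.

```python
import re
import hashlib
from datetime import date, timedelta

# Constructed word list standing in for the dictionaries an organization would load;
# a real list should also skip very short words so the substring check stays useful.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}
PUNCTUATION = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
MIN_LENGTH = 7            # at least seven characters
MIN_PUNCT_AVAILABLE = 10  # punctuation required only when 10+ marks can be typed
EXPIRY_DAYS = 60          # the post's example expiry interval


def check_composition(password, login_id, full_name, punct_available=len(PUNCTUATION)):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if punct_available >= MIN_PUNCT_AVAILABLE and not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation mark")
    lowered = password.lower()
    # The login ID and each part of the name are rejected as substrings, case-insensitively.
    for part in [login_id] + full_name.split():
        if part and part.lower() in lowered:
            problems.append("contains name or login ID %r" % part)
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append("contains dictionary word %r" % word)
    return problems


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest; only digests go into the history, never passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def is_reused(password, history, salt):
    """True if the candidate matches any stored digest (one salt per user, a simplification)."""
    return hash_password(password, salt) in history


def password_expired(last_changed, today):
    """True once the current password is EXPIRY_DAYS old or older (ISO date strings)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age >= timedelta(days=EXPIRY_DAYS)
```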
The Bottom Line
Passwords are intended to reliably differentiate the authorized employee from imposters, and therefore must be kept secret. An organization’s password policy should forbid behaviors such as choosing easily guessed passwords, sharing passwords, or writing passwords down, and there must be consequences for doing so. But to best help employees comply with good password behavior, firms should, besides an effective password policy, consider user-friendly password management tools and processes. Password managers store employees’ login information for all the resources they use and help them log in automatically. They encrypt the company’s password database with a master password, so that master password is the only one an employee has to remember. This allows many log-ins to be managed while keeping them as secure as possible.
By using an enterprise password manager, like PowerBroker Password Safe, organizations will be better equipped to prevent a hacker from misusing employee passwords to obtain private information. Solid, secure password management is not only important to the enterprise; it is also respectful of employees, ensuring that their identities cannot be used in a malicious manner and that company secrets remain secret.
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.