It amazes me that, despite all the money being spent on security measures, from endpoints to data leak prevention to database security, the single largest vulnerability continues to be passwords. To be specific, 76% of all breaches over the past few years were based on weak or stolen password credentials according to one of the industry’s annual studies.
Developing a usable and secure password management system shouldn’t be difficult. I have seen countless implementations of password management solutions that achieved major success in a short time.
An organizational password management implementation involves a number of key elements consisting of a blend of technology and internal business processes, including:
- Use and misuse of multiple passwords
- Composing hard-to-guess passwords
- Changing and reusing passwords
- The art and science of keeping passwords secret
- Intruder detection and lockout
- Protecting passwords in storage (salted hashing) and in transit (encryption)
- Synchronizing passwords across systems
- User authentication for self-service capabilities
- IT support for forgotten and locked out passwords
- Automatic deprovisioning for terminations and role changes
- Single sign-on
Implementing password management best practices is not a daunting task, and I am certain almost every organization has the main concepts already defined (although possibly not matured). Nevertheless, I highly recommend you evaluate your program’s maturity against the top practices defined below to ensure you improve security and lower operational costs.
Enforce Strong Passwords
The simple solution to this simple problem is to prevent your users from choosing simple, easy-to-guess passwords. Controls around password strength have been around for a long time, and most software and operating systems (if configured correctly) provide a way to reject weak passwords. Unfortunately, legacy systems in many organizations cannot enforce stringent rules natively, so password management software has been created to enforce the policy at the moment a password is set and then synchronize the result across systems. Note that composition rules alone are not enough: "P@ssw0rd1" satisfies most of them, so the check should also reject passwords built on dictionary words and on lists of previously breached passwords.
Eliminate Multiple Passwords
The problem with passwords in a large enterprise is that people generally require so many different accounts and corresponding passwords to access the expansive list of both cloud and on-premises systems and applications that sometimes it feels impossible to remember them all. And just about the time you feel you have them all memorized, they need to be changed. So what is the natural reaction of someone who needs to efficiently accomplish all their tasks across a number of different systems? They start to develop a host of insecure behaviors around password management.
These behaviors creep into the work environment because workers want to avoid downtime and the hassles that go along with it. The solution to the entire password management problem incorporates three critical components: an easy self-service password reset capability to ensure people can reset their own passwords, a synchronization solution that changes passwords across all of a user’s systems, and a single sign-on solution to limit the number of passwords required.
Investigate and Embrace Single Sign-On
I like to think of SSO as a form of password management because it reduces the number of times someone needs to use a password, which is a good thing. After logging in with a core directory username and password, a person using SSO in the enterprise is trusted to access a variety of other applications because they have already been authenticated. The concept is that SSO uses one successful authentication to an authoritative source to pass that user into other applications without a second authentication; the receiving application verifies an assertion issued by the identity provider rather than asking for a password of its own.
The beauty of an enterprise-class SSO solution is that you can combine it with password management and identity management capabilities to create a unified security approach for authentications across critical applications. The password management solution should be able to sync passwords to the cloud apps transparently, thus improving security. Your identity management solution could automatically provision and deprovision access to SSO apps, which also improves security. Finally, having visibility to SSO application usage provides a great way to monitor license usage and costs.
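The handoff described above, reduced to its essentials as an added example (this is not code from the original post or from any vendor's product): the identity provider authenticates the user once against the core directory, then mints a short-lived, audience-bound, signed assertion for each application, and the application accepts that assertion in place of a password. The token format, the directory contents, and the shared HMAC key are constructed for illustration; a real deployment uses SAML or OpenID Connect, and the identity provider signs with an asymmetric key so that applications can verify assertions without being able to mint them.

```python
"""Minimal SSO handoff: one directory login, one signed assertion per app.

Added illustration, not the post's own code. Token format, key and directory
entries are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-demo-key"  # assumption: HMAC key shared with apps out of band

# Constructed directory entry: username -> PBKDF2 digest of the password.
_SALT = b"demo-salt"
DIRECTORY = {
    "nelsonc": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000),
}


def authenticate(username, password):
    """The single authoritative login against the core directory."""
    stored = DIRECTORY.get(username)
    if stored is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, digest)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(txt):
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))


def issue_assertion(username, audience, now=None, ttl=300):
    """IdP side: after one successful login, sign claims bound to one app
    and valid for a few minutes."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), "sha256").digest())
    return f"{body}.{sig}"


def verify_assertion(token, audience, now=None):
    """Application side: trust the IdP's word instead of prompting for a
    password. Returns the claims, or None when signature, audience or
    validity window fails."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_KEY, body.encode(), "sha256").digest())
    if not hmac.compare_digest(sig, expected):  # forged or tampered token
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience:  # assertion replayed at a different app
        return None
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):  # stale
        return None
    return claims


def sso_login(username, password, apps, now=None):
    """One password entry at the directory, then one assertion per app.
    Returns {} when the single authentication fails."""
    if not authenticate(username, password):
        return {}
    return {app: issue_assertion(username, app, now) for app in apps}


if __name__ == "__main__":
    tokens = sso_login("nelsonc", "correct horse battery", ["salesforce", "office365"])
    for app, token in tokens.items():
        print(app, verify_assertion(token, app))
    # The Salesforce assertion is rejected if presented to Office 365.
    print(verify_assertion(tokens["salesforce"], "office365"))
```

The three checks in verify_assertion are the ones that matter in any SSO protocol: the signature proves the identity provider issued the assertion, the audience prevents an assertion captured at one application from being replayed at another, and the expiry bounds how long a stolen assertion is useful.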
Use a One-to-Many Password Policy
There is no reason to have numerous password policies across your system environment. Identify the strength, expiration, and aging requirements of your organization and implement that same policy on all of your systems. This does not take a massive amount of effort, and it ultimately improves security while reducing support hassles. If your users know that they ALWAYS need to choose a password that has at least one uppercase character, one lowercase character, and a number; that they cannot reuse that password for five password changes; and that they need to change the password every 60 days on every system within the company, they will not need to remember so many different password types or go through the hassle of being rejected when entering a weak password on a strong-policy system. Treat the specific values in that sentence as illustrations from 2014: NIST SP 800-63B, published in 2017, no longer recommends mandatory periodic expiration or composition rules, favoring longer passwords screened against lists of known-compromised passwords, so set your single policy to current guidance rather than copying these numbers.
Once again, software can help. A solid password management solution can unify your password policies by ensuring users select a password with all of the strength requirements across a variety of system policies. While your Active Directory Domain may require three of four character types (upper, lower, numeric, special character), your SAP system may only be set to take upper, lower, and numeric values. In my experience it is best to identify a single institutional password policy and implement that same policy across all of your systems while using a password management tool to help block easily-guessable passwords regardless of the strength requirement.
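An added example (not the post's own code, and not any product's implementation) of what the two sections above describe: deriving one institutional policy from several per-system policies by taking the strictest value on every dimension, then checking a candidate password against that policy, a blocklist of easily-guessable words, and the user's password history. The policy fields, the Active Directory and SAP values, the blocklist, and the salt are constructed for illustration; in the SAP case the example follows the reading that the target rejects special characters outright, which is why a 4-of-4 class requirement combined with such a target is reported as an unsatisfiable conflict.

```python
"""Unify several systems' password policies and validate candidates.

Added illustration, not the post's own code. Policy values, blocklist and
salt are constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One system's password rules. Field names are this example's own."""
    name: str
    min_length: int
    classes_required: int        # of upper / lower / digit / special
    allows_special: bool = True  # legacy targets may reject punctuation
    history: int = 1             # previous passwords that may not be reused
    max_age_days: int = 90


def unify(policies):
    """Strictest value on every dimension, so one synchronized password is
    accepted everywhere. Raises if the inputs cannot all be satisfied."""
    unified = Policy(
        name="institutional",
        min_length=max(p.min_length for p in policies),
        classes_required=max(p.classes_required for p in policies),
        allows_special=all(p.allows_special for p in policies),
        history=max(p.history for p in policies),
        max_age_days=min(p.max_age_days for p in policies),
    )
    if unified.classes_required == 4 and not unified.allows_special:
        raise ValueError("policies conflict: 4 classes required but a target rejects specials")
    return unified


CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed sample blocklist; a real deployment uses a breached-password corpus.
BLOCKLIST = {"password", "welcome", "letmein", "qwerty", "summer"}
LEET = str.maketrans("@$!013", "asiole")  # common substitutions to undo


def history_hash(password, salt):
    """Salted PBKDF2 digest kept for reuse checks (never the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check(candidate, policy, salt=b"", previous=()):
    """Return the list of violations; an empty list means accept.
    `previous` holds history_hash() values, oldest first."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    present = [n for n, rx in CLASS_PATTERNS.items() if rx.search(candidate)]
    if len(present) < policy.classes_required:
        problems.append(f"has {len(present)} of {policy.classes_required} required classes")
    if "special" in present and not policy.allows_special:
        problems.append("contains a character some target system rejects")
    # Undo leetspeak and drop non-letters so "P@ssw0rd1" still hits "password".
    stem = re.sub(r"[^a-z]", "", candidate.lower().translate(LEET))
    if any(word in stem for word in BLOCKLIST):
        problems.append("based on a blocklisted word")
    if history_hash(candidate, salt) in list(previous)[-policy.history:]:
        problems.append(f"reused within the last {policy.history} passwords")
    return problems


if __name__ == "__main__":
    ad = Policy("Active Directory", min_length=8, classes_required=3, history=5, max_age_days=60)
    sap = Policy("SAP", min_length=8, classes_required=2, allows_special=False)
    unified = unify([ad, sap])
    print(unified)
    salt = b"per-user-salt"
    old = [history_hash("Winter2013a", salt)]
    for pw in ["P@ssw0rd1", "Winter2013a", "Tr0ub4dorHorse", "Kq9vLm2pTx7"]:
        print(pw, check(pw, unified, salt, old) or "OK")
```

Running it shows the point of the section: "P@ssw0rd1" passes Active Directory's three-of-four rule yet is rejected twice, once because SAP would refuse the "@" and once because, with the substitutions undone, it is just "password". Expiry (max_age_days) is carried in the policy but not checked here, since that is a property of the account rather than of the candidate string.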
Sync All Passwords
Password synchronization can solve many issues around password management, so I am amazed when organizations choose a password management solution that only changes the core Active Directory or LDAP password without syncing to all the other systems used on a regular basis. Syncing passwords ensures users only need to remember one core password when logging into corporate systems, and this ultimately helps prevent the problem of workers writing down their passwords. It also helps solve the password expiration problem, since passwords will all be changed at the same time. The trade-off is that one password now unlocks every synchronized system, so a single phished or reused credential gives an attacker the same reach; pair synchronization with multi-factor authentication on the core directory login and with the strength checks described above.
The latest solutions can map usernames across systems and still sync passwords successfully. For instance, my AD account may be NELSONC, but my AIX Unix account is CICCHITTON. The password management solution keeps track of those mappings and automatically knows to change my password for both AD\NELSONC and AIX\CICCHITTON. Synchronization can now also work with cloud-based applications such as Salesforce.com, Google, or Office365, so security is strengthened by regularly changing passwords on cloud-based applications that in the past were typically left unchanged or had longer expiration windows.
Self-Evident Benefits of Self Service
The volume of service desk calls relating to password issues is massive, and service desks obviously have better things to do than handle these types of calls. The return on investment (ROI) of self-service password management solutions is lightning fast and easy to calculate. If you know the cost per-ticket of a password call, simply multiply that by the number of calls and the percentage that would be automated via self-service (such as 90%).
$10 per ticket × 10,000 tickets × 90% self-service = $90,000 saved through self-service
If you steer your end users to handle their own password issues, you will have a clear justification to purchase a solution, and the ROI typically occurs within six months. Add more systems to the solution, and your ROI can occur even sooner. Just as important is the fact that your security will improve and you will start changing the culture of your organization to be more focused on self-service. This will allow new self-service capabilities to be rolled out with less effort.
Stronger passwords and password policies aren’t the entire solution to access management. In fact, they are only the beginning. I would highly recommend an annual risk assessment for your entire security solution. You might be surprised at how many elements are up to par, and relieved to know that you have remediated those that weren’t.
© 2014 Nelson Cicchitto
Improving Password Security Shouldn’t Be Rocket Science was originally posted in Policy Spotlight, an EDUCAUSE Review Online Blog.