Password Management 101

Password Management 101

You’ve just realized that your password management needs tightening. Maybe you’ve experienced the pain and embarrassment of a cybersecurity incident. Alternatively, you might have hired a security engineer who points out weaknesses in your system. Before you start designing improvements, it’s helpful to refresh the fundamentals. Use our password management 101 to make sure you’re building a comprehensive strategy.

What Is the Goal of Password Management?

Before we discuss technical matters, let’s take the 30,000-foot view to review the goal of password management. It’s a way to protect your organization, reduce risk, and enhance your brand. Effective password management is a critical component of a fully developed IT security program. If you want your password management plan to succeed, you should also consider the employee experience. Specifically, look for ways to make password management easy for employees to implement and follow.

Three Key Terms in Password Management

Identity and Access Management (IAM): IAM is the overarching term that covers your company’s approach to identifying and authenticating users. For instance, an IAM system can distinguish between an executive’s system access (e.g., grant access to all files across the company) vs. an individual contributor’s access (e.g., limited to a department). A fully implemented IAM is supported by software tools such as IT security chatbots so that your help desk can focus on other tasks.

Tip: IAM requires ongoing monitoring and management support to be successful. Without this continuing support and investment, new security exposures will go undetected.

Multi-Factor Authentication (MFA): Also known as two-factor authentication, MFA is a process to improve security. Rather than relying exclusively upon a password, MFA adds one more authentication step. Many companies use text messaging in their MFA program. In this approach, a user enters login information on a PC and then receives a unique code via text message and must enter that code to access systems. This process makes hacking much more difficult.

Resource: Don’t have internal support to implement MFA? Use these five steps to solve that problem: Build Your Business Case for Multi-Factor Authentication in 5 Steps.

Password Policy (also known as Password Rules or Requirements): When you set a high bar for passwords at your organization, you make it more difficult for attackers to break in. For example, some companies require employees to create a new password every 90 days to protect their most sensitive systems. For added protection, you can prohibit the worst types of passwords: password, 12345678, qwerty, etc. Such passwords are easy to remember but even easier to hack.

Your password policy should also consider the employee experience. Overly complicated passwords are difficult to remember, and your staff may resort to high-risk behaviors to remember them. For example, your staff may reuse personal passwords at work (i.e., password reuse disease). That behavior is a problem because your organization may be threatened if another company’s passwords are compromised in a data breach.

Tip: You need to offer password management training to employees in some form so that they can understand how to improve. Read our short guide for details on how to deliver this support: How to Deliver Password Management Training to Your Employees This Week.

How Do You Know Your Password Management Is Effective?

Now that we understand some of the fundamental concepts of password management, let’s turn to the measurement. In business, you must measure your systems and processes. Otherwise, how will you know whether they’re working and contributing to your goals? In measuring passwords in the context of IAM, look at using some particular metrics.

  • The number of password resets: When evaluated as a trend, this KPI may indicate that your password requirements are too tricky or employees are struggling to remember their passwords.
  • Multi-Factor Authentication (MFA) adoption rate: If you have MFA in place, you’ll want to track its usage. Persistent low MFA usage rates suggest increased security risk.
  • Inactive user account tracking: When employees leave the company or change roles, they may leave inactive user accounts behind. Track the number of such accounts that have had no activity for 30 or 60 days. With this data in mind, you can reach out to people managers to ask them to verify whether the account is still necessary.
  • Conduct annual IT security tests: Some organizations offer password and IT security training only once, when an employee is hired. In today’s rapidly changing world, that approach isn’t good enough. Therefore, you may want to set a goal for all employees to complete an IT security course. This can be delivered via e-learning to maximize schedule flexibility for your staff. Specifically, track how many employees passed the annual IT security test. If many people fail, that’s an indicator you need to take additional steps to improve security.
  • Conduct physical security checks: Some companies regularly review offices and cubicles after years to determine if sensitive information – such as corporate passwords – is left out in the open. This type of review can help you detect and reduce security vulnerabilities in your organization.

The Missing Piece in Password Management

In 2019, cybersecurity breaches have become more common and more expensive. In 2018, cyber incidents caused an estimated $45 billion in losses for organizations around the world. Further, the total number of cyberattacks continues to grow. Add up these threats, and you might worry about maintaining robust password management. There’s a way to avoid that fate: use software tools to take some of the load.
Rather than setting up user access for each individual, use Group Requester. By automating administrative security tasks, you’ll have more time to train staff, proactively review threats, and stay ahead of attackers.

Written by Nelson Cicchitto