Many companies simply turn on enterprise password management software and use the policy defaults without giving them much thought. The reality is that a poorly thought-out password policy may be hindering IT cyber security while increasing Help Desk costs, which is exactly the opposite of its intended purpose.
The three major benefits of Password Expiration are:
- If a cracker is trying to break into an account by guessing the password, a changed password discards whatever progress the attacker has made so far.
- If an account has already been breached, password expiration will help cut off the intruder's access, or at least raise suspicion that something is wrong. With a good enterprise password management tool, such as Avatier's Password Management, the real user gets notifications about needing to change their password before it expires, notifications the cracker may never see.
- Finally, if the account has been breached and the cracker changes the password, the user may notice they can no longer get into their account, which may lead to an investigation.
Those are all good and valuable benefits. However, on the other side are a few major problems:
- Many users will start using passwords like "howdy1". Then, when the expiration hits, they just change it to "howdy2". If such a password is ever cracked, the cracker will very likely be able to guess the future passwords as well.
- Other users will start writing down their passwords because they can no longer remember them.
- The shorter the password expiration period, the greater the number of Help Desk calls about forgotten passwords.
So what can be done to get the benefits of an enterprise password manager while minimizing the problems?
First, the number of different passwords in the organization needs to be considered. A company with one Windows domain is going to have fewer issues than a company with a mix of Windows, ERP, databases, Unix, mainframe, and so on. When multiple systems are in play, the first thing to do is to implement a password synchronization product, such as Password Management. Users then need to remember only one password for all the systems instead of several, which increases the likelihood of a good password being chosen and remembered.
Second, password history can be used to prevent a user from cycling through the same few passwords over and over again. Some systems can enforce this natively, but having your password synchronization software handle it ensures that all systems are in scope.
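One way to enforce the history rule above and, at the same time, catch the "howdy1" to "howdy2" pattern described earlier, as an added Python example that is not Avatier's code or any product's implementation. The history depth, the 12-character minimum length, and the idea of storing a salted hash of each password's "root" (the password with case folded and leading/trailing digits or symbols stripped) next to the hash of the password itself are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import re

HISTORY_DEPTH = 12  # entries remembered per user (assumed policy value)

def normalize(password: str) -> str:
    """Collapse the variants users cycle through (case, leading/trailing digits
    or symbols) so 'Howdy1', 'howdy2' and 'howdy!' all share the root 'howdy'."""
    root = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.casefold())
    return root or password.casefold()  # all-digit passwords keep themselves as root

def _digest(salt: bytes, text: str) -> bytes:
    """Salted, slow hash so the history store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, 100_000)

def record(history: list, password: str) -> list:
    """Append an entry (salt, hash of password, hash of its root) and return the
    history trimmed to HISTORY_DEPTH entries, newest last."""
    salt = os.urandom(16)
    entry = (salt, _digest(salt, password), _digest(salt, normalize(password)))
    return (history + [entry])[-HISTORY_DEPTH:]

def check_new_password(history: list, candidate: str):
    """Return a rejection reason, or None when the candidate is acceptable."""
    if len(candidate) < 12:  # assumed minimum length; real policy may differ
        return "too short"
    cand_root = normalize(candidate)
    for salt, pw_hash, root_hash in history:
        if hmac.compare_digest(_digest(salt, candidate), pw_hash):
            return "reused a previous password"
        if hmac.compare_digest(_digest(salt, cand_root), root_hash):
            return "only a counter or case differs from a previous password"
    return None
```

Because only salted hashes are kept, the root comparison works against the whole history, not just the password being replaced.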
The appropriate strength of the enterprise password management software policy is also critical to success. A product like Password Bouncer allows admins to use an automated password reset tool to enforce policies that prevent users from setting very simple, easily cracked passwords, while keeping the requirements simple enough that users will not have to write their passwords down to remember them.
Finally, the time frame of the password expiration needs to be considered. Obviously, an expiration period of a day or a week is going to lead to problems. At the other extreme, a policy that only enforces changes yearly is probably not strong enough. A reasonable password expiration period is anywhere from 1 to 6 months, depending on the compliance requirements and cyber security threats an organization faces. The complexity of the enterprise password management software policy also needs to be factored in: if the policy is complex, the expiration period can be longer; if the policy is very simple, the expiration period should be shorter.
Finding the right balance with corporate password management is more of an art than a science. Please feel free to view the Avatier Password Management Product Introduction video and add your thoughts in the comments below.
Learn the Top 10 Password Management Best Practices for successful implementations from industry experts. Use this guide to sidestep the challenges that typically derail enterprise password management projects.