Better Password Management
Scott Cochran MBA CEH CSIM
Learning Technology developer and strategy officer. Certified Security Professional, Ethical Hacker, InfoSec Manager. Experienced software developer, helicopter pilot, airplane CFI. Let's start a conversation!
By now you are probably familiar with one of the greatest risk areas in Information Security. It's Password Management, the policies and processes by which user passwords are created, changed, managed, and eventually disabled.
It's well known that easy-to-guess passwords like "123456" or "Password" are insecure and downright dangerous. There are standard recommendations that, if followed, will definitely make a given user's password hard to guess. But how far will you go to make the user passwords on your company network more secure; that is, harder to guess or steal? Is there a limit?
Does additional security have to be balanced with practical considerations? "No way", I can hear you saying. But let's consider the question a little more closely.
Do you perform every procedure in the way that is most secure, or do you also weigh effort, cost and practicality? Really?
Do you have Red and Blue teams carrying out simulated cyber attacks and testing defenses on your network on a regular basis? That's a great way to find vulnerabilities and test your readiness to protect your data. Some companies do this, but it's costly.
Do you take a full backup of all data on all your servers every day? That's the best way to make sure it's all available after an incident. Or do you save time, storage, and cost by using differential or incremental backups, even though that increases the odds that you might have trouble restoring everything?
We could go on, citing the ways in which we regularly balance cost and effort against the most secure possible procedures. But what about Password Management? Which of the common rules and guidelines make sense?
Let's first consider the cost of a network user not being able to recall her password. First, she has to stop whatever she is doing, and productivity drops to zero, at least while the guessing and frustration continue. Second, security drops as the password might soon be scribbled on a sticky note and posted on the desk or wall for the world to see. Third, the person (in IT Support?) who is contacted to help this user has to invest their time, which is not without cost. And there are other costs to being frustrated and unproductive.
So yes, a company may seek a balance between the most extreme password management policies and the ease of remembering the password. Here are my thoughts on specific policies, which are commonly enforced in Windows itself, so they are easy to implement.
- Password Length: 14 characters. I have no beef with that.
- Password Complexity: Requires 3 of the 4 character types (lower, upper, numeric, special characters). OK, no problem.
- Must change password every XX days. Don't like it. Leads to forgotten passwords.
- Can't re-use prior passwords. Don't like it, for the same reason.
- Minimum password age before changing: Again, don't like it.
I am a fan of using complete words in your passwords. Which one is easier to remember, "OperationElbow42" or "v2wAq#^9u0Hh1r"? Now imagine having to change these every month without being allowed to re-use an old password. You can see how passwords get written on sticky notes. If your users are outside customers rather than employees, can your relationship survive their annoyance?
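To make the length, complexity, weak-password and re-use rules from the list above concrete, here is a small policy checker. It is an added example written for this article, not code from the author or from Windows; the weak-password list and the password-history mechanism are constructed for illustration (a real directory service stores its history as salted or system-specific hashes, not plain SHA-256). It evaluates the two passwords compared in the paragraph above, plus the weak examples from earlier in the post.

```python
import hashlib
import re

# Policy values taken from the post: 14 characters, 3 of the 4 character types.
MIN_LENGTH = 14
MIN_CLASSES = 3

# Constructed list of known-weak passwords (the post's own examples plus a few
# common ones); a real deployment would use a breached-password feed instead.
WEAK_LIST = {"123456", "password", "qwerty", "letmein"}


def character_classes(password: str) -> set:
    """Return which of the four character types the password contains."""
    classes = set()
    if re.search(r"[a-z]", password):
        classes.add("lower")
    if re.search(r"[A-Z]", password):
        classes.add("upper")
    if re.search(r"[0-9]", password):
        classes.add("numeric")
    if re.search(r"[^A-Za-z0-9]", password):
        classes.add("special")
    return classes


def history_hash(password: str) -> str:
    """Hash used only for the illustrative re-use check (unsalted SHA-256, NOT
    how a production system should store password history)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, history_hashes=()) -> list:
    """Return the list of policy rules the candidate password violates.
    An empty list means the password satisfies every rule checked here."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} of 4 character types")
    if password.lower() in WEAK_LIST:
        problems.append("on the weak-password list")
    if history_hash(password) in history_hashes:
        problems.append("re-uses a prior password")
    return problems


if __name__ == "__main__":
    # Constructed history: pretend the user already used OperationElbow42 once.
    prior = {history_hash("OperationElbow42")}
    for candidate in ["123456", "Password", "OperationElbow42", "v2wAq#^9u0Hh1r"]:
        print(f"{candidate!r}: {check_password(candidate, prior) or 'OK'}")
```

Note that both of the post's example passwords pass the length and complexity rules; only the re-use rule separates them when one of them is already in the history, which is exactly the rule the author argues pushes people toward sticky notes.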
How about two-factor authentication? I'm OK with obscure questions and answers, but be careful with the tactic of sending an SMS message to a mobile phone. If you travel and use different mobile phones in different countries, or if you ever change cell phones, the code-by-text technique is a nightmare.
Finally, I know there are password management systems that will remember your passwords for you. But are they without effort and cost, and are they 100% reliable? And would you need to have the entire organization utilize one to handle the most extreme password rules?
Remember, these are my views, and you don't need to call me if your password gets stolen some day. But someone has to say it: Consider your users before you automatically jump on to the most severe restrictions or methods.
For more information on cyber risk management in general, including matching risks and defensive measures, see www.flex-protection.com/ra.mp4.
The author is a Chief Strategist at www.flex-protection.com, where there are many security tools and surveys available for free download.