The White House Wants To Pass On Passwords. Can we?

It is very positive news that the government is focused on improving authentication and identity management beyond the old-school use of passwords, a huge security flaw in any enterprise system. After all, a typical eight-character password has 6.1 quadrillion possible combinations. So we can feel pretty safe, right? Wrong. Just three years ago, it could have taken a year for a fast desktop computer to crack an eight-character password. For organized crime groups with access to pooled computing resources, and even unorganized crime for that matter, the same task now takes an average of 5 and a half hours. The White House initiative called the National Strategy for Trusted Identities in Cyberspace (NSTIC) is working hard to move all public-sector sites away from usernames and passwords and toward stronger identity management. I certainly applaud this effort and hope that someday authentication will evolve beyond the simple username/password combination that is prevalent today. But for now, most of us still need to find ways to improve organizational security knowing that passwords remain the primary authentication mechanism. The best way to address the password challenge today is to implement a password management solution. Such an implementation involves a number of key elements, a blend of technology and internal business process improvements. Here are 6 tips to consider:

Tip No. 1: Multiple Passwords Can Be Inhumane

The problem with passwords in a large enterprise is that people need so many different accounts, and corresponding passwords, to access the expansive list of cloud and on-premise systems and applications that it sometimes feels humanly impossible to remember them all. And just about the time you feel you have them all memorized, they need to be changed. So what is the natural reaction of a worker who needs to efficiently accomplish all their tasks across a number of different systems? They develop a host of insecure behaviors around password management, including writing passwords down, choosing passwords that are simple and easily compromised, constantly contacting the help desk when they forget a password (password problems contribute 30 percent of all help desk calls), and reusing old passwords as often as possible. These behaviors creep into the workplace because workers want to avoid downtime and the hassles that go along with it. The solution to the entire password management problem incorporates three critical components: an easy self-service password reset capability so that people can reset their own passwords, a synchronization solution that changes passwords across all of a user's systems, and a single sign-on solution to limit the number of sign-ons required.

Tip No. 2: One-to-many Corporate Password Policy

There is no reason to have numerous password policies across your system environment. Identify the strength, expiration and aging requirements of your organization, and implement that same policy on all of your systems. This does not take a massive amount of effort to accomplish, and it ultimately improves security while reducing support hassles. A solid password management solution can unify your password policies by ensuring that any password a user selects satisfies the strength requirements of every system it will be synchronized to. Identify a single corporate password policy, implement it across all of your systems, and use a password management tool to block easily guessable passwords (dictionary words, the username, trivial substitutions) regardless of whether they technically satisfy the strength requirement.
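The following is an added example, not code from the original article or from Avatier's products. It applies one corporate policy (length, character classes, history, expiration) to any candidate password and, as the tip recommends, also rejects passwords built on easily guessable words even when they satisfy the strength rules. The policy values and the denylist are constructed for this example; a real deployment would use a large breach-derived denylist.

```python
import hashlib
import re
from datetime import date

# One corporate policy, applied identically on every system (values are constructed).
POLICY = {"min_length": 12, "min_classes": 3, "max_age_days": 90, "history": 5}

# Constructed denylist of guessable base words. Only words of six or more letters are
# listed so the substring match below does not over-trigger on short fragments.
GUESSABLE = {"password", "welcome", "qwerty", "letmein", "summer", "company"}


def _classes(pw: str) -> int:
    """Count how many of lower / upper / digit / symbol appear in the password."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def _core(pw: str) -> str:
    """Lowercase and undo common substitutions so 'P@ssw0rd2024!' reveals 'password'."""
    return pw.lower().translate(str.maketrans("@$03", "asoe"))


def _digest(pw: str) -> str:
    # SHA-256 keeps this demo self-contained; production password stores use a slow,
    # salted hash such as bcrypt or argon2 instead.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(candidate: str, username: str, history: list[str]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    `history` holds digests of the user's previous passwords, oldest first."""
    problems = []
    if len(candidate) < POLICY["min_length"]:
        problems.append(f"shorter than {POLICY['min_length']} characters")
    if _classes(candidate) < POLICY["min_classes"]:
        problems.append(f"fewer than {POLICY['min_classes']} character classes")
    if username.lower() in candidate.lower():
        problems.append("contains the username")
    if any(word in _core(candidate) for word in GUESSABLE):
        problems.append("based on an easily guessable word")
    if _digest(candidate) in history[-POLICY["history"]:]:
        problems.append(f"reused one of the last {POLICY['history']} passwords")
    return problems


def is_expired(last_changed: date, today: date) -> bool:
    """Aging rule from the same policy: True once the password is older than max_age_days."""
    return (today - last_changed).days > POLICY["max_age_days"]
```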

Tip No. 3: Embrace Self-service

As stated earlier, the volume of service desk calls relating to password issues is massive, and service desks obviously have better things to do than handle these types of calls. The return on investment (ROI) of self-service password management solutions is lightning fast and easy to calculate. If you know the cost per ticket of a password call, simply multiply that by the number of calls and the percentage that would be automated via self-service (such as 90 percent):

ROI of self-service password management: $10 per ticket X 10,000 tickets X 90% self-service = $90,000 saved

If you steer end users to handle their own password issues, you will have a clear justification to purchase a solution, and the ROI typically occurs within six months.

Tip No. 4: Using Single Sign-on

Single Sign-on (SSO) works as a form of password management simply because it reduces the number of times a user needs to use a password. After logging in with a core directory username and password, a worker leveraging single sign-on in the enterprise is then trusted to access a variety of other applications they use, since they have already been successfully authenticated. The beauty of an enterprise-class SSO solution is that you can combine it with password management and identity management capabilities to create a unified security approach for authentication across critical applications. The password management solution should be able to sync passwords to the cloud apps transparently as well. An identity management solution should automatically provision and deprovision access to SSO apps, which also improves security. Finally, having visibility into SSO application usage provides a great way to monitor license usage and costs.

Tip No. 5: Auditing, Intrusion Detection and Security Features

Once a single enterprise password management solution is implemented, it is then possible to have a holistic view of all password management activities. This includes all user activities as well as administrative actions against the system. Accompany this type of rollout with a security awareness campaign that promotes good password practices and explains the security-related notifications that will come with the new solution. Until the NSTIC folks help provide that elusive better solution, these simple additions will go a long way in securing your organization. By keeping your passwords secure and your users engaged, the chance of a security breach is significantly reduced.


Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors, where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts. Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).