Practical password policy

Despite their weaknesses, passwords remain a dominant authentication mechanism, and the reason is simple: they are low cost and convenient. Unfortunately, many organizations believe that making passwords less convenient also makes them more secure. They are wrong.

The first step in managing password-related risk is to address factors directly controlled by individual users. People may choose poor passwords that are easily guessed. Passwords can be carelessly stored on a computer or written down. Users fall victim to social engineering, malware, and phishing attacks. Security awareness training can significantly help mitigate these risks.

Password reuse is a growing problem. For years, well-meaning security and IT professionals have urged people to choose complex passwords that are not easily guessed, and not write them down. Unfortunately that approach ignores the fact that people just cannot remember dozens of complex passwords. As a result, they use the same password, or a derivative thereof, for multiple applications.

The obvious answer is to point users toward quality password managers such as 1Password and LastPass, and encourage them to use a different randomly generated password for each application. In addition to helping people create strong, unguessable passwords for each application, password managers help reduce the incidence of phishing by only offering the password at the correct URL.

Multi-factor authentication provides a valuable second layer of defence and should be used wherever possible. Organizational security policy should require the use of multi-factor authentication to protect all non-public information, and multi-factor authentication capability should be considered when selecting products and cloud-based services.

Organizations of all sizes continue to struggle with password policies. Requiring a complex password of a minimum length makes good sense. However, many administrators erroneously believe that requiring users to change passwords more frequently increases security. In reality, stolen passwords are generally exploited immediately. Frequent password changes increase the burden on users, who already have too many passwords to manage. In practice, most users create new passwords that are only minor variations on their old one.

From a policy perspective, it makes far more sense to ask users to create a long random password with a password manager, and allow them to continue using it indefinitely. To put things in perspective, a 14-character random password with upper and lower case characters, two symbols, and four digits will take in the order of a century to crack using brute force techniques on dedicated hardware. Passwords only need to be changed when a compromise is suspected.
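To make the estimate above concrete, here is an added example (not part of the original column) that computes the search space for that 14-character policy and the time needed to exhaust it at two assumed guess rates. The 32-character symbol set and both guess rates are assumptions; the first figure also assumes the attacker knows the composition rule (exactly four digits and two symbols), which is the conservative case, and the second assumes nothing about the structure.

```python
"""Search-space and brute-force time estimate for the 14-character password policy."""
import math
import string

LETTERS = string.ascii_letters   # 52 upper- and lower-case letters
DIGITS = string.digits           # 10 digits
SYMBOLS = string.punctuation     # 32 printable ASCII symbols (assumed symbol set)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def structured_space(length=14, n_digits=4, n_symbols=2):
    """Candidates when the attacker knows the composition rule: exactly
    n_digits digits and n_symbols symbols, the rest letters, in any positions."""
    n_letters = length - n_digits - n_symbols
    positions = math.comb(length, n_digits) * math.comb(length - n_digits, n_symbols)
    return (positions
            * len(LETTERS) ** n_letters
            * len(DIGITS) ** n_digits
            * len(SYMBOLS) ** n_symbols)


def unstructured_space(length=14):
    """Candidates when every position may hold any of the 94 printable characters."""
    return (len(LETTERS) + len(DIGITS) + len(SYMBOLS)) ** length


def bits_of_entropy(space):
    """Equivalent key strength in bits for a uniformly chosen password."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst case for the attacker: every candidate is tried once."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Assumed guess rates, constructed for illustration rather than measured:
FAST_HASH_RATE = 1e11   # dedicated cracking rig against a fast, unsalted hash
SLOW_HASH_RATE = 1e5    # same rig against a deliberately slow password hash

if __name__ == "__main__":
    cases = (("policy known", structured_space()),
             ("policy unknown", unstructured_space()))
    for label, space in cases:
        print(f"{label}: {bits_of_entropy(space):.1f} bits of entropy")
        for name, rate in (("fast hash", FAST_HASH_RATE), ("slow hash", SLOW_HASH_RATE)):
            print(f"  {name}: {years_to_exhaust(space, rate):.3g} years to exhaust")
```

Publishing the composition rule shrinks the search space by a little over two orders of magnitude, and the hash function on the server side moves the estimate by far more than that, which is why the next paragraph's point about offline cracking matters as much as the password length.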

Of course, brute force attacks should be quickly detected, long before passwords can be compromised. Properly implemented authentication systems should not present opportunities for offline password cracking, and online password cracking attempts should trigger delay and lockout mechanisms.

System administrators and others responsible for setting password policies in products should carefully consider the advice in “Password Guidance: Simplifying Your Approach”, published by the UK Government in 2015.

There is no doubt that authentication systems must evolve. Multiple authentication factors applied within an adaptive, risk-based framework, together with integrated misuse detection, are the way of the future. But until that future arrives, organizations need to make the most of the authentication systems in the products they use today by adopting a practical password policy.

Have a security question you’d like answered in a future column? Please send me an email. 