Proper password methodologies can be a challenge to master. Learn some tips from industry experts on how to streamline the process and safeguard your organization.
Amid the coronavirus pandemic, access to systems in order to conduct business operations is critical for the majority of the workforce (56% according to globalworkplaceanalytics.com) that can do so remotely. I'm one of those workforce members, and it's a huge source of relief for me to be able to conduct both my jobs (system administrator and tech writer) remotely.
Remote access nearly always depends on passwords, either to initiate VPN connections, log into workstations and servers, or to access critical websites.
IT departments are tasked with the extra burden of making sure all this remote access is secured via appropriate password methodologies. After all, it's challenging enough to secure an on-site physical system that only permits hands-on access (such as a company workstation), let alone devices out of your control that may easily be lost, stolen, or accessed by unauthorized individuals.
I checked in with Charles Poff, CISO at Predictive Identity Access Provider Sailpoint, and Daniel Murphy, Global IT manager at Cygilant, a Cybersecurity-As-A-Service provider, to chat further.
SEE: Identity theft protection policy (TechRepublic Premium)
1. Use automated password management tools
Charles Poff: Start looking into a password management tool. There are a ton of useful commercial tools and solutions that help make the overall process of keeping long, complex, and unique passwords manageable.
With automated password management, you can empower your organization with self-service password reset. Password management is the key to effective security, we all know that, but password reset help desk calls are very expensive, and corporations don't want to incur that cost.
With an effective password management strategy, you give your users an easy and intuitive way to change or reset their passwords themselves. And along the way, you can enforce strong password policies across all of your applications and systems.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Self-service enables your workforce to remain productive wherever they are, and they won't get locked out of accounts. It's really a win, win. Help desk calls are minimized and security is improved because password policies are consistently enforced across the organization. Overall, password management leads to less frustration because employees can use self-service from wherever they are.
Scott Matteson: I can certainly speak to this as well. My company has a LOT of passwords and we're trying to consolidate accounts where possible, but for a time, password reset requests were absolutely draining our productivity. I implemented Remote Desktop Web Access password resets to permit users to reset their own passwords via a web portal.
I also continually urge existing and new users to rely on KeePass to securely store their passwords. With these two tools handy users will never have to deal with a forgotten password again, and IT staff won't have to drop more critical work to handle this type of housekeeping.
2. Update or change passwords often
Charles Poff: Keep your password unless you think it has been compromised. Once a password is compromised, the floodgates are open. The eye-popping number of credential stuffing data breaches this year taught us as much. If you're using a complex, memorable password then I'd recommend changing your password on the same schedule as your vehicle registration: About once a year.
Be sure to inspect your accounts and their passwords for safety and any sign of compromise, just like you would an automobile. The thought process is similar: While vehicle inspection is part of the renewal process and ensures that safety is maintained, you wouldn't wait for the annual renewal to get something dangerous fixed in your vehicle.
SEE: Black Hat 2020: Cybersecurity trends, tools, and threats (free PDF) (TechRepublic)
Similarly, appropriately complex passwords can be changed once a year, assuming that any breaches or other security issues with a particular account trigger a password change immediately. The website Have I Been Pwned is a great resource for breach awareness.
Daniel Murphy: Building a culture of security awareness within your organization should be a priority for everyone. For IT Managers it's important to implement password hygiene processes across an organization. Passwords should be changed every 30 days or every 90 days for non-user or system accounts.
Conventional wisdom says to change your password a couple of times a year, but security needs to become second nature to people. If employees only think about password security twice a year they will inevitably choose a weak password that is easily memorable. By increasing the frequency in which users have to change their password, you create an emphasis on the importance of password security across the organization.
Scott Matteson: One problem I've had with passwords in general is they still don't guarantee the person using them is who they say they are. That's why my company takes a severe approach to the concept of sharing passwords.
3. Use multi-factor authentication or single sign-on
Charles Poff: Organizations should opt-in for multi-factor authentication where available for an added layer of security that is already built into many apps. While passwords as the primary method for authentication may go away at some point in the future, the reality today is that they are still very much a part of securing access.
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
There are great technology solutions that can address the current password management challenges such as the growing number of applications (both on-premises and in the cloud) and the increasing complexity of password policies being used in large enterprises. These solutions look to reduce the number of usernames and passwords required by leveraging single sign-on and password synchronization in combination with one another.
4. Balance user needs with security needs
Charles Poff: One of the challenges with current approaches to managing passwords is they almost exclusively focus on the needs of IT and IT security. Organizations should strive to balance security with convenience and deliver solutions that simplify management of passwords for applications which still require them. This means looking for ways to streamline the implementation of strong password policies without causing undue complexity on the users.
If password policies and administration become too arduous for end users, they will find a work-around, which ultimately exposes the organization to more risk vs. less.
5. Educate users on password safety
Charles Poff: To avoid needless risk and to protect their identity in the event of a breach, users should constantly switch up their passwords and take a minute to adhere to some important password management best practices, such as using a unique password for every application or account, and making sure the password is long and complex. The best thing you can do is make all your passwords unique at every site (do not reuse passwords). Users should also avoid duplicating their passwords across accounts, especially across work and personal accounts. This ensures that your personal identity is not only protected, but also any information related to your employer is safeguarded in the event of a breach.
Consumer-facing breaches can extend beyond personal accounts, potentially exposing the enterprise as well. Data breaches like this can create a domino effect across multiple organizations through the reuse of credentials across personal and business accounts. This is where password hygiene comes in. While people can't go back in time to protect what data may have been compromised, they can use this as an opportunity to get familiar with password management best practices to avoid being affected should another breach of this magnitude occur.
SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)
Finally, keep it mindful—always be aware of where you are on the internet and take specific note of anything or anyone that has asked you to log in or provide answers to any secret questions or disclose personal information.
As an industry, we need to educate, educate, and educate. Unfortunately, we are still making rookie mistakes when it comes to passwords. Even if we feel like we are tediously repetitive and the requirements may seem like overkill, it's overall a benefit to the user to combat password and account compromise.
Daniel Murphy: Users should understand the concepts of password complexity. Historically the guidance was on short, complex passwords, but this has been disproven in recent years and the emphasis now is on length over complexity. I believe it should be both.
Passphrases then built upon this and added extreme length to the equation. They are nearly impossible to crack and are easier to remember compared with passwords. The only issue may be around not every application supporting their use. So for now, if you use passphrases you will undoubtedly have to use some passwords as well.
The standards you should strive for are:
- A minimum length of 12 characters
- Containing upper- and lowercase letters
- Containing at least one number
- Containing at least one symbol
- Avoid sequences e.g. 123
- Avoid words and places identifiable to you e.g. hometown, kids names, sports teams
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)