As a system administrator, every 60 days (per our password expiration policy) I find myself in Password Hell. This entails having to change about two dozen expiring passwords to continue to access the systems I need to do my job. It’s particularly cumbersome since I work from home permanently now, and if I somehow end up locking myself out of my laptop (as has happened twice when the new local password somehow didn’t take) that’s a major work stoppage issue.
I reset all my passwords the other day, since May 6 is World Password Day, a day dedicated to promoting good password management strategies. The basics should be the standard bedrock of any organizational password policy:
- Set the password expiration interval with system controls such as Group Policy or Mobile Device Management (our policy uses 60 days). Be aware that NIST SP 800-63B now advises against routine expiration unless there is evidence of compromise, because forced rotation tends to produce predictable variations of the old password; if you keep a rotation interval, pair it with a check that the new password is not a trivial variant of the old one.
- Require a minimum length and screen new passwords against a blocklist of common dictionary words and known-breached passwords; a breach-corpus check catches far more weak choices than character-class rules alone.
- Use passphrases instead of convoluted character sequences. Where the system accepts long passwords, use the whole phrase, for example “I love to eat Boston seafood in the summer!”; where it does not, derive a password from the first letter of each word, which for that phrase gives IlteBsits! (keep in mind the derived form is only 10 characters, so it is far weaker than the full phrase).
- Never write down passwords, and especially not on a piece of paper kept with or near the corresponding device.
- Never use the same password across multiple systems; use a unique one for each.
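The following is an added example, not code from the original article, showing how the policy bullets above can be enforced on the server side: a minimum length (14 here is an assumed policy value), a dictionary blocklist applied so that a one-word password such as Summer2021! is rejected while a long passphrase containing the same word is not, a same-stem check that catches rotation-by-incrementing, and a breach-corpus lookup done by SHA-1 prefix in the k-anonymity style of the Have I Been Pwned range API, so the full hash never has to leave the host. The banned-word list and breach corpus are constructed sample data; `acronym` reproduces the first-letter derivation described above.

```python
import hashlib
import re

# Constructed sample data, not a real corpus: a tiny banned-word list and a
# tiny breach corpus stored as upper-case SHA-1 hex (the format used by the
# HIBP "Pwned Passwords" range API).  In production, load the organisation's
# banned-word list and a local copy of a breached-password corpus instead.
BANNED_WORDS = {"password", "summer", "boston", "welcome", "letmein"}
_CONSTRUCTED_BREACHES = ["Password1!", "Summer2021!", "Welcome123"]
BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_BREACHES
}

MIN_LENGTH = 14  # assumed policy value, not taken from the article


def acronym(phrase):
    """First character of each word, keeping trailing punctuation of the last
    word: the derivation the article describes for building a password."""
    words = phrase.split()
    out = "".join(w[0] for w in words)
    if words and not words[-1][-1].isalnum():
        out += words[-1][-1]
    return out


def stem(password):
    """Lower-case letters only, so 'Summer2021!' and 'Summer2022!' share a stem."""
    return re.sub(r"[^a-z]", "", password.lower())


def k_anon_lookup(password, corpus):
    """True if the password's SHA-1 is in corpus.  Only the first five hex
    characters select candidates, mirroring a k-anonymity range query; the
    comparison of the remaining 35 characters happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # What the range query would return: every corpus suffix sharing the prefix.
    returned_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in returned_suffixes


def check_password(candidate, previous=None):
    """Return a list of policy violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Reject a password that is essentially one dictionary word plus decoration
    # ('Summer2021!'), but do not penalise a multi-word passphrase that merely
    # contains such a word: the long phrase is the stronger choice.
    words = re.findall(r"[a-z]+", candidate.lower())
    if len(words) <= 2 and any(w in BANNED_WORDS for w in words):
        problems.append("built around a banned dictionary word")
    if previous is not None and stem(candidate) == stem(previous):
        problems.append("only digits or symbols changed from the previous password")
    if k_anon_lookup(candidate, BREACH_CORPUS):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    phrase = "I love to eat Boston seafood in the summer!"
    for cand, prev in [(acronym(phrase), None), (phrase, None),
                       ("Summer2021!", None), ("Summer2022!", "Summer2021!")]:
        print(f"{cand!r}: {check_password(cand, prev) or 'OK'}")
```

Run stand-alone, the script shows that the derived acronym IlteBsits! fails only on length while the full phrase passes, and that Summer2022! is rejected on three counts when the previous password was Summer2021!. Against a real corpus, replace the set comprehension in `k_anon_lookup` with the range query for `prefix` and keep the suffix comparison local.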
I know this sounds painful but some of the pain can be alleviated.
- Use a password manager like KeePass, 1Password or LastPass. I’ve been reminding my users of this for years. Copying, pasting or auto-filling passwords reduces stress, safeguards against fat-fingered passwords (which can lead to account lockouts) and streamlines your work.
- Give users a way to change or reset their own passwords (check with your security department). The password page in Remote Desktop Web Access for Windows lets users change a password, including an expired one, without a help desk call; a forgotten password needs a true self-service reset solution backed by a second factor.
- Ensure all company-owned equipment is labeled with the phone number/web link for the help desk to facilitate end user password resets. If users are locked out of their devices they will know who to call.
- Deploy remote-support tooling so the help desk can reach a locked-out device and help the user regain access.
Be vigilant about tracking data breaches that might affect you, and respond by changing the affected password promptly, along with any other account where the same password was reused. A recent report by NordVPN found that “Despite daily logins across our social media and computing devices, only about half of Americans (57%) change their passwords immediately after a site they frequent has a data breach, followed by 25% who change their passwords within a week or two, 10% within a few months, and 8% who never do. When it comes to sites Americans rarely visit, less than half (43%) change their passwords immediately after a data breach followed by 33% within a week or two, 14% within a few months and 10% who never do.”
I discussed the topic of passwords with Fran Rosch, CEO of ForgeRock, an identity platform provider. Rosch also offered some key insights into how Amazon is blazing a trail in the field of access and identity management.
Scott Matteson: What are the current challenges associated with password management?
Fran Rosch: We are all in unhealthy relationships with passwords as both consumers and businesses—it’s just that some of us don’t know it yet. Even the most tech-savvy people have trouble managing dozens of username and password combinations. Today’s password overload, which has been exacerbated by the pandemic where people, on average, now manage upwards of 70 to 100 passwords, has also seen us revert back to using easy-to-remember (which also means easily guessed) passwords or using the same ones again and again.
The shift to telemedicine, online banking, grocery delivery and the like means people are faced with the need to open new digital accounts and create new credentials for services that used to be handled in person. Most people lean on familiar password patterns, which gave attackers a leg up in stealing valuable data in 2020.
For businesses, managing passwords is expensive. The average enterprise spends more than $1 million annually on password reset requests when a customer can’t recall their credentials. Organizations are also looking for ways to make the login experience easier for their customers. Our research shows when it’s onerous, 35% of customers will cancel their account. A lot of money goes unspent in the online world when a shopper forgets their password at checkout.
Scott Matteson: Why has this been such an ordeal for decades?
Fran Rosch: Passwords are a crutch because they are familiar, and no one could have predicted the multitude of platforms a single person would want or need to access or how cumbersome usernames and passwords would become in today’s world. Historically, there hasn’t been a viable alternative. Organizations have tried everything from smart cards to biometrics, but they have never reached the critical mass required for widespread adoption. Without a widely adopted alternative, our old authentication modality cannot be replaced.
Scott Matteson: Why haven’t biometrics really taken off (other than on handheld devices)?
Fran Rosch: Many of the obstacles to the widespread adoption of biometrics no longer exist, and I believe that in the next three years we’re going to see a major surge in their use. What held biometrics back earlier was a scarcity of sensors. Today, most of us walk around with smartphones—powerful sensor-filled devices that can reliably and securely authenticate users with myriad biometric methods from fingerprints to facial recognition. Advances in security also make it easier for companies to keep user data on each device to make it harder for attackers to steal. In the past, attackers would count on finding troves of biometric data in a single place to extract valuable personal information. And finally, the court of public opinion has shifted. As a society we are more comfortable with the notion of using biometrics to verify who we are more than we were even a few years ago, and we have Amazon to thank for that.
Scott Matteson: What is Amazon doing to improve the situation?
Fran Rosch: Every day, Amazon proves to the world that it’s possible to deliver a great experience that is also secure. For example, rarely do users on Amazon have to reenter a password or confirm their identity, and the “buy now” button even accelerates a transaction, something that would be risky without underlying security measures in place. While Amazon makes it look easy, the company has put significant resources into the underpinnings of its platform to do just that. They are the model for companies who want to offer both a strong user experience and security. Consider Amazon Key. It’s an interesting way of bringing security into the physical world, allowing an Amazon delivery person to deliver a package inside your home or garage. The driver and home are all authenticated, and Ring Cameras record the transaction.
Scott Matteson: How does Amazon’s technology work?
Fran Rosch: Companies like Amazon use behavioral analysis technology supported by mature artificial intelligence and machine learning applications. This technology studies consumer behavior to verify a person’s digital identity by examining inputs like purchase history, browse time and scroll patterns. If potential fraud is detected, technology can be used to add friction into the buying process to make sure the right person is making the purchase and not an imposter. Ultimately, this kind of back-end security enhances the user experience by only introducing friction at the right time to make the purchase process smooth regardless of the item’s price tag.
Scott Matteson: How can this become more widespread?
Fran Rosch: To stay competitive in a digital-first world, organizations must deliver experiences that feel natural and are secure. We’re seeing this today in the financial sector where margins are thin and customers are earned with great service. At Standard Chartered Bank in Singapore they’re using ForgeRock to give customers the ability to choose their preferred method of authentication, whether they’re using facial recognition at a branch to withdraw funds or a traditional PIN at an ATM. Biometrics will overtake passwords as the primary method of preserving and accessing our digital identities, and it’s how we’re approaching e-commerce with our customers now.
Scott Matteson: Are there any new challenges or considerations involved for IT departments to be aware of?
Fran Rosch: IT departments are used to having total control through ownership. Entire workforces spent their days on devices and applications managed by IT. Today millions of employees around the world are working from home on their own networks with their own devices, accessing SaaS applications that are running in a public cloud. Almost overnight, IT departments went from owning everything to owning nothing, and their challenge is making sure they don’t lose control of the security measures they’ve spent years putting in place on corporate networks with the majority of the workforce now working remotely. Concepts like Zero Trust, powered by a powerful IAM platform, can allow IT departments to regain control while improving security and the end-user experience, which should be passwordless.
Scott Matteson: Are there any new challenges or considerations involved for end-users to be aware of?
Fran Rosch: I tell all my friends, when a biometric sign-in option is available, take it. Your fingerprint or face ID is easier and more secure. And with my more techie friends, I coach them to make sure multi-factor or two-factor authentication is turned on. The main thing I want everyone to remember is that usernames and passwords will never be secure enough. My vision is a world where you never login again. We’re leading the way there, and I can’t wait for more companies to get on board.