In the not too-distance future passwords will disappear, replaced by biometrics, smart phones and other tricks. Until then system administrators have to deal with users inputting increasingly longer alpha-numeric strings into systems.
For their part users cope with risky behaviour like re-using passwords and storing them on pieces of paper around their desks.
What’s CISO to do? A recent report from Britain’s GCHQ, the communications spy agency, and the country’s Centre for the Protection of National Infrastructure, offers seven tips to infosec pros on creating a simpler yet effective corporate password policy.
Usually policies urge staff to come up with a mix of letters, sympbols and numbers. Yet, the report notes, complex passwords don’t usually frustrate attackers, the document notes, yet they make daily life much harder for users.
So it urges a system that doesn’t ask most users to recall complicated passwords. In considering the recommendations note that they aren’t intended to protect what the report calls “high value individuals” using public services.
1 — Ensure default passwords for all devices — including routers, wireless access points, and firewalls — are changed. You do have an inventory of devices, right?
2 — Ease the burden on users. First, don’t put passwords on systems that have no security requirements. Second, use single sign-on and password synchronization so staff have fewer passwords to remember. Third, encourage the use of a password manager if staff need one to keep track of their passwords — but only one that has been approved. Fourth, monitor logins to detect unusual behavior. If there’s nothing unusual staff shouldn’t have regularly change passwords as a security procedure
3– Improve training. Instead of telling staff to creating complex passwords, train them to avoid passwords with personal information (names, dates, sports teams, etc.), simple dictionary words or predictable keyboard sequence. Back it up with technical controls such as account lockout, throttling, or protective monitoring.
4–Help staff create better passwords with a machine-generated system, but ones that
designed for high memorability (such as passphrases, four random dictionary words etc.). Ideally, give users a choice of passwords, so they can select the one they find the most memorable.
5.–Treat administrator and remote user accounts with a higher standard, such as two-factor authentication. And, of course, limit administrator privileges to only those that need it.
6 –Use account lockout and protective monitoring. You’ve done your best to ensure staff are doing the right things. Why give attackers all the time they need to crack them with a brute force attack?
7–Finally, all the work helping to create secure passwords is worthless if they are stored on your system in plaintext. Not only should password databases be hashed, they should also be salted. When implementing password solutions use public standards, such as PBKDF2, which use multiple iterated hashes.
Finally, if you outsource password access services, give the third party clear instructions on how it should protect the credentials. This should form part of the contractual agreement.