Password Management Systems in Your Organizations
By Ryan Ward, CISO at Avatier
Twitter: @Avatier
Twitter: @ryawarr
Someone once told me that developing a usable and secure password management system isn’t rocket science…it’s much more difficult than that. Naturally, I disagree as I have witnessed numerous implementations of password management solutions that were a major success in a very short period of time. Plus, “success” of these implementations can be measured financially, through improved operations and through improved security.
An organizational password management implementation involves a number of key elements consisting of a blend of technology and internal business processes including:
- the use and misuse of multiple passwords
- composing hard-to-guess passwords
- changing and reusing passwords
- the art and science of keeping passwords secret
- intruder detection and lockout
- encrypting passwords in storage and transit
- synchronizing passwords and the latest in single sign-on
- user authentication for self-service capabilities
- IT support for forgotten and locked out passwords.
However, introducing password management best practices is not a daunting task, and I am certain almost every organization has the main concepts already defined (although possibly not matured). Here are three tips to help in your management.
Tip #1: Multiple Passwords Can Be Inhumane
The problem with passwords in a large enterprise is that people generally require so many different accounts and corresponding passwords to access the expansive list of both cloud and on-premise systems and applications, that sometimes it feels humanly impossible to remember them all. And just about the time you feel you have them all memorized, they then need to be changed. So what is the natural reaction of a worker who needs to efficiently accomplish all their tasks across a number of different systems? They start to develop a host of insecure behaviors around password management including:
- writing passwords down and supporting 3M PostIt Notes sales
- using passwords that are simple and easily compromised
- contacting the Help Desk constantly when they forget their password (contributing to 30 percent of All Help Desk calls)
- reusing old passwords as often as possible
These behaviors creep into the workplace because workers want to avoid downtime and the hassles that go along with it. The solution to the entire password management problem incorporates three critical components: an easy self-service password reset capability to ensure people can reset their own passwords, a synchronization solution that changes passwords across all of a user’s systems and a single sign-on solution to limit the number of sign-ons required.
Tip #2: Compose Passwords That Are Difficult To Crack
All it takes to understand the glaring issue of password strength is to see the 25 worst passwords and their current ranking based on use (thanks to Splashdata who measures them):
1. 123456 (up 1 and taking the top spot from “password” for the first time
2. password (down 1)
3. 12345678 (unchanged)
4. qwerty (up 1)
5. abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. iloveyou (up 2)
10. adobe123 (new)
11. 123123 (up 5)
12. Admin (new…you know who you are…)
13. 1234567890 (new)
14. letmein (down 7)
15. photoshop (new)
16. 1234 (new)
17. monkey (down 11)
18. shadow (unchanged)
19. sunshine (unchanged)
20. 12345 (new)
21. password1 (up 4)
22. princess (new)
23. azerty (new)
24. trustno1(down 12)
25. 000000 (new)
But hey, at least “password” is no longer #1! The solution to this overly simple problem: prevent your users from being able to use simple, easy-to-guess passwords! Controls around password strength have been around for a long time, and most software and operating systems provide a way to prevent weak passwords from being used if configured correctly. Unfortunately, some organizational legacy system baggage prevents setting stringent controls holistically at the target system, so software solutions have been created to help enforce password policies and prevent poor password decisions at the time the password is set and then synchronized across systems.
Tip #3: Change every password but the kitchen sync.
Password synchronization can solve so many issues around password management, so I am amazed when organizations choose a password management solution that only changes the core Active Directory or LDAP password without being able to sync to all the other systems a worker uses on a regular basis. Syncing passwords ensures users only need to remember one core password when logging into corporate systems, and this ultimately helps prevent the problem of workers writing down their passwords. It also helps solve the password expiration problem since the passwords will all be changed at the same time.
The latest solutions can map usernames across systems and still sync passwords successfully. For instance, my AD account may be RYANW, but my AIX Unix password is WARDR. The password management solution keeps track of those mappings and automatically knows to change my password for both AD\RYANW and AIX\WARDR. Synchronization can now also work with cloud-based applications such as Salesforce.com, Google or Office365, so security is strengthened by regularly changing cloud-based applications that in the past were typically left unchanged or had longer expiration windows.
Hopefully, you will find these tips easy to implement. In my experience both in-house and as a member of an IT Consulting firm, these simple additions, if you are not already employing them, will go a long way in keeping your passwords secure and your chances of a breach considerably lower.
About the Author: Ryan Ward is CISO at Avatier and a sixteen-year veteran of the security industry. Ryan is a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).