Recently I've been working with clients on Information Security and of course the perennial issue of passwords and password management has come up.
The fairly standard model of password management has been shown to me, which is the regular requirement to change passwords.
Before I go any further, I'll draw your attention to this article on the BBC News website 'Password guru regrets past advice'. Bill Burr advised back in 2003 that passwords should be changed every 90 days, advice that people seem to live and die by in IT circles. Whilst laudable, if you're still working to advice from 2003 for IT security, I'd suggest that its probably time to have a review of your security approach. (We can help with that, see our 1 Day Information Security Assessment). Getting back on track, what this advice missed was the human element (which hasn't really changed) and systems developments (huge changes) that will effect that policy. Lets set up a real life scenario.
The Password Hell Scenario
All employees are issued with a laptop so they can work from home, hot desk, travel etc. As usual its on the company domain, bitlocker is set up etc. So as a piece of technology its a pretty standard environment. Windows Login, 6 monthly password change policy, no re-occurring passwords etc. Laptop is set up with Windows 7, Corporate Email (Outlook), Chrome and Internet Explorer, and a variety of cloud based systems each with their own login.
On top of their windows login, the user also has login to up to 10 additional systems, each with their own password rules.
Users and Policy
I've worked in environments where there are pages of words explaining the varied and interesting ways I will be dismissed should I find myself in breach of the corporate IT policy. All very nice, and ignored by employees and line managers. Which suggests that policy needs to be properly written. Here's few things to consider when writing policy to get you started.
Start by getting your own house in order
What are your processes and systems, can they be streamlined first
Define user access properly (only provide access to what they need)
Consider your vulnerabilities, what might go wrong
Follow good advice on passwords
Remember: Make it too difficult and users will circumvent policy
If you have multiple logins and systems, consider single sign on
Explain to them why its important and make it personal
People like to know context, it makes it real for them
Use IT policy to help users secure their personal lives (how to create a good password?)
Focusing on punishment is reactive, and tends to alienate, don't labour the point
Prevention is better than cure. Punishing someone after an incident doesn't fix anything
Be Technology Aware
We all use browsers, and in addition lots or corporate systems either use web portals for systems access, or use cloud based systems. Frequently browsers can now store your username and password in an online account for portability between devices.
Software also frequently allows you to retain login details so again a compromised system will allow access to more than just your Windows system (Remote Desktop Protocol (RDP) springs to mind.
Email Password Reset
Be aware of password reset, what's the point of multiple logins etc if access can be gained as soon as you have access to the corporate email system.
What to do?
I'll try and summerise, so when you're debating about passwords you have some facts to work to.
Take Proper Advice
At a minimum follow government advice, there is some good advice here and the UK is a global leader.
Cyber Aware: https://www.cyberaware.gov.uk/passwords
National Cyber Security Centre: Password Guidance - Simplifying Your Approach
Walk the User Experience
Audit what your users actually do, identify vulnerabilities these could be:
Writing down passwords (On paper, in bookmarks)
Weak passwords (Qwerty1, Qwerty2...)
Sharing login details
Unauthorised laptop users (employees kids?)
The list is potentially endless, but if this is happening, be honest if its happening repeatedly then it suggests a system and policy issue not a user issue.
Understand the Root Cause of issues
Take time to understand the root cause of an issues its better to fix the cause rather than the symptoms of the issue. Again remember prevention is better than cure, and a realistic assessment of risk vs outcome is much more productive than a zero tolerance to risk.
Don't Rely on Passwords, accept there will be a breach and deal with it
Passwords are limited by human beings, its important to ensure that users are properly set up with access limited to what they need. Segregate systems and data and apply appropriate security controls.
Monitoring and Measurement
Implement a monitoring / measurement regime actively monitoring logs, user activity and systems. The current advice is static passwords that are reset when there is a suspected compromise. The use of proactive monitoring and measurement can vastly improve both the user experience and the systems security. (Sustain You ISMS Monitoring Service).
Understand your systems and its vulnerabilities
Audit the user experience
Take time to understand and fix the cause not the symptom
Streamline the user experience
Implement monitoring and measurement
Follow government advice
We provide a range of information security services from Leadership Engagement to ISO27001 implementation.