In the not-too-distant future passwords will disappear, replaced by biometrics, smartphones and other tricks. Until then, system administrators have to deal with users typing ever-longer alphanumeric strings into systems.

For their part, users cope through risky behaviour such as reusing passwords and writing them on pieces of paper kept around their desks.

What’s a CISO to do? A recent report from Britain’s GCHQ, the communications spy agency, and the country’s Centre for the Protection of National Infrastructure offers seven tips to infosec pros on creating a simpler yet effective corporate password policy.

Policies usually urge staff to come up with a mix of letters, symbols and numbers. Yet, the report notes, complex passwords don’t usually frustrate attackers, while they make daily life much harder for users.

So it urges a system that doesn’t ask most users to recall complicated passwords. Note that the recommendations aren’t intended to protect what the report calls “high value individuals” using public services.

1 — Ensure default passwords for all devices — including routers, wireless access points, and firewalls — are changed. You do have an inventory of devices, right?

2 — Ease the burden on users. First, don’t put passwords on systems that have no security requirement. Second, use single sign-on and password synchronization so staff have fewer passwords to remember. Third, encourage the use of a password manager if staff need one to keep track of their passwords, but only one that has been approved. Fourth, monitor logins to detect unusual behaviour. If nothing unusual is detected, staff shouldn’t have to change passwords regularly as a matter of routine.

3 — Improve training. Instead of telling staff to create complex passwords, train them to avoid passwords containing personal information (names, dates, sports teams, etc.), simple dictionary words or predictable keyboard sequences. Back this up with technical controls such as account lockout, throttling, or protective monitoring.

4 — Help staff create better passwords with a machine-generated system, but one designed for high memorability (such as passphrases, four random dictionary words, etc.). Ideally, give users a choice of passwords so they can select the one they find most memorable.

5 — Hold administrator and remote user accounts to a higher standard, such as requiring two-factor authentication. And, of course, limit administrator privileges to only those who need them.

6 — Use account lockout and protective monitoring. You’ve done your best to ensure staff are doing the right things; why give attackers all the time they need to guess passwords by brute force?

7 — Finally, all the work on creating secure passwords is worthless if they are stored on your systems in plaintext. Never store the password itself: store a hash, and salt each hash with a unique random value so that identical passwords produce different stored values and precomputed tables are useless. When implementing password storage, use public standards such as PBKDF2, which iterate the hash many times to slow down offline guessing.
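Tips 4, 6 and 7 together describe one small mechanism: generate memorable passphrases for users, store only salted and iterated hashes, and lock an account after repeated failures while logging every outcome for monitoring. The Python below is an added example written for this page, not code from the GCHQ/CPNI report or from any product. The 16-word list is a constructed stub (a real list such as the EFF long list has 7776 words), and the 600,000 PBKDF2 iteration count, the five-attempt limit and the 15-minute lockout are assumed values.

```python
import hashlib
import hmac
import math
import os
import secrets
import time

# Constructed 16-word list for the demo only. A real deployment would load a
# published list (e.g. the EFF long list, 7776 words); four words from this
# tiny list give only 16 bits, far too weak for actual use.
WORDLIST = [
    "anchor", "basket", "cobalt", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
]


def generate_passphrase(words=4, wordlist=WORDLIST):
    """Tip 4: machine-generated yet memorable. secrets.choice is a CSPRNG;
    random.choice would make the phrases predictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words, wordlist_size):
    """Strength of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(wordlist_size)


def offer_choices(count=3, words=4, wordlist=WORDLIST):
    """Tip 4: offer several candidates so the user picks the most memorable."""
    return [generate_passphrase(words, wordlist) for _ in range(count)]


# Assumed work factor (OWASP currently suggests 600,000 for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Tip 7: salted, iterated PBKDF2. A fresh random salt per password means two
    users with the same password get different hashes, so precomputed tables fail."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class Authenticator:
    """Tip 6: lock the account after max_failures wrong guesses so an online
    brute-force attacker gets a bounded number of tries per lockout window.
    Every outcome is appended to self.events for protective monitoring."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 iterations=PBKDF2_ITERATIONS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.iterations = iterations
        self.clock = clock          # injectable so the lockout window is testable
        self._hashes = {}
        self._failures = {}
        self._locked_until = {}
        self.events = []            # (time, username, outcome)
        # Verified for unknown usernames so timing does not reveal which accounts exist.
        self._dummy = hash_password(secrets.token_hex(16), iterations)

    def register(self, username, password):
        self._hashes[username] = hash_password(password, self.iterations)

    def login(self, username, password):
        now = self.clock()
        if now < self._locked_until.get(username, 0.0):
            self.events.append((now, username, "locked"))
            return "locked"
        stored = self._hashes.get(username, self._dummy)
        if verify_password(password, stored) and username in self._hashes:
            self._failures[username] = 0
            self.events.append((now, username, "ok"))
            return "ok"
        failures = self._failures.get(username, 0) + 1
        if failures >= self.max_failures:
            self._failures[username] = 0
            self._locked_until[username] = now + self.lockout_seconds
            self.events.append((now, username, "lockout"))
            return "locked"
        self._failures[username] = failures
        self.events.append((now, username, "denied"))
        return "denied"


if __name__ == "__main__":
    for candidate in offer_choices():
        print("candidate passphrase:", candidate)
    auth = Authenticator()
    auth.register("alice", "anchor dragon kettle orbit")
    print(auth.login("alice", "wrong guess"))                 # denied
    print(auth.login("alice", "anchor dragon kettle orbit"))  # ok
```

The stored string carries the algorithm name, iteration count and salt alongside the derived key, so the work factor can be raised later and old records still verify. The lockout deliberately returns "locked" even for the correct password inside the window, which is what stops an attacker who has guessed right on attempt six; the trade-off is that an attacker can lock a victim out, so the events list is there for monitoring to notice that pattern.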

And if you outsource password access services, give the third party clear instructions on how it should protect the credentials. This should form part of the contractual agreement.

  • Hitoshi Anatomi

    I would like to add the following.

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another. 

    At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    Incidentally, biometrics are dependent on passwords in real life. So are multi-factor authentications and ID federations like password managers and single-sign-on services. And, in a world with passwords killed dead, we have no safe sleep. Passwords will stay with us for long.