Today is World Password Day, which is usually aimed at encouraging consumers to strengthen or change their passwords.
However, CISOs can also take the day to rethink their identity and access management strategies, focusing on several questions:
–Do you have a well-defined yet clear password strategy for employees?
–Do you have a mechanism to check whether staff passwords can be found on common stolen credentials lists used by attackers?
–Do you ensure the principle of least privilege applies across the enterprise — that is, only those who need access to a resource get it?
–Do you offer an enterprise-grade password manager to staff?
–Do you take maximum advantage of two-factor/multifactor authentication for company logins?
–Do you have a secure password reset policy?
Passwords are vital portals to an organization’s important assets. Attackers know this. According to the 2018 Verizon Data Breach Investigations Report, the number one contributor to data breaches was stolen credentials.
Centrify notes a recent study it commissioned found privileged credential abuse was involved in almost three out of every four breaches. Fifty-two per cent of respondents said their organization doesn’t have a password vault, and 21 per cent have not implemented multi-factor authentication for privileged administrative access.
According to a survey of 600 IT pros in the United States and the U.K. by security vendor OneLogin, at least 90 per cent of respondents said their organization has guidelines for password complexity. However, only about one-third said their organization checks employee passwords against common password lists. (Read the full survey here. Registration required.)
And while most organizations have many applications that need separate logins, the survey noted fewer than half of respondents said their organizations use single sign-on technologies. Just under half of U.S. respondents and one-third of U.K. respondents said their organizations don’t use multi-factor authentication.
American respondents figured their organizations spend 2.5 months a year resetting internal passwords.
The not-so-old days saw the U.S. National Institute of Standards and Technology (NIST) recommend passwords be 16 characters, and include a mix of capital letters, numbers and special characters. The more recent Digital Identity Guidelines say password policies should allow at least 64 characters to support the use of passphrases. “Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization. Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets. Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.”
There are different opinions on passphrases. “This doesn’t work from a security perspective for several reasons,” said Darren Guccione, CEO of Chicago-based Keeper Security. “We have hundreds of digital assets that require encryption both at rest and in transit – i.e. passwords, codes, digital certificates, SSH keys and files (documents and media). To prevent a data breach, passwords (and codes) need to be high-strength, unique (a different password or passphrase per website, application and system) and encrypted. The human brain is simply incapable of doing this. Therefore, the use of passphrases is not nearly enough to prevent a data breach. A password management application must be used.”
He also suggests CISOs use a dark web monitoring service to check staff passwords against constantly changing stolen password lists.
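The NIST guidance quoted above (long passphrases, any characters, no composition rules, no forced rotation) and the breached-list check raised several times in this piece can be combined in one policy check. The following is an added illustration, not code from the article or any vendor named in it; the blocklist is a constructed five-entry sample, stored as SHA-1 digests, standing in for a real breached-credential corpus, and the 8-character floor comes from NIST SP 800-63B rather than from the article.

```python
import hashlib
import unicodedata
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets

# Constructed sample blocklist (hypothetical, five entries) stored as SHA-1 hex
# digests so the list never holds cleartext; a real deployment would use a
# breached-credential corpus or a k-anonymity range lookup against one.
SAMPLE_BREACHED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Welcome1")
}

def normalize(secret: str) -> str:
    """NFKC-normalize before hashing so the same passphrase compares equal
    regardless of input method (the guidelines recommend this for Unicode)."""
    return unicodedata.normalize("NFKC", secret)

def is_breached(secret: str, blocklist=SAMPLE_BREACHED) -> bool:
    """Hash-prefix lookup: the first five hex digits select candidates, the
    full-hash comparison stays local, as with a k-anonymity range query."""
    digest = hashlib.sha1(normalize(secret).encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in {h[5:] for h in blocklist if h.startswith(prefix)}

def has_trivial_pattern(s: str) -> bool:
    """Flag one repeated character or four consecutive code points ('abcd', '1234')."""
    if len(set(s)) == 1:
        return True
    run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if ord(b) == ord(a) + 1 else 1
        if run >= 4:
            return True
    return False

def check_password(secret: str, username: str = "") -> list:
    """Return the policy violations for a candidate; an empty list means accepted.
    Deliberately no composition rules, no expiry and no cap below 64 characters,
    which is what the current NIST guidance asks for: length, blocklist, context."""
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if username and username.lower() in s.lower():
        problems.append("contains the username")
    if has_trivial_pattern(s):
        problems.append("repetitive or sequential characters")
    if is_breached(s):
        problems.append("appears on a breached-password list")
    return problems
```

A spaced passphrase passes untouched, while an eight-character password that meets every old composition rule is still rejected if it sits on the blocklist.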
Vendors are also pushing biometric and other solutions that are less reliant on passwords. “Experience shows us that passwords are an archaic method of authentication, are no longer enough against today’s threat landscape and are not user convenient,” maintains Karl Barton, head of international channels and alliances for. “The reality is that people will continue to reuse passwords across multiple resources – despite advice against this – allowing stolen credentials to have far-reaching consequences. With the trend of credential compromise on the rise, organizations must adopt modern approaches to identity security, which ultimately render stolen credentials useless to an attacker.”
Similarly Don Duncan, security engineer at NuData Security, which uses behaviour analytics to identify users, said with the amount of personal information that has flooded the dark web, a password can’t be trusted to authenticate a user. Companies require new authentication frameworks that secure accounts by looking at other user data that can’t be replicated by a third party. “Multi-layered solutions that include passive biometrics and behavioral analytics are allowing companies to verify customers by their behavior and hundreds of other inherent identifiers that can’t be stolen, instead of relying on static data such as passwords. This way, even if a password has been compromised, the company can still verify the user behind the device correctly and protect the account from fraud.”
“We have made passwords more and more complex so they cannot be easily guessed by bad actors,” said George Cerbone, principal architect at One Identity. “Unfortunately, this is also one of their biggest drawbacks. The forgetting and resetting of dozens of passwords is a broken cycle that we should strive to end … Layering security through a multi-factor process is authentication done right. And the good news is that as biometrics evolves, it can serve as a portion of the multi-factor authentication process.”