Password Management Software
The InfoSec Consulting Series #26
By Jay Pope
Few of us will have escaped the frustration associated with managing online passwords. As more of our day-to-day lives are conducted online, the more usernames and passwords we need to create. One of the most common mistakes with passwords that people make is to create accounts with the same password for every site. It doesn’t matter how difficult the password might be to guess – if a security breach on one site occurs, all accounts created with the same password become vulnerable. The obvious solution for easy password management might be to go for simple, memorable passwords. The simplicity means they’re theoretically easier to crack. More sites are demanding that we create passwords with minimum character lengths, containing letters, numbers, mixed cases and special characters. The problem is, the more complex these passwords are, the less memorable they tend to be and the more frustrating they can be to use as a result. And for employees logging into their employers’ systems, security requirements are often even tighter, with many having to deal with frequent password changes on top of other password creation requirements.
But in recent years, security experts in the US and UK have been considering a new approach to password security that is as practical as it is strong, challenging much of the traditional school of thought. According to the UK’s National Cyber Security Centre (NCSC), overloading staff with complex password requirements has little positive effect on cyber security. The NCSC instead recommends strategies that combine automation with more streamlined password policies.
Eliminate The Need For Frequent Password Updates
Take the requirement for regular password changes, for example. To make their passwords easier to remember, employees are more likely to alter them incrementally, changing a single character, than to choose a completely new one, or they may rotate several passwords that they also use for sites outside work. This weakens security, and in any case the NCSC says there is no benefit to be gained from changing passwords every few weeks, since a stolen password is most likely to be used immediately. Instead, the advice is to monitor login patterns and notify employees of their login attempt history, so they can report any suspicious activity. Workers then need only change their passwords if there is a suspicion of unauthorised use.
Reduce The Need For Complex Passwords
Requiring workers to create and then memorise long and complicated passwords often leads to other common shortcuts and strategies, such as replacing letters with numbers to create memorable words. This strategy is well known to attackers, who will begin with words and commonly substituted characters. Automated defences such as locking an account after a prescribed number of unsuccessful login attempts and banning common passwords can help prevent attacks. Encouraging users to think of new password strategies such as passphrases (a string of random words from a dictionary, for example) or passwords based on consonant and vowel patterns can dramatically reduce the chances of their passwords being guessed by hackers.
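The two automated defences mentioned above, a denylist of common passwords that also catches the letter-for-number substitutions attackers try first, and an account lockout after repeated failures that keeps the login history users are asked to review, as an added Python example (not from the article or the NCSC; the denylist, substitution table and thresholds are constructed for illustration):

```python
import hmac
import re
from collections import defaultdict

# Constructed sample denylist; a real deployment loads a full common/breached-password list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "monkey"}

# Hypothetical table reversing the number/symbol-for-letter swaps attackers try first.
SUBSTITUTIONS = str.maketrans("01345$@7", "oieassat")


def normalise(password: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, undo substitutions.
    'P@ssw0rd1!' -> 'password', so the disguised form is caught by the denylist."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(SUBSTITUTIONS)


def is_banned(password: str) -> bool:
    """Reject a candidate whose normalised form is a known common password."""
    return normalise(password) in COMMON_PASSWORDS


class LoginGuard:
    """Locks an account after MAX_FAILURES consecutive failures within WINDOW seconds
    and records every attempt so the user can be shown their own login history."""
    MAX_FAILURES = 5
    WINDOW = 15 * 60  # seconds

    def __init__(self):
        self.history = defaultdict(list)  # user -> [(epoch_seconds, source_ip, succeeded)]

    def is_locked(self, user: str, now: int) -> bool:
        failures = 0
        for ts, _ip, ok in reversed(self.history[user]):
            if ok or now - ts > self.WINDOW:  # a success or an old attempt ends the streak
                break
            failures += 1
        return failures >= self.MAX_FAILURES

    def attempt(self, user: str, password: str, stored: str, source_ip: str, now: int) -> str:
        if self.is_locked(user, now):
            return "locked"
        # Constant-time comparison; stands in for verifying against a salted password hash.
        ok = hmac.compare_digest(password.encode(), stored.encode())
        self.history[user].append((now, source_ip, ok))
        return "ok" if ok else "failed"

    def report(self, user: str) -> list:
        """Login-attempt history to show the user, per the NCSC advice in the text."""
        return [f"t={ts} from {ip}: {'success' if ok else 'FAILED'}" for ts, ip, ok in self.history[user]]
```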
Train Staff
Raising awareness of common mistakes with passwords will improve security. No matter how complex the password requirement is, workers must be trained to avoid the pitfalls associated with devising a strong password. Strategies to avoid are:
- Personal information
- Commonly used words
- Passwords derived from keyboard layouts (e.g., ASDFG, QWERTY)
- Reusing passwords that are also used outside of work
Make Systems As User Friendly As Possible
User password management comes in different guises. Often, workers are required to use several passwords to access different company systems, so consider alternatives that enable single sign-on. Assist staff by providing ways to store passwords, either physically within the office or by using password management software and other identity and access management systems. Software such as ManageEngine, LastPass Enterprise and Keeper may be a good choice for DevOps password management and for other systems.
Security vs Memorability
Machine-generated passwords need to be memorable enough for staff to recall but complex enough to be secure. The NCSC recommends letting users choose the passwords they find most memorable.
These are just a few examples of the steps involved in reviewing a business’s strategy for improving systems security.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.