The business of authentication

Password Management Policies

Before you leap to the design and implementation of your enterprise's password management policies…stop! Have you done a risk assessment?

An enterprise risk assessment is the starting point for crafting an enterprise layered identity security strategy. One part of the strategy will address enterprise password management policies. The risk assessment must be done to evaluate enterprise business, knowledge and security risks. From this, you will identify those applications, business processes, information, site, facility, building and room security points that are high risk, medium risk and low risk. Against this you can then assign the user authentication strength required for accessing them.

The lowest risk application, systems and information should require either no authentication or the use of passwords. Passwords should NOT be used alone for areas which are medium or high risk. Please review the earlier section of this website for more information on the security risks of using passwords.

A password management policy usually contains:

Password Length

The password length specifies the number of characters in the password. If the user has a password that is only 6-8 characters long then this is normally easily overcome with a dictionary attack. Most modern dictionary attacks, run off a normal computer, can run at 75 million passwords per minute!

The most common form of user password length is 6-8 characters. Asking for longer passwords may technically offer greater security but be harder for the user to remember.

Password Formation

From a password attack perspective, the use of different characters, signs, upper and lower case characters and numbers in a password make the cracking of the password more time consuming. Some governments, like the UK, now require passwords to be in the form consonant, vowel, consonant, consonant, vowel, consonant, number, number.

Many enterprises are now moving towards asking their users to not use any word found in the dictionary. Further, there is also a move towards asking users to not use vehicle license plate numbers in their password since this is easily socially engineered. Still other enterprises now offer the user an array of choices and ask them to choose one.

Unfortunately, most of these policies are very hard to enforce on the user. An average user has three to four passwords to remember in their workplace plus several more from their outside work activities (e.g. bank, credit card, airline, car rental agency, online stores, etc.). In the end, most users either try and use the same one all the time or, if forced to change them, then write them down on pieces of paper and stick them on the sides of their computer screens, hide them beneath their keyboard, etc.

Password Duration

Most enterprises require the user to change their password every 60-90 days. This means, in an average enterprise for an average user, that the user who has four passwords in their job will have to try and remember 16 different passwords each year. The chances of the user getting confused over which password they've used are high. They will try and reuse old ones and/or end up writing them down which weakens the overall security.

From an enterprise perspective, the need to have passwords change, came about historically from seeing that passwords can be easily obtained through hardware, software or social engineering attacks. This resulted in enterprises requiring their users to change their passwords more frequently to minimize the risk to the enterprise.

Today, in this consultant's opinion, this tactic is no longer valid. Passwords are VERY insecure. Relying upon them as the mainstay of your enterprise security is VERY FOOLISH. Therefore, the recommendation is to minimize the total number of passwords a user has to remember, and assign them to only low risk enterprise information and applications. Therefore, if someone steals a password, which is highly likely in today's environment, the overall risk to the enterprise is low. Stronger forms of authentication should then be used for higher risk information and applications.

The effect of doing this will be to lengthen out the password duration and also enable the enterprise to force stronger password length and password formation. Thus, a user who has only one password to remember and use may be required to choose a password that is 10 characters long, with upper can lowercase and uses numbers. The password may be changed once every year.

An exception to the above recommendation would be for high risk applications, such as approving checks. In this case, the user might be forced to authenticate using a security token and a second password different than the one that they log on to for accessing enterprise low risk systems, application and information. In this case, the password duration may be much shorter, requiring the user to change and remember a new password every 40-90 days.

Password Hygiene

Optimally, your enterprise should have password management policies in place that require the following:

  • Never tell anyone about your password
  • Never use the same password for more than one account
  • Never share a computer account
  • Never write down a password
  • Never communicate the password by email, phone, fax or instant messaging
  • Log off the computer before leaving the computer unattended
  • Change passwords quickly whenever there is a suspicion the password may have been comprised

The practice of enforcing these policies in real life means that often these policies are not used by the user. There may be too many passwords to remember, they change too frequently, they need to leave their desk unexpectedly with the computer still logged on, etc.

My recommendations to address this are as follows:

  1. Reduce the number of passwords a user has to remember, for an average user, to one.
  2. Use passwords only in low risk situations. The exception being for a high risk application where a second password is required in addition to presenting something the user has (like a security token or a digital certificate) and/or something of the user (like a biometric).
  3. Require all users, once a year, to watch a 2-3 minute video highlighting the current enterprise security concerns relative to passwords, phishing, the risk of clicking on email links in a message, etc.
  4. Then use a software tool to check and enforce that user's passwords are strong and not weak.

Password Resets

Today, many enterprises are addressing the user confusion on having to remember multiple passwords by synchronizing passwords between different applications and systems and/or by having the employees do their own self-serve password reset. While this reduces overall enterprise password management costs and increases user satisfaction, it generally increases overall enterprise risk. Why?

Reducing the number of passwords a user has to know BUT still relying upon passwords as the primary user authentication method only increases the enterprise risk. If the password is obtained by a malicious person, then they have wider access to the enterprise applications, systems and information.

Having the user do their own password resets normally involves the user answering some basic questions about themselves that the user has previously given the enterprise system. "What's your mother's maiden name" etc. These types of questions are normally easily obtained through social engineering.

Therefore, it is okay to synchronize passwords and have the user do their own password resets AS LONG AS THE ENTERPRISE IS NOT USING PASSWORDS FOR MEDIUM TO HIGH RISK SYSTEMS, APPLICATIONS AND INFORMATION ACCESS.

Password Strengthening

Password Authentication Single Sign On Authentication Access Control Authentication Authentication-Enterprise Security Authentication Strength Authentication Transaction
Authentication Management User Authentication Authentication Federation Biometric Authentication PKI Authentication Token Authentication Wireless Authentication Document Authentication Authentication - Outsourcing