Password Malpractice: Are You Guilty?
The explosion of passwords in today’s enterprise has created a sea of holes in the security infrastructure. Some CIOs have responded to the challenge by bringing in the lifeboats, figuratively speaking, but in many cases the password-related security risk remains largely unchecked and even ignored.
Whether out of denial, inertia or sheer work overload, many IT managers simply look the other way when it comes to ensuring password security. The upshot, in effect, is password malpractice. Thousands of points of possible network infiltration are left open to determined hackers and even disgruntled employees. One cracked or stolen password can undo all other security measures combined.
The magnitude of the problem is staggering. The majority of users now have more than six passwords, a third have more than 15, and IT administrators can have up to 100, according to industry estimates. The blame lies primarily with the proliferation of applications and Web-based services, each requiring its own user ID.
The result? An extra management burden for the IT staff, an influx of forgotten password calls to the help desk, millions of dollars a year in password resets at an estimated US$22 each, and — in an ironic twist, given that passwords are security tools themselves — a variety of complications on the security front.
First, there’s the problem of password sharing. CEOs routinely entrust their passwords to their administrative assistants, effectively handing them the keys to the kingdom. Stock traders give their passwords to the subordinates who handle their paperwork to ensure that they get credit for transactions. Nurses trade passwords so that they can access patients’ medical information in a timely manner. Actions like these increase network exposure exponentially.
Then there are the security threats posed by password tracking strategies that users employ to compensate for the limitations of human memory.
Corporate security policies notwithstanding, many employees assign identical passwords to multiple accounts simply to eliminate the need to remember different codes. Those that obey orders to use different passwords for each account typically create cheat sheets on Post-Its or PDAs to keep track. These practices create their own security hazards.
Despite the fact that these kinds of transgressions are as well-known to any network administrator as the latest virus attack or Microsoft flaw, many enterprises claim not to be concerned at the potential for password-related security breaches.
Those that do acknowledge the danger and resolve to take action frequently make another mistake: they adopt an ambitious plan to do away with passwords completely and replace them with an architecture that faces enormous hurdles in implementation.
Several years ago, the technology plan du jour was to replace password-based authentication with PKI certificates. Today, the pet plans for password-less application access range from federated identity to authentication through Active Directory, smart cards with digital certificates and PINs, or Web-ifying all of their applications in order to adopt a webSSO solution.
Unfortunately, these approaches simply winds up perpetuating password malpractice. These projects may have a five- or even a 10-year road map, either because they require massive amounts of coding or because many in-house or hosted business applications cannot yet support the technology in question. While administrators struggle to make good on their plan, passwords remain a relatively easy path to the corporate jewels.
There are faster and more practical ways to plug password-related security gaps, either through corporate policy or technology or — ideally — a combination of the two.
One quick fix is to change your password policy just enough to thwart easy code-cracking by hackers by requiring that each password contain at least one special character such as a dollar sign, asterisk or ampersand in the middle. Simply changing the word “happy” to “ha&&y”, for example — or, alternatively, using numbers or phrases — will foil would-be intrusion by dictionary attacks.
A complementary strategy that can help curb abuse of password sharing is to change the frequency of required password changes for the company’s two or three most sensitive business applications. If your usual policy is that passwords be changed every 90 or 180 days, narrowing the window for key applications to 30 days can help prevent shared passwords from getting into the wrong hands — whether by the person taken into confidence or by third parties who may filch the password from a written note on a desk.
As for a technology solution, the first step is to acknowledge that passwords and the existing set of applications as they exist today are going to be around for the foreseeable future. The most logical approach then becomes a matter of focusing efforts on controlling the source of the password security problem: fallible memory in the face of password overload.
If a brain were a computer, it could spit out any password on command without the need to worry about forgetting which password goes with which application. That in turn would eliminate the need to have a written record, along with the risk of having that record pilfered.
Technologies that automate password storage and recall can overcome the problem by standing in for the human brain. Enterprise single sign-on (ESSO), for example, adopts that strategy. Users need only remember the one password that is used to log on to Windows. The ESSO system then responds to each application, database or account logon prompt with the correct account password on behalf of that user.
ESSO takes things one step further by progressively changing user-selected passwords to computer-generated passwords as each application prompts for a new password when the old password expires. Computer-generated, random passwords cannot be easily hacked, even by the most sophisticated methods.
Regardless of the strategy selected, the important thing is to confront the password security problem head-on. If you turn a blind eye, you’re as guilty of network malpractice as a doctor who ignores the symptoms of a heart attack. If you’re lucky, your network will be safe. If you’re not, you may find your corporate secrets purloined by competitors or even splashed over tomorrow’s newspaper. Not a pretty thought.