Password security starts with making life easier for the user
- By Kathleen Hickey
- Jan 26, 2016
The annual list of most popular bad passwords from 2015 looks quite a bit like last year's – and the list from the year before that. It suggests that users would rather risk hacking and identity theft than remember strong, unique passwords.
Yet while experts acknowledge that insecure passwords are a key security issue for organizations, little has been done to help users manage them. Instead, organizations have focused on creating policies to either encourage (or force) users to master an increasing number of complicated passwords that are impossible to remember.
This approach isn’t working. Numerous complicated passwords do not necessarily make a system more secure, according to a recent guidance report issued by the information security arm of the U.K. Government Communications Headquarters. “Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users,” the report said. "They create cost, cause delays and may force users to adopt workarounds or non-secure alternatives that increase risk."
To address the challenges inherent in password-based security, the U.K. government is taking a different tack – encouraging its systems administrators to simplify their approach to passwords and use automated controls to defend against automated guessing attacks. According to the report, this approach is far more effective than relying on users to generate (and remember) complex passwords.
IT managers can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage by following these rules:
Limit password use. Systems and services with no security requirements should be free from password control.
Ask users to change their passwords only if there is an indication or suspicion of compromise, rather than at regular intervals.
Allow users to reset passwords easily, quickly and cheaply.
Consider alternate access control mechanisms, such as RFID badges, when applications require shared passwords.
Steer users away from choosing predictable passwords and prohibit the most common ones by blacklisting.
Choose a scheme for machine-generated passwords that are easy to remember, and offer users a choice of passwords so they can select one they find memorable.
Ensure that robust measures are in place to protect administrator accounts, and do not use administrator accounts for day-to-day user activities. Administrators should also have ‘standard’ user accounts for normal business use (with different passwords).
Implement two-factor authentication for all remote accounts.
The U.K. government isn’t alone in calling for agencies to change their password policies and structure.
Results from a recent survey by Dell of 150 federal IT and security professionals “shows that sometimes the heavy-handed approach we take to security is too intrusive,” said Paul Christman, vice president of federal at Dell Software, of the survey results.
Only 3 percent of federal respondents said the typical employee needed one login/password combination; 47 percent of federal respondents said they staffers use between two and five passwords at work. Thirty-four percent said the typical employee needed between six and 10 passwords.
“This is the charade that drives me nuts. We put complexity on top of complexity, and call it security,” Marc Boroditsky, COO of the strong authentication firm Authy, told FCW, a sister site to GCN. “Why is it the user’s problem to manage the weakness that is built into these systems?”
Kathleen Hickey is a freelance writer for GCN.