[BreachExchange] Security Think Tank: A good password policy alone is not enough
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Jul 13 15:14:31 EDT 2018
https://www.computerweekly.com/opinion/Security-Think-Tank-A-good-password-policy-alone-is-not-enough
It is estimated that 81% of cyber breaches are due to weak passwords,
potentially putting businesses at risk of losing millions. Password
security depends on making cyber security a wider societal issue because
every person who has a work or private internet account has a password and
most of our personal and corporate data is now hidden behind them.
This renders a company’s cyber security dependent on its rank-and-file
employees because every staff member with a password to access corporate
systems or data is potentially a weak link in the organisation’s cyber
security chain.
Yet passwords are never treated with the same diligence as traditional
keys. You would never see people make 12 copies of their house key and
leave them on trains, yet people constantly write down passwords on
different bits of paper and throw them away.
Passwords are routinely lost, not updated or made so complex that their
owners can’t remember them. Many companies are also under the illusion that
a good password policy alone is enough to protect their data and systems
against intruders.
So what is the perfect password, and the perfect strategy for deploying
them, and when is a password simply not enough? Below are four examples.
The secret to a ‘strong’ password
The best passwords are not the longest or most complicated ones. The best
passwords are those that are easy to remember, but personal to the user, so
that users don’t have to write them down and are unlikely to forget them.
For example, choose a “private joke” or phrase and remove the spaces or add
an extra character to make it harder to guess.
Simplifying password management
Algorithm (formula-based) passwords have many advantages over traditional
passwords. They are easy to personalise and allow employees to log in with
special characters, numbers or capitals without remembering all their
passwords.
Crucially, they ensure different passwords for different accounts, so a
hacker cannot use the same key to unlock multiple devices or accounts. This
allows organisations to simplify the process for employees.
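The following is an added illustration, not code from the article or its author, of what a formula-based scheme looks like when the "formula" is a keyed function rather than a guessable human rule: one memorised master secret is expanded with HMAC-SHA256 into a distinct password per account, so a password exposed for one service does not unlock the others and does not reveal the rule behind them. The character set, the required character classes, the 16-character default and the demo secret are assumptions made for this example.

```python
import hashlib
import hmac
import string

# Character set and the classes a derived password must cover (assumed policy,
# not taken from the article).
SPECIALS = "!@#$%^&*-_"
ALPHABET = string.ascii_letters + string.digits + SPECIALS
REQUIRED_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                    string.digits, SPECIALS)
# Largest multiple of len(ALPHABET) that fits in a byte; keystream bytes at or
# above it are rejected so every character is equally likely (no modulo bias).
_REJECT_ABOVE = 256 - (256 % len(ALPHABET))


def meets_policy(password: str) -> bool:
    """True if the password contains at least one char of every required class."""
    return all(any(c in cls for c in password) for cls in REQUIRED_CLASSES)


def _candidate(master_secret: bytes, label: str, length: int) -> str:
    """Expand HMAC-SHA256(master_secret, label|counter) into `length` characters."""
    chars = []
    counter = 0
    while len(chars) < length:
        msg = f"{label}|{counter}".encode()
        for b in hmac.new(master_secret, msg, hashlib.sha256).digest():
            if b < _REJECT_ABOVE:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        counter += 1
    return "".join(chars)


def derive_password(master_secret: bytes, account: str,
                    length: int = 16, version: int = 1) -> str:
    """Derive a per-account password from one memorised master secret.

    Keyed derivation means two accounts never share a password, and a password
    exposed for one account does not reveal the rule behind the others.
    Bumping `version` rotates a single account's password after that service
    is breached, without touching the master secret.
    """
    if length < len(REQUIRED_CLASSES):
        raise ValueError("length cannot satisfy the required character classes")
    # The account label is normalised so "Mail.Example.com " and
    # "mail.example.com" derive the same password.
    normalised = account.strip().lower()
    for attempt in range(64):
        label = f"{normalised}|v{version}|l{length}|a{attempt}"
        pw = _candidate(master_secret, label, length)
        if meets_policy(pw):
            return pw
    raise RuntimeError("no policy-compliant candidate found")  # practically unreachable


if __name__ == "__main__":
    # Constructed demo secret; a real one would be a long, memorised passphrase.
    secret = b"correct horse battery staple - demo only"
    for acct in ("mail.example.com", "crm.example.com"):
        print(acct, derive_password(secret, acct))
```

The master secret is the only thing the user remembers; everything else is recomputed on demand, which is what makes the per-account passwords "different keys" rather than variations of one key. The weakness of this model is that the master secret itself becomes a single point of failure, which is why the article's later point about multi-factor authentication still applies.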
Giving organisations control
Allowing employees to manage their own passwords can encourage a “tick-box”
culture where employees do the bare minimum to comply or make lazy errors,
such as using the same password for multiple systems. Password vaults
centralise the entire process of creating and updating passwords, enabling
organisations to take control of cyber security.
The vaults also record which employees have the strongest and most recent
passwords as well as any failed login attempts, giving companies a 24-hour
central overview of the state of their password security. This can be used
to incentivise best practice by rewarding employees with excellent records
of password management and identifying poor performers.
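As an added example of the kind of central overview described above (not code from the article or from any particular vault product), this script audits a constructed export of vault records for three conditions a security team would act on: passwords older than a maximum age, the same password fingerprint reused across systems by one user, and accounts with a burst of failed logins. The field names, the `pw_fingerprint` field (standing in for whatever keyed hash a vault keeps to recognise the same password on different systems without storing it), the 90-day and 10-attempt thresholds and the sample data are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample export from a password vault (not real data).
SAMPLE_RECORDS = [
    {"user": "alice", "system": "vpn", "pw_fingerprint": "f1a3",
     "last_changed": date(2018, 6, 1), "failed_logins_24h": 0},
    {"user": "alice", "system": "crm", "pw_fingerprint": "9c0d",
     "last_changed": date(2018, 7, 10), "failed_logins_24h": 1},
    {"user": "bob", "system": "vpn", "pw_fingerprint": "ab12",
     "last_changed": date(2017, 11, 2), "failed_logins_24h": 0},
    {"user": "bob", "system": "crm", "pw_fingerprint": "ab12",
     "last_changed": date(2017, 11, 2), "failed_logins_24h": 14},
    # carol's password is exactly 90 days old on 2018-07-13: a boundary case
    {"user": "carol", "system": "vpn", "pw_fingerprint": "77e0",
     "last_changed": date(2018, 4, 14), "failed_logins_24h": 0},
]


def audit(records, today, max_age_days=90, failed_threshold=10):
    """Return stale, reused and brute-force-suspect entries from vault records.

    Thresholds are assumed defaults; tune them to the organisation's policy.
    """
    findings = {"stale": [], "reused": [], "lockout": []}
    systems_per_fingerprint = defaultdict(set)
    for r in records:
        age_days = (today - r["last_changed"]).days
        if age_days > max_age_days:  # strictly older than the maximum age
            findings["stale"].append((r["user"], r["system"], age_days))
        if r["failed_logins_24h"] >= failed_threshold:
            findings["lockout"].append(
                (r["user"], r["system"], r["failed_logins_24h"]))
        # Same user + same fingerprint on more than one system means reuse.
        systems_per_fingerprint[(r["user"], r["pw_fingerprint"])].add(r["system"])
    for (user, _fp), systems in systems_per_fingerprint.items():
        if len(systems) > 1:
            findings["reused"].append((user, sorted(systems)))
    return findings


def users_needing_attention(findings):
    """Users that appear in any finding category, for follow-up or training."""
    return {entry[0] for entries in findings.values() for entry in entries}


if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS, date(2018, 7, 13))
    for category, entries in result.items():
        print(category, entries)
    print("follow up with:", sorted(users_needing_attention(result)))
```

The reuse check only works if the vault can compare passwords across systems without exposing them, hence the fingerprint; the failed-login count is the signal that turns the vault's record-keeping into early warning of a guessing attack against one account.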
When a password is not enough
For business-critical or sensitive data and systems, a password alone is
never sufficient. Even some personal information might seem innocuous on
its own, but could be sensitive if aggregated with other data. Your
personal email contains the key to your search history, but also your
friends and work contacts – information that could be enough to guess your
other passwords.
Organisations must instead use two-factor authentication to increase the
number of hoops a potential attacker has to jump through. They should also
use so-called air-bridge or air-gapping mechanisms to ensure different devices
and networks are isolated and have different “ratings” of security
depending on the sensitivity of the data or system.
This ensures that employees must go through multi-factor authentication to
connect to a particular system and, if that system is compromised, there is
no “spill over” to other corporate networks or devices.