Prevent Password Problems
Playing the password game isn’t hard – but winning it is like playing chess with no way to checkmate the opponent: the pressure never lets up. That adds up to a lot of password stress for both IT admins and end users at any organization. Prevention is the best way to checkmate ruinous password problems before they occur. “The supreme art of war is to subdue the enemy without fighting.” – General Sun Tzu.
Problems with passwords and people
- Weak passwords. Weak passwords are the first problem most IT managers have to deal with. Most accounts are password-protected, so a weak password undermines the foundation of security regardless of any other safeguards. But people will naturally choose weak passwords to reduce the effort of memorizing and repeatedly typing them. In practice, individual users cannot be relied on to meet enterprise-level password standards on their own. Enterprise passwords must be secured by the IT team and not left to the discretion of individual users.
- Reused passwords. If one password is cracked and that same password is used for many other accounts, all of those accounts are now at risk. Attackers count on this: credentials leaked from one breach are routinely tried against other services. A user who has to memorize 100 passwords will naturally reuse them to ease the burden of remembering so many random combinations.
- Passwords written on Post-it notes on monitors. Passwords written down are bad enough. Passwords written down and stuck to the monitor? Blasphemy. Why even have security? If you tell people not to write passwords down, they will write them down and hide the paper anyway. Bad habits die hard. People also tend to lose pieces of paper: not only can the user no longer log in, someone else may now have that password.
- Phishing attacks on employees. How do you prevent phishing? Training and awareness help. Remember when GoDaddy sent its employees a phishing-test email announcing a bonus? Managers are getting tough on their troops in the war against phishing. It must be stressful for employees to always have their guard up.
- Updating shared passwords and letting others know. Passwords are finicky enough with one user. What about passwords shared between users? Say all 20 doctors need access to one shared kiosk computer, but its password changed over the weekend. What is the best way to get the new password to 20 doctors arriving at different times?
- Password security during turnover. If every employee is responsible for their own passwords, how does an IT manager know which accounts a departing employee still has access to? There are too many reported incidents of ex-employees still having access to multiple accounts at their former company. They still have access because the company’s deprovisioning process is poorly managed.
- Balancing usability and security. Choosing between ease of logging in and stronger security is like having your king and queen forked in chess: you can save only one. You have to choose – security or convenience. End users will always fight for convenience.
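Three of the problems above (weak passwords, reused passwords, and accounts still held by departed staff) are exactly what an admin-side audit over a password-manager or IAM vault export should surface. The following is an added example, not code from the original article or from any particular product. It runs over a constructed vault export and a constructed breached-password list, compares passwords by SHA-1 digest (the form in which breach corpora such as Pwned Passwords publish them) rather than by plaintext, and flags entries whose owner is on the leaver list. The 12-character minimum is an assumed policy threshold, not something the article specifies.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not from the original article): a vault export as an
# admin-side password manager might expose it, plus the HR leaver list.
VAULT = [
    {"owner": "alice", "site": "mail.example.com",    "password": "Summer2023!"},
    {"owner": "alice", "site": "crm.example.com",     "password": "Summer2023!"},
    {"owner": "bob",   "site": "mail.example.com",    "password": "password123"},
    {"owner": "bob",   "site": "vpn.example.com",     "password": "c7!Qz9#pL2vT4wXr"},
    {"owner": "carol", "site": "billing.example.com", "password": "c7!Qz9#pL2vT4wXr"},
    {"owner": "dave",  "site": "git.example.com",     "password": "Kx9$mN2#vB7@qL4w"},
]
DEPARTED = {"dave"}

# Constructed stand-in for a breached-password corpus, keyed by uppercase SHA-1
# hex the way the Pwned Passwords range API returns it. Only the digest is kept.
BREACHED_SHA1 = {hashlib.sha1(b"password123").hexdigest().upper()}

MIN_LENGTH = 12  # assumed policy threshold


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def audit(vault, departed, breached_sha1, min_length=MIN_LENGTH):
    """Return {(owner, site): [finding, ...]} for every vault entry with a problem."""
    findings = defaultdict(list)

    # Group entries by digest so reuse is found without comparing plaintexts.
    by_hash = defaultdict(list)
    for entry in vault:
        by_hash[sha1_hex(entry["password"])].append((entry["owner"], entry["site"]))

    for entry in vault:
        key = (entry["owner"], entry["site"])
        digest = sha1_hex(entry["password"])
        if len(entry["password"]) < min_length:
            findings[key].append("weak: shorter than %d characters" % min_length)
        if digest in breached_sha1:
            findings[key].append("weak: appears in breach corpus")
        others = [k for k in by_hash[digest] if k != key]
        if others:
            findings[key].append(
                "reused: same password as " + ", ".join("%s@%s" % o for o in others))
        if entry["owner"] in departed:
            findings[key].append(
                "orphaned: owner has left, credential must be rotated/revoked")
    return dict(findings)


if __name__ == "__main__":
    for (owner, site), issues in sorted(audit(VAULT, DEPARTED, BREACHED_SHA1).items()):
        for issue in issues:
            print("%s@%s: %s" % (owner, site, issue))
```

Run stand-alone, it prints one line per finding. In production the breach check would query the Pwned Passwords range API with only the first five hex characters of the digest, so the full hash never leaves the network; the in-memory set here stands in for that lookup so the example runs offline.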
Preventing password problems
- Use a password manager. “Password managers don’t have to be perfect, they just have to be better than not having one.” – Troy Hunt. You should listen to Mr. Hunt. An enterprise password manager lets IT admins enforce strong, unique passwords on accounts and report which accounts still have weak or reused ones. Once longer, randomly generated passwords are stored in the manager, users never have to type or memorize them again, which removes the incentive to write them down.
- Deploy passwordless authentication. Now that your users have a password manager, get rid of that last ‘master password’ that is the gateway to all the others. An organization with 1,000 users holding 100 passwords each has 100,000 password-protected accounts for the IT team to manage at any given time. Eliminate the manual management of those 100,000 passwords. Passwordless options include hardware tokens, biometrics, smart cards, and more.
- Enforce 2FA at every possible point. With 2FA, a stolen or guessed password alone is no longer enough to get into an account; the attacker also needs the second factor. If a website offers 2FA, use it. Two layers are better than one. Where the service gives you a choice, prefer an authenticator app or a hardware security key over codes sent by SMS. Yes, it is a pain to perform extra steps to log in, but it is worth it. Not to mention that 2FA is increasingly required by regulatory compliance regimes, corporate security policies, and cyber-insurance carriers.
- Use an IAM solution. IAM solutions allow for swifter provisioning and deprovisioning of employee accounts and credentials, and the cost savings for IT managers are significant. Say you hire 100 new employees, each requiring 100 passwords: that is 10,000 new credentials to create, distribute, and keep secure. A centralized IAM solution makes this far easier, and it turns deprovisioning into a single, auditable step when someone leaves. Without one, it is like a library without a checkout process: chaos.
- Use automation instead of relying on training and awareness alone. Many teams rely on training and awareness. Automation is the preferred method for organizations seeking to get the most from every employee. No amount of training and awareness can compete with automation when the alternative is relying on people to remember. Automation doesn’t forget, it doesn’t get tired, it doesn’t get complacent; in these circumstances it is more reliable than people are.