The Password Policy Paradox

By Ubong Kingsley-Udoh

If recent security breaches are anything to go by, the idea that the password is the root of all digital evil will not fade away any time soon. From an enterprise perspective, resources within an organisation need to be restricted to authorised users, while individuals keep passwords for much the same reason: to stay protected.

These days most organisations try to address security concerns by implementing stronger password policies, which in the end requires employees to remember two or more passwords for the different layers (application, network and infrastructure) and ends up being stifling.

As a matter of fact, most employees find it cumbersome to remember two or more strong passwords, so the policy gets bent in practice, resulting in network security lapses and more help-desk requests to reset forgotten passwords. This is what I refer to as the Password Policy Paradox: the claim that requiring too many strong passwords lessens the overall security posture.

While there isn't a one-size-fits-all approach to authentication, biometrics offer the strongest form of authentication, but they are quite pricey and out of reach for most organisations. Tokens are very effective likewise, and the financial services sector has been the biggest adopter of this technology to date. Token-based systems are also very expensive to deploy, which makes passwords the most viable, common-denominator solution for most operations.

A password-based security scheme is the best option for most organisations, but there is a challenge in adopting it as the single strategy for securing the baseline and the perimeter. Passwords can be a burden on users who need access to business and mission-critical data online. Striking a balance between end-user convenience and effective security and password policies is as crucial as ever. The need for data to flow seamlessly must be weighed against the risk of a major security breach.

In developing password policies, it's imperative to consider the paradox of password security. A weak policy is inherently insecure, but an overly stringent policy will result in users breaking the rules. Practices like writing passwords on sticky notes or storing them in an unprotected computer file become rife. Requiring too many passwords has a cascading negative effect on security.

There are solutions and strategies, listed here in no particular order, that can help mitigate the risks of relying on passwords as your authentication model and of weak password adoption:

– A Strong Password Policy: Implementing a stronger password policy is the most elementary step towards increased security. In an ideal scenario the flowchart for security progress would run like this: the organisation establishes a stronger password policy, employees follow that policy and corporate data is secured. Simple as it looks, the ideal scenario doesn't work out that way. The single most important thing for an end user when creating a password is to make it hard to guess yet easy to remember, which is easier said than done. A strong password is measured by the combination of letters, numbers and symbols it contains. Users should be discouraged from using words found in the dictionary, because those are exactly what a dictionary attack tries first.

Passwords should be at least six characters long and should not contain any personal information such as a child's name, telephone number, home address, username or date of birth, to mention but a few. A combination of letters, numbers and symbols works best. It's also crucial to mix upper- and lower-case letters to make the password harder to crack.

Organisations must train their employees in several skills so as to keep them a step ahead of attackers and dispel the false sense of security rampant in many organisations. Users must change their passwords once every three months. Organisations must adjust their authentication processes or systems to enforce the stricter password requirements.
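The policy rules set out above, turned into a checker as an added example (not code from the original post): minimum length, letters plus digits plus symbols, mixed case, no dictionary words and no personal details. The wordlist, the profile fields and the function names are assumptions constructed for illustration.

```python
"""Checker for the password rules set out above (added example, not the
article's own code). DICTIONARY, the profile fields and the function names
are constructed for illustration; a real deployment would load a full
wordlist."""
import re
import string

MIN_LENGTH = 6  # the minimum length the article recommends

# Constructed stand-in for a real dictionary / common-password wordlist.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "iloveyou"}

def _personal_tokens(profile):
    """Lower-cased fragments of personal data: name parts, runs of digits
    (phone numbers, dates) and the digit-only form of each value."""
    tokens = set()
    for value in profile.values():
        value = str(value).lower()
        tokens.update(w for w in re.findall(r"[a-z]+", value) if len(w) >= 3)
        tokens.update(re.findall(r"\d{4,}", value))
        digits = re.sub(r"\D", "", value)
        if len(digits) >= 4:
            tokens.add(digits)
    return tokens

def check_password(password, profile=None):
    """Return the list of rules the password breaks; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    if not any(c.isalpha() for c in password):
        violations.append("no letters")
    if not any(c.isdigit() for c in password):
        violations.append("no digits")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbols")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("not mixed case")
    # Strip digits and symbols first so "Dragon123!" is still caught as a
    # dictionary word with decoration bolted on.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY:
        violations.append("dictionary word")
    lowered = password.lower()
    if any(token in lowered for token in _personal_tokens(profile or {})):
        violations.append("contains personal info")
    return violations
```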

– Password Synchronisation: This permits users to have a single password, subject to the existing security policies, that grants access to multiple machines, devices and systems. It can be used, for example, to synchronise passwords between a Windows-based system and a Linux-based one. This process is easier on the user, since only one password needs to be remembered, and that in turn creates a more secure environment. However, there is a downside to this strategy: the system will only be as secure as its most insecure application.

Take for instance an application that only allows a weak six-character password limited to letters (no numbers) and that is not case sensitive: every other application in the stack will be just as weak. So insecure systems shouldn't be included in password synchronisation schemes, because doing so defeats the purpose of the strategy. In an enterprise environment the synchronised passwords must be stored and/or transmitted across the network, and that process itself must be secure. Password synchronisation can be an effective tool, but its effectiveness depends on the nature of the applications being synchronised and their internal security policies.
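To make the weakest-link point concrete, here is an added example (not part of the original article) that models each application's password limits, works out what a single synchronised password may actually contain, and flags the applications that should be kept out of the scheme. The application names, their limits and the bits-of-search-space measure are constructed assumptions.

```python
"""Weakest-link analysis for a password-synchronisation group (added example,
not from the article). Application names, limits and the bits-of-search-space
measure are constructed assumptions."""
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class AppPolicy:
    name: str
    max_length: int        # longest password the application will accept
    allows_digits: bool
    allows_symbols: bool
    case_sensitive: bool

def effective_policy(apps):
    """What a single synchronised password may contain: the intersection of
    every application's limits, i.e. the most restrictive one on each axis."""
    return AppPolicy(
        name="synchronised group",
        max_length=min(a.max_length for a in apps),
        allows_digits=all(a.allows_digits for a in apps),
        allows_symbols=all(a.allows_symbols for a in apps),
        case_sensitive=all(a.case_sensitive for a in apps),
    )

def search_space_bits(policy):
    """log2 of the number of passwords a guessing attack must cover at the
    policy's maximum length (26 letters, doubled if case matters, +10 digits,
    +32 symbols). Higher is stronger."""
    alphabet = 52 if policy.case_sensitive else 26
    alphabet += 10 if policy.allows_digits else 0
    alphabet += 32 if policy.allows_symbols else 0
    return policy.max_length * math.log2(alphabet)

def weak_links(apps, min_bits):
    """Names of applications that would drag the group below min_bits and
    should be excluded from the synchronisation scheme."""
    return [a.name for a in apps if search_space_bits(a) < min_bits]

# Constructed sample: the article's six-character, letters-only,
# case-insensitive application next to two capable systems.
SAMPLE_APPS = [
    AppPolicy("Windows domain", 127, True, True, True),
    AppPolicy("Linux servers", 64, True, True, True),
    AppPolicy("legacy HR portal", 6, False, False, False),
]
# The article's own baseline: six mixed-case characters with digits and symbols.
BASELINE_BITS = search_space_bits(AppPolicy("org baseline", 6, True, True, True))
```

Run against the sample, the group's effective policy collapses to the legacy portal's limits, and `weak_links` names that portal as the one to exclude.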

– Single Sign-On: SSO is an authentication process that allows users to log in just once to gain access to resources and files. It's the same as the One Time Password. SSO is an additional layer that sits on top of all applications and web resources. The advantage of SSO is that users only have to remember one strong password. Single sign-on helps keep track of users and identify redundant accounts, but it can also portend danger, since SSO systems can't seamlessly integrate with third-party systems.

Moving forward, it is imperative that the industry moves beyond the current password system. The password system is broken. Even with fears about privacy and hacking, users and employees still pick hackable passwords. As Ashlee Vance of the New York Times succinctly puts it: “One out of five web users still decides to leave the digital equivalent of a key under a doormat; they choose a simple, easily guessed password like ‘abc123’, ‘iloveyou’ or even ‘password’ to protect their data.”

We keep many more passwords in our heads than we did a little over five years ago (ATM PINs, internet passwords, voicemail passwords), and this can be very discomfiting. Instead of the one-size-fits-all approach that has been the bane since the advent of the Internet, calling for a flexible password policy tailored to mitigate risks could provide the needed impetus for our drive towards a holistic authentication process.
