It is safe to say that both end users and passwords can bring insecurity to the enterprise. Unfortunately, even if Anne Robinson was hired as CISO, neither could be dismissed with a wink and a cheery, "you are the weakest link, goodbye!"
Which isn't to say that mitigating the user credential threatscape has to be difficult; quite the opposite, in fact. Truth be told, a combination of technical common sense and logical policy management can help kick much of the breach risk to the kerb.
Any enterprise security 101 book would have, written large upon the first page or two, “protect privileged accounts with complex, non-recycled passwords.” That even this tenet of best practice can be overlooked with alarming regularity explains why there are so many data breaches. Enterprise password management is not rocket science; in fact, you can do it in six simple steps.
When I say complex, what I really mean is random. And long. Personally I insist on a minimum of 16 characters, and if the system allows it—some online services that should know better still have restrictions that are criminally low—25 characters. These need to be a mixture of upper and lower case, alphanumeric, and special characters. Which doesn't mean taking Star Wars Return of the Jedi and turning it into “[email protected]@rs6ReturnoftheJedi!!!” because, while that is a passphrase and it is a whole heck of a lot better than a simple dictionary word, it still ain't random.
Use a standalone password generator tool, or the function built into a password management console, to create truly random strings based upon your length and character type requirements. Don’t worry too much about users remembering these complex strings: password management solutions exist to take care of that.
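As an added illustration of the "random, long, and mixed" requirement above (example code, not from the original article or any particular password manager), the generator below draws every character from the operating system's CSPRNG, rejects candidates that miss a character class, and reports the entropy that a given length buys. The 16-character floor and 94-character alphabet are assumptions taken from the text.

```python
import math
import secrets
import string

# The four character classes the text calls for.
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)   # 94 printable ASCII characters
MIN_LENGTH = 16               # the author's stated minimum


def check_complexity(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy requirements the password fails (empty if it passes)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for name, cls in zip(("upper", "lower", "digit", "special"), CLASSES):
        if not any(ch in cls for ch in password):
            failures.append(f"no {name} character")
    return failures


def generate_password(length: int = 25) -> str:
    """Generate a uniformly random string that contains every character class.

    Rejection sampling keeps the result uniform over the set of strings that
    satisfy the class requirement, unlike "pick one of each then shuffle".
    """
    if length < MIN_LENGTH:
        raise ValueError(f"minimum length is {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_complexity(candidate, length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(25)
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
```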
Last year the Communications-Electronics Security Group (CESG), part of GCHQ, the UK government's signals intelligence agency, suggested in official guidance that organisations should not regularly change passwords. They reasoned that the inconvenience to the user outweighed any perceived security benefit. By suggesting that complex passwords would simply be replaced by very similar, more memorable ones, CESG grabbed the wrong end of the security stick in my opinion. What it forgot to take into account was that advances in security software mean that password managers make the act of creating, changing, and remembering passwords straightforward.
Change your passwords on a quarterly basis (so, four times a year) and you will limit the potential damage from a breach that goes unnoticed for a long period of time. An overly draconian password change cycle with mandatory compliance is just as bad as no change cycle at all. It will get in the way of business and encourage users to look for ways to bypass it, weakening your overall security posture. So it's important to get the balance right. It should also go without saying, but sadly doesn't, that the same password should never be reused for more than one login.
The first rule of password club is never tell anyone your password—obviously. However, the second rule is not to rely upon passwords alone for protection. Password security best practices recognise the value of a layered approach; implement 2FA (two-factor authentication) where possible so that there isn't a single point of failure. By adding a token, be that in hardware or via a code-generating app, you bring something that the user has into the access equation alongside something they know.
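The three rules above (quarterly rotation, no reuse across logins, 2FA wherever possible) are the kind of thing a password management console can check automatically. The audit below is an added example, not code from the article or any product; the inventory is constructed, and the `fingerprint` field stands in for a keyed hash that a manager could compare without ever exposing the secret.

```python
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90   # quarterly change cycle
MIN_LENGTH = 16     # the author's minimum

# Constructed sample inventory of privileged logins (not real accounts).
INVENTORY = [
    {"login": "admin@db01",  "fingerprint": "a1", "length": 25, "set_on": date(2023, 1, 10), "mfa": True},
    {"login": "admin@web01", "fingerprint": "a1", "length": 25, "set_on": date(2023, 5, 2),  "mfa": True},
    {"login": "svc-backup",  "fingerprint": "b2", "length": 12, "set_on": date(2023, 6, 1),  "mfa": False},
    {"login": "ceo",         "fingerprint": "c3", "length": 20, "set_on": date(2023, 6, 15), "mfa": False},
]


def audit(inventory, today):
    """Return (login, finding, detail) tuples for every policy violation."""
    # Group logins by secret fingerprint so reuse across accounts is visible.
    logins_by_fp = defaultdict(list)
    for rec in inventory:
        logins_by_fp[rec["fingerprint"]].append(rec["login"])

    findings = []
    for rec in inventory:
        login = rec["login"]
        age = (today - rec["set_on"]).days
        if age > MAX_AGE_DAYS:
            findings.append((login, "stale", f"{age} days since last change"))
        if rec["length"] < MIN_LENGTH:
            findings.append((login, "short", f"{rec['length']} characters"))
        shared = [l for l in logins_by_fp[rec["fingerprint"]] if l != login]
        if shared:
            findings.append((login, "reused", "same secret as " + ", ".join(shared)))
        if not rec["mfa"]:
            findings.append((login, "no-2fa", "single factor only"))
    return findings


if __name__ == "__main__":
    for login, kind, detail in audit(INVENTORY, date(2023, 6, 30)):
        print(f"{login:12} {kind:7} {detail}")
```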
Managed services providers and their customers already know about the benefits of centralising IT administration. When it comes to security and password management in particular, it can be more than just cost efficient; centralising the process can improve your security posture as well. Think about it: if you have a bunch of different legacy solutions from different vendors all doing the same things but on different platforms, then you are asking for trouble. Quite apart from just how seamlessly these solutions will really work with each other, the larger your solution’s footprint, the greater the opportunity for vulnerabilities to be exploited. By connecting the silos and reducing the footprint, there are fewer updates to remember and a smaller attack window for the bad guys to get through.
This may sound aggressive, but the underlying message remains: cut out as much opportunity for human error as possible, and let the machines do what they are best at, which is automating the password management process. This doesn't mean you can, or should, remove the human gatekeeper altogether, but a solution that is policy-based and dynamic will streamline your security and leave less room for error.
Having just “bigged up” the bots and said that a policy-based system rules (if you'll pardon the pun), it may sound odd to be making the case for not setting your password policy in stone. It shouldn't. After all, since when has set-and-forget been even vaguely on the sensible password management policy scale? Your policy has to be dynamic and change with times, and that means it should be both event driven and intelligence driven.
Don't be afraid to update it as and when it becomes necessary. Equally, don't be afraid to let everyone know when it has been changed and even when it has not. A policy is pointless, and toothless, if the users don't know about it. So adopt an “education, education, education” mantra. And that means across the board, including the Board. Password policy applies to everyone, and there can be no exceptions—even if you’re the boss.