Passwords can actually represent one of the greatest security risks to an organization due to the combination of constant attacks and human weaknesses. In addition, as IT has become universally accessible, more users are adept at circumventing this basic security tool. Here are 7 tips to help organizations manage their passwords policy and reduce security risk.
1. Know the attacks
Methods of attack on passwords can be categorized into 5 types:
- Dictionary attack uses a dictionary file to compare possible password with every word of that file.
- Brute force attack tests every combination of characters until the password is broken.
- Hybrid attack works like dictionary attack but adds some numbers and special characters.
- Syllable attack combines both brute force and dictionary attack.
- Social engineering attack uses some ruses to convince people to reveal their password.
2. Define the purpose
Before developing a password security policy, its life cycle should be defined and used as a baseline to identify needs. The password’s life cycle should comprise all phases from creation until the end of life and take into account the critical level of the resource it is assigned to protect. Phases of management may include, but are not limited to, create, send, store, utilize, recover (locked account), renew and dispose.
3. Understand vulnerabilities at all levels
According to the type of account used to access resources, passwords can be classified into four types:
Even if each password associated to a different type of account has its own level of importance according to rights and resource, the level of security risk is the same, because privilege escalation attacks can be used by hackers to get more rights on the same resource or a higher sensitive resource (i.e., admin rights).
4. Ensure password management strategy exists
Strategy for password management should be defined by 2 key factors:
- Size of the information system in terms of resources to access and users who access it. The greater the number of resources, the more complex the management is.
- Ability of organization to implement this strategy in terms of infrastructure and skills.
Generally, there are two strategies for managing passwords: Centralized vs. Decentralized, each of which has advantages and disadvantages. Once management strategy is adopted, access to resources should be well compartmentalized according to good security practices (e.g., least privilege, segregation of duties, need to know, and continuing user education on security risks related to passwords).
5. Do not make it easy
When talking about password complexity, people think only of its length. But it is not the only element. Other aspects like characters type, guessing probability and ease of memorization can increase complexity. Characters include lowercase and uppercase letters, non-alphanumeric characters, and base 10 digits (0-9). The more complex the password is, the harder it is to remember. As a result, users tend to write their passwords. Users must be educated and trained on how to create and use stronger passwords.
6. Test the security
Password testing checks whether existing passwords comply with the security policy. While it advised to limit weak password at creation, regularly testing the strength of existing passwords is crucial. Several tools exist for online or offline tests.
7. Protect the password
Regardless of the type of password, once it is created, it can be transmitted, stored, or recovered. For each of these operations, it is essential to protect its confidentiality and integrity by making sure it is always encrypted using approved security mechanisms. Honey Encryption is one method to add a level of protection to passwords.
Passwords must not be stored or transmitted in plain text because a hacker could use a sniffing tool to guess them. During the password recovery procedure or resetting (manual or automatic), care must be taken to preserve the security of the password.
Elie Mabo, CISA, CISSP, CEH, CCNA Sec, Security+, Information Security Consultant at CGI in Canada.