14 May 2020
What happens when the security solution becomes the security problem?
Privilege access management using passwords, is still one of the most effective and widely used methods of access control available today and shows no signs of changing anytime soon, so what happens when this security solution becomes the security problem?
Passwords have always been seen as a secure way to restrict access, however, the number of passwords each person is now required to remember is a security issue in itself. A report by LastPass in 2019 found the average user is thought to have around 50 passwords for business use alone, however, personal accounts are more likely to be in the hundreds.
Not only has there been a dramatic increase but the additional need for each password to be unique, complex, between 12 - 16 characters long and along with the added requirement for these to be frequently changed has all contributed to the current situation. This is where the security problem begins, how do you manage the ever-increasing number of required passwords whilst maintaining that level of complexity and without the user writing them down or duplicating them over many accounts?
Now more than any other time in the digital age, passwords are securing some of the most important data for companies, and for the users themselves, what was once considered just a password is now the key to some of the most highly valued data available today.
So, what are the options moving forward and how do you manage this ever-increasing security problem?
One of the most effective options currently available is to integrate access to your organisation’s key applications, using your company’s main domain user accounts; creating a single password authority for all integrated applications. This is referred to as single sign-on (SSO). This option not only removes the overhead of the user having to remember multiple passwords but gives greater access control to the company administrators.
The use of a password management tool is also an effective solution. These tools have become popular over the last few years, as they offer the user the option for passwords to be autogenerated, and are typically more complex and secure, but remove the need for the user to remember the password. More importantly, they are stored in a secure vault which only the user has access to.
A significant benefit with some of these tools is the password check functionality, this looks at the passwords stored and gives a score on how secure the password is, then works with the user to update the low scoring passwords to a more secure option. Most online tools integrate within web browsers, mobile devices, and work with additional security features such as biometrics, for example, retina displays or fingerprints which add another layer of security. Standalone offline versions are also available - if the passwords stored need to have an extra level of security for instance, they may be business-critical and need to be kept within the company’s infrastructure.
Having both these options in place only requires the user to remember a key number of passwords (typically around three). This could be a laptop encryption password (BitLocker, Becrypt etc), a domain password (this is normally the password attached to most company’s single sign on (SSO) infrastructure) and one for your password management tool. The rest can then be stored in the password management tool. The small number of passwords needed can then be long and complex but should be without the need for the user to write them down or repeat them making them unique.
Additionally, part of the solution should also include the use of Multi-Factor Authentication (MFA). This adds an additional level of security with most MFA solutions requiring two of the three options available. MFA is broken down into three categories; something you know, typically a password or secret word only the user would know, something you are, this is often a fingerprint or retina scan and something you have, a mobile device with an application to receive a code or push notification.
Ultimately there is no silver bullet, the fact remains that passwords are as important today as they have always been, sure you can add things such as MFA, biometrics and SSO but fundamentally a password is always present and whilst for day to day activities, these other options can be used instead, this doesn’t remove the need for a password when an issue occurs or if these additional other features fail or need verifying.
By implementing these changes, the way companies can get users to manage passwords can be greatly improved and, in most cases, reduce the possible burden faced within IT departments with password resets and with the increased security threats currently facing poor password management.
Passwords are here to stay and are present in virtually everyone’s lives, along with the added pressure of data no longer being contained in the physical form, password management is possibly more important now than at any other time throughout the digital age.