Security Think Tank: Put more layers around passwords to up security

Passwords aren’t going away any time soon. For many organisations, passwords are an essential part of access control, used by individuals to gain access to applications, devices, systems and networks.

However, password policies and controls are known to be lacking in many enterprises. Password policies are rarely reviewed and updated, and follow outdated advice to make passwords random and complex– and thereby difficult to remember.

Enforcing complex passwords can be detrimental not only to the individual in trying to recall passwords, but also to the organisation, as when recall fails there are increased service desk costs for resetting passwords.

Furthermore, complex passwords often result in individuals “adding 1” to their expiring password to make it easier to remember. This makes any potential breach of passwords, even expired passwords, a higher risk.

The UK’s National Cyber Security Centre (NCSC) guidance strongly recommends helping users with “password overload”. Specifically, this includes not enforcing the regular expiry of passwords, instead recommending that passwords are changed only when there is a suspicion of/known compromise of the password.

Compromise can happen through various means. Social engineering involves an attacker enticing an individual to give away their password – anything from a street survey offering a bar of chocolate in exchange for a password, through to an elaborate and convincing hoax focusing on an individual with privileged access.

Other examples include brute force attacks (automatically testing a password against a user ID until a match is made), and finding unencrypted passwords at rest (such as written down or stored somewhere other than a secure password vault) or in transit (such as open over the internet).

Today, many enterprises are focusing on finding better ways of managing passwords and are using alternatives, such as biometrics (fingerprint recognition, for example) and multi-factor authentication (such as password and a token). Passwords are like the rest of security controls – they work best in layers.

Only for the least important systems and information should passwords be relied on as the only method of ensuring that an individual should gain access. Layering additional security controls around passwords is essential.

There is an increasing appetite among enterprises and their users for automating authentication, such as using the mobile device as an authenticating factor, to verify that an individual is trying to sign into a specific account or system. This means that security functions can develop password policy in line with NCSC guidance, only enforcing password change on suspicion or confirmation of compromise.

Users also have responsibilities, starting with reporting suspicions of password compromise. They must also engage with education and awareness programs around password protection, being wary of social engineering and other methods used to gain knowledge of passwords.

Of course, the IT function also has a responsibility, ensuring that default passwords on systems, hardware and so on have been changed.

Passwords are likely to remain one of the core security controls deployed by enterprises, but we will see more layers being added to passwords to continue the fight against security breaches and incidents.