Why Most Enterprise Password Management Policies Fail
From the massive Target data breach in 2013 to the Wendy's, UC Berkeley, IRS, and U.S. Department of Justice breaches of 2015 and 2016, today's enterprise exists in a security minefield in which a single misstep could lead to a massive breach and public blowout. As IT departments shutter and make sure to shore up their perimeter security, unfortunately, many overlook the fact that it was actually legitimate user credentials that were used in most 2016 data breaches, with some 63% being the result of weak, default, or stolen passwords, according to the new Verizon Data Breach Investigations Report (DBIR). These results drive home the point that passwords are the weakest link in the security chain and malicious intruders know it.
Driven by this knowledge and ever stricter compliance requirements around access control of sensitive assets, organizations are beginning to recognize the need to crack down on user security practices—password management in particular. Unfortunately, most enterprise password management policies are woefully inadequate.
There are a wide variety of reasons why enterprise password management policies fail. Most, if not all, of these reasons are rooted in the manual creation, monitoring, and auditing processes that underpin many outdated access management systems. Modern identity and access management (IAM) systems eliminate these manual processes and offer robust password management capabilities that that institutionalize, manage, and monitor password policies.
To further make the case, we will examine four key failure points inherent in most password management policies that are still relying on legacy access systems:
1. Weak or lazy password policies
- A four digit password has 10,000 combinations.
- Make it a four character password allowing letters and numbers and you’re up to 1,679,616 combinations.
- Make it four case sensitive characters and you’re up 14,776,336 combinations.
- Make it 10 case sensitive characters including numbers and suddenly we’re up to a huge 839,299,365,868,340,000 combinations. And so on and so forth.
Today's enterprise workers typically juggle a number of passwords, each protecting their accounts on a different internal or third-party system or application. Each system or application may have different password requirements or scheduled password changes. All this adds up to a long list of different, frequently changed, and sometimes infrequently used passwords that a user is expected to remember without committing the password management cardinal sin of writing the passwords down.
The near impossibility of this task creates a major failure point at the user level, as employees take the easy way out by choosing the simplest passwords they can think of or using the same password across multiple applications. If your password policies allow your employees to use weak passwords, then your policies are much too lax and make your company an easy target for a brute force attack.
2. Overly complicated or strict password policies
Aware of users’ tendency to take the easy way out when it comes to choosing passwords, many organizations err too far in the other direction. Overly strict password requirements are a familiar sight in many organizations. Going beyond numbers and letters, uppercase and lowercase, IT departments often demand that user passwords include special characters or symbols—and then often dictate that users periodically change those complicated passwords to previously unused complicated passwords. These overly complicated passwords may be difficult for an attacker to guess, but they are also challenging for users to remember.
Many companies make the problem worse with a three-strike lock-out policy. As a result, employees find risky workarounds like writing their passwords down or storing them in their computers on unencrypted spreadsheets. Others just keep the Help Desk on speed dial, driving up support costs and preventing IT from dealing with more pressing issues.
3. Failure to formalize rules into policy
Overburdened by the day-to-day tasks of maintaining some control over this password chaos, enterprise IT departments can hardly find the time to create overarching rules of password creation, storage, and management—let alone put those rules together in a formalized policy, get upper management to approve it, and clearly communicate the policy to end-users who must then follow it so that the organization can remain in compliance with broader regulations. When users don’t have clear guidelines to follow supported by training, they revert to the path of least resistance and pick passwords that are easy to remember, replicate passwords across accounts, share passwords with other employees, and write passwords down.
4. Lack of structured password policies and procedures for contingent workers
Contract and seasonal employees have become a necessity to many organizations whose workforce needs to contract and expand frequently. When members of the contingent workforce need access to sensitive systems and assets during their time with the company, poor password practices often creep up. Many organizations lack specific password policy criteria, procedures, and processes around contract/seasonal employee onboarding and more problematically, off-boarding. Are there policy or enforcement holes through which a terminated contract employee (or someone with access to the former employee's credentials) could reach back into the organization and cause a breach?
Unlike legacy systems, modern IAM software like RapidIdentity, offer robust password management out of the box that enforces the use of strong passwords across an entire organization, including employees, external workers, and partners. With features such as single sign-on, multi-factor authentication, and privileged access management, isn’t it time to consider a full lifecycle management tool that will enable you to implement an enterprise password management policy that better secures your sensitive data and assets?
Share this post: