Danger! Is your current Password Management process a risk to your bottom line?

I work with many companies right across Europe who are starting to realise the direct and in-direct problems associated with password management. How many passwords do we have and how many of us have written them down in places like the back page of a diary? Perhaps even on post-it notes stuck on screens or around desks?

What about those critical passwords that protect access to the servers themselves, the so called “superuser” and “admin” passwords used to stop, start and administer the servers and data storage systems from where everything is served up to us? If these credentials come into the wrong hands the impact to businesses could be catastrophic.

There are all kinds of statistics about passwords – the most popular/obvious ones, strong/weak ones, the need to regularly change them, naming policies and so on.  For example, the average consumer uses 25 or more sites that rely on passwords. The average internal employee has 5-10 systems that they need password access to.  Employees struggle to remember passwords given all of the rules and hence often end up writing them down and leaving themselves open to compromise.

The commercial risk

From a cost perspective, the effort to reduce support and operational burdens has now seen companies beginning to understand just how much productivity is lost by forced password changes. Then take into account the time IT departments spend on the management of password resets and user lock-outs the picture becomes clear that there must be other ways to solve these issues.

All this could pale into comparison in the event of a major breach where cybercriminals hack user accounts then trade the details with criminals on the dark web. The associated clean-up cost, not to mention reputational damage should be top of mind when CISO’s sleep at night.

I have seen many companies spend massive amounts on the very latest in shiny Cybersecurity tools that monitor external attacks on their systems however still maintain the classic username and password process that is most likely the easiest way for suspicious individuals to gain access to critical systems and data.

• “Companies looking for ways to keep their users secure should know one thing”, a top Google security executive said, "Passwords are dead“.   Heather Adkins, Google's manager of information security, said that “in the future, the game is over for anyone that relies on passwords as its chief method to secure users and their data “

• “Our passwords are failing us.” said Michael Barrett, PayPal’s Chief Security Officer

According to the Verizon 2017 Data Breach Investigation Report, roughly 81% of all data breaches were enabled by stolen and/or weak passwords and 25% of breaches involved internal actors.

Much analysis of the human generated password has been made and the research all points to humans not being very good at creating and using “strong” passwords and that randomly generated passwords do go some way towards increasing password strength.

Solving the issue

There is however a trend to try to provide a solution to this growing problem.

This can take the form of self-service password reset, enterprise single sign-on/sign-off and privileged access management.

However, what I truly believe the best solution to be is utilising biometrics when signing on.

We are seeing biometrics in the mobile channel as the ideal tool to “sign us on” to our phones and tablets and if this trend continues, we will be seeing far more Apps taking advantage of the biometric sensors in our mobile devices.

Taking a look at the provision of IT services in the banking industry, there are often a multitude of systems that a typical user may need to access in a given working day.  The use of SSO, whereby a user has one password which signs them in to all of the systems they need to access, can go a very long way towards increasing productivity, reducing the time and cost of credential management and promoting a pro-active approach to identity governance.  Some of the more sophisticated SSO systems work on the basis of a challenge-response where users may need to generate a one-time password (OTP) or provide another token (e.g. smart card) before access is granted.  

At the same time however, SSO does present a level of risk and the possibility to gain the “keys to the kingdom” is real. Whilst simplifying things massively for both end-users and the IT department, it does mean that if that single password is compromised in some way, then a potential attacker can get to all of the applications that the user would normally be able to access.  It means that the single password is now even more important than ever before and additional safeguards should be considered to maintain the required integrity of that password.

Two factor authentication or 2FA is the first step where the user provides a second token and 3FA goes a stage further where the user needs to also provide their biometric data. 2FA and 3FA need appropriate integration within the SSO solution.

3FA is where some of the biggest advances can be made in improving identity governance. In the banking sector where there are so many different types of critical transactions that should only be approved by specifically authorised persons, the addition of a biometric factor can really start to change the game in terms of compliance, segregation of responsibilities and improvements in operational process.

So in summary to all this do not forget - a chain is only as strong as its weakest link...