Safeguard Your Organization with Proper Password Management


Access control is one way to ensure security in your organization. An intruder can break into your network by compromising accounts with weak passwords. If the compromised account turns out to be a privileged account, or if the intruder escalates privileges, then you may face significant damage to your IT systems.

The first step to prevent such attacks is to ensure your organization’s security policies and procedures incorporate strong and comprehensive account and password management processes. A password passes through several states during its lifetime, and each state has an owner responsible for handling it. These are:

Account creation
Change management body
Password selection or changing default password
Change password after nth day
Auto password expiry
Auditing systems for weak password
Auditors / Tools / System admin / Security manager

The different stages in password management are: creation, administration and review / auditing. Here are the recommended best practices to ensure comprehensive password management.

Using a strong password
A password must be *strong enough* that it cannot be easily broken by brute-force or dictionary attacks. Selecting a strong password involves criteria such as using alphanumeric characters, both upper and lower case letters, and special characters. On the other hand, insisting on highly complex passwords may well leave users unable to remember them.

Ensure your IT security team and security managers make users aware of the reasons behind strong and complex passwords, and teach users ways of remembering complex passwords. Functionally, the complexity of a password can be modelled as a function of its length and of the number of character sets available to create it.

Password complexity = f (length, character set).

Password expiry
Even with a complex password, you could still be at risk. Today’s clustered computing environments could well crack your password within days, or weeks at most. It is therefore recommended to change your password after a certain number of days. If you change passwords every 30 days and an intruder who has obtained your password hash needs 45 days to crack it, you are still secure, because you have moved to another strong password ahead of the intruder.
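The complexity relation above (password complexity = f(length, character set)) and the expiry argument in this section can be made concrete. The following is an added example, not code from the original article: it scores a password by length and character classes, checks it against an assumed policy (minimum length 12, at least 3 character classes), and estimates how long an offline attacker at an assumed guess rate would need to exhaust the search space, so the rotation period can be compared against it. The four character classes, the policy thresholds and the guess rate are all assumptions.

```python
import math
import string

# Character classes assumed for the policy (the text only says "character sets";
# these four classes are this example's assumption).
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26 characters
    "upper": set(string.ascii_uppercase),    # 26 characters
    "digit": set(string.digits),             # 10 characters
    "special": set(string.punctuation),      # 32 characters
}

SECONDS_PER_DAY = 86_400


def classes_used(password: str) -> int:
    """Number of character classes that appear in the password."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in password))


def pool_size(password: str) -> int:
    """Size of the pool an attacker must search: the union of every class used."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Upper-bound strength in bits: length * log2(pool).  This is the
    'complexity = f(length, character set)' relation from the text.  It assumes
    every character was chosen uniformly at random; a dictionary word is far
    weaker than this number suggests."""
    pool = pool_size(password)
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Assumed policy: a minimum length and a minimum number of character classes."""
    return len(password) >= min_length and classes_used(password) >= min_classes


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Days an offline attacker at the given guess rate needs to try the whole pool."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_DAY


def rotation_beats_attacker(password: str, guesses_per_second: float, expiry_days: int) -> bool:
    """The expiry argument from the text: the password is replaced before an
    attacker at this rate could have exhausted the search space."""
    return expiry_days < days_to_exhaust(entropy_bits(password), guesses_per_second)


if __name__ == "__main__":
    # Constructed sample passwords and an assumed attacker rate of 1e10 guesses/s.
    for pw in ("password", "Tr0ub4dor&3", "correct-horse-B4ttery-staple"):
        bits = entropy_bits(pw)
        print(f"{pw!r}: {classes_used(pw)} classes, {bits:.1f} bits, "
              f"policy={meets_policy(pw)}, "
              f"30-day rotation ahead of attacker={rotation_beats_attacker(pw, 1e10, 30)}")
```

The estimate is deliberately an upper bound: it tells you when a policy is certainly too weak for a given rotation period, not that a password which passes is safe. A word taken from a dictionary falls to a dictionary attack long before the full pool is exhausted, which is why the awareness and auditing steps later in this article matter as much as the formula.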

Limit number of login attempts
At any point in time, an account could come under a password cracking attack. In such attacks, the attacker uses scripts or tools to run brute-force or dictionary attacks against specific users or a set of users. To guard against this, the authentication system must limit the user to a certain number of failed login attempts, after which the account should be locked out. The disadvantage of this approach is that a genuine user may be unable to log in while somebody is actively trying to break into their account.

Remember historical passwords
Users tend to reuse the same password across many accounts and to re-enter it when prompted to change passwords. Keeping the same password for a long time can lead to compromise of the user account. It is recommended that your IT security setup prevent users from reusing the same password for at least 3 to 5 password reset operations.

Show last successful login
One way to create transparency for users regarding their accounts is to show them when they last logged into the system or network. This helps them monitor their own account. At least the 3 previous successful logins must be displayed, with the date, time and duration of each login. If a user suspects the account has been misused by somebody, the user should log a security incident with the IT security team, and the IT security team should investigate the suspected breach.
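The lockout rule from "Limit number of login attempts" and the last-login display from this section both live in the same place, the authentication system's per-account state, so one added example covers both. This is illustrative code written for this article, not the article's or any product's own implementation. It assumes a threshold of 5 failed attempts, a temporary 15-minute lockout (the text does not give either value), and timestamps as epoch seconds; the IP addresses in the scenario are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy values; the text gives neither a threshold nor a lockout length.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
SHOW_PREVIOUS_LOGINS = 3          # the text asks for at least 3 previous successful logins


@dataclass
class LoginRecord:
    at: float          # epoch seconds of the successful login
    source: str        # where the login came from (constructed values below)
    duration: float    # session length in seconds, filled in at logout


@dataclass
class AccountState:
    failed: int = 0
    locked_until: Optional[float] = None
    logins: List[LoginRecord] = field(default_factory=list)


def is_locked(acct: AccountState, now: float) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def attempt_login(acct: AccountState, credential_ok: bool, now: float, source: str) -> dict:
    """Apply the lockout policy to one authentication attempt.  `credential_ok`
    is the result of the caller's password check; this function only decides
    whether the attempt may proceed and what to show the user afterwards."""
    if is_locked(acct, now):
        return {"allowed": False, "reason": "locked", "previous_logins": []}
    if not credential_ok:
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS   # temporary, not permanent
            acct.failed = 0
            return {"allowed": False, "reason": "locked", "previous_logins": []}
        return {"allowed": False, "reason": "bad_credentials", "previous_logins": []}
    # Success: show the user the last N logins *before* this one, so they can
    # spot a session they did not start.
    previous = list(acct.logins[-SHOW_PREVIOUS_LOGINS:])
    acct.failed = 0
    acct.locked_until = None
    acct.logins.append(LoginRecord(at=now, source=source, duration=0.0))
    return {"allowed": True, "reason": "ok", "previous_logins": previous}


def record_logout(acct: AccountState, now: float) -> None:
    """Fill in the duration of the most recent session."""
    if acct.logins:
        last = acct.logins[-1]
        last.duration = now - last.at


def simulate() -> dict:
    """Constructed scenario: five bad guesses from one source lock the account,
    the real user is refused during the lockout, then logs in twice after it."""
    acct = AccountState()
    t0 = 1_700_000_000.0
    failures = []
    for i in range(MAX_FAILED_ATTEMPTS):
        failures.append(attempt_login(acct, False, t0 + i, "203.0.113.9")["reason"])
    during = attempt_login(acct, True, t0 + 60, "198.51.100.7")["reason"]
    first = attempt_login(acct, True, t0 + LOCKOUT_SECONDS + 120, "198.51.100.7")
    record_logout(acct, t0 + LOCKOUT_SECONDS + 120 + 1800)
    second = attempt_login(acct, True, t0 + 7200, "198.51.100.7")
    return {"failures": failures, "during_lockout": during,
            "first_ok": first["allowed"], "shown_to_user": second["previous_logins"]}


if __name__ == "__main__":
    out = simulate()
    print(out["failures"], out["during_lockout"])
    for rec in out["shown_to_user"]:
        print(f"previous login at {rec.at:.0f} from {rec.source}, lasted {rec.duration:.0f}s")
```

The lockout is time-limited rather than permanent precisely because of the disadvantage the text names: an attacker who keeps guessing can deny the genuine user access, but only for the lockout window, and the user still gets to see the logins that preceded theirs once they are back in.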

Store passwords in encrypted form
Passwords stored on local disk must be kept in encrypted form, and passwords transmitted over a network must travel over secure (encrypted) channels. This protects against password sniffing and cracking attacks.
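The password-history rule from "Remember historical passwords" and the storage rule in this section fit together: if old passwords are kept only as salted, slow hashes, reuse can still be detected without any stored password being readable. The following is an added example written for this article, not the article's own code. It uses PBKDF2-HMAC-SHA256 from the Python standard library (a one-way salted hash, the usual choice for stored verifiers rather than reversible encryption), assumes a history depth of 5 (the text says 3 to 5) and an assumed work factor of 100,000 rounds; user names and passwords in the test are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

HISTORY_DEPTH = 5        # the text recommends 3 to 5 previous passwords; 5 assumed here
PBKDF2_ROUNDS = 100_000  # assumed work factor; raise it until one check costs ~100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow, one-way hash.  A verifier can check a password against this
    but cannot recover it, which is what limits the damage from a stolen file."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class PasswordStore:
    """Per-user chain of (salt, digest) pairs; the last entry is the current
    password.  Only hashes are kept, so old passwords cannot be read back either."""

    def __init__(self, history_depth: int = HISTORY_DEPTH):
        self.depth = history_depth
        self.records: Dict[str, List[Tuple[bytes, bytes]]] = {}

    def set_password(self, user: str, new_password: str) -> bool:
        """Return False (and change nothing) if the new password matches any of
        the last `depth` passwords, the current one included."""
        chain = self.records.setdefault(user, [])
        if any(verify_password(new_password, salt, digest) for salt, digest in chain):
            return False
        chain.append(hash_password(new_password))
        del chain[:-self.depth]        # forget passwords older than the history window
        return True

    def check_login(self, user: str, password: str) -> bool:
        chain = self.records.get(user)
        if not chain:
            return False               # unknown user: same answer as a wrong password
        salt, digest = chain[-1]
        return verify_password(password, salt, digest)


if __name__ == "__main__":
    store = PasswordStore(history_depth=3)
    for attempt in ("first-pw-1", "first-pw-1", "second-pw-2"):
        print(attempt, "accepted" if store.set_password("alice", attempt) else "rejected (reuse)")
    print("login with current password:", store.check_login("alice", "second-pw-2"))
```

Each reuse check costs one full PBKDF2 computation per stored entry, which is the reason to keep the history window short and the work factor tuned: the same cost that slows an attacker down also applies to every password change.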

Enable ticketing system for password resets
Today, many organizations manage password reset requests via ticketing systems. In a ticketing system, a user should be able to log a ticket for a password reset only after being authenticated. Authentication is very important when filing such requests, to ensure that a malicious user cannot raise a reset request for an account they are not authorized to use. Such tickets must be logged for further analysis and reference.

Practice password auditing
Automated tools or open source password crackers can be very useful in auditing passwords. An organization faces a major security risk if the accounts of senior associates or critical users are compromised. Performing password audits provides clarity on the effectiveness of the password management policies.

Reporting and closure reports
Providing reports on weak passwords, password resets and password changes to users, as well as to security managers, is very useful. Reports add value by documenting such incidents and tracking them to closure, making the organization more secure and ready for audits.

Security awareness
Even with the best set of policies, there’s always a chance that passwords can be compromised. Sharing passwords with others, writing down complex passwords on a Post-It, social engineering and man-in-the-middle attacks are just some of the “password harvesting” techniques. Sadly, users often ignore these issues, which leads to the compromise of even strong passwords. It is important that users be aware of such techniques, so your IT security team should conduct regular user awareness sessions that cover possible attacks and attack scenarios, making everyone aware of the common pitfalls.