So a number of people I know professionally and personally have been sending around the XKCD password comic and chuckling about how silly the security people are that think people should have to remember complex passwords.
Here is the comic
http://xkcd.com/936/
Okay - now comics aside if you want to approach this problem like most enterprises have had to you need to know a few key things about your environment:
1 - What types of passwords do your key applications support? (Unless your environment is one of the rare ones that requires a central authentication system, each application presents new and potentially unique authentication challenges.) Check to see if your applications support SSO or centralized authentication (LDAP, Windows Domain, etc.), and check what type of complexity the application supports (does the application allow you to use only letters? does it allow mixed case? does it support numbers or special characters?).
2 - Two factors are better than One - Three is even better. - The recent RSA intrusion aside, multi-factor authentication is still a very good idea, the challenges here are - cost (this one often trumps the usefulness of the multi-factor authentication unless you can demonstrate the risk outweighs the cost, or if you can use one token/solution for multiple applications), does the application support multi-factor authentication? What factors does it support (password token only? or can it support certificates? how about biometric?). Even if you are using multi-factor authentication you should still maintain a vigilant monitoring program. You can often determine a compromise by looking for unusual user behavior and the usual controls should still be applied to passphrase strength and complexity.
3 - Do you provide your employees with a secure place to store passwords? It's an unfortunate reality that in many environments employees have far too much going on to be able to manage multiple secure passwords and their day job. Many security organizations turn a blind eye to the post-it notes and password list files on people's desktops (physical and virtual). This of course is a very real risk: someone could gain access to these passwords and then exploit them. Some environments have provided password vaults or secure password storage for their employees so they can manage all of their passwords. Often these systems themselves will require a more robust (multi-factor) authentication method. I'm curious if anyone has done this and might have some good news to share, or examples of some of the challenges of this approach.
Regardless of your environment, passwords are here to stay - it's best to educate your developers on how to provide secure authentication options, and educate your users on best practices. Passphrases aren't new, and while they can be easier to use they don't remove the requirement of complexity. Unfortunately many password attacks will look for English language words first (dictionary attack), so the premise that a four word passphrase is stronger than a complex password (using 3 or 4 different types of characters) doesn't really work.
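To put numbers on the complexity question raised in item 1 and in the passphrase discussion above, here is a small keyspace calculator. It is an added example, not part of the original post: it reports which character classes a candidate password actually uses (the mixed case / digits / special character checks an application may or may not support), and compares the search space of a random character password against a passphrase under the dictionary-attack model, where the attacker is assumed to know the word list and to guess word combinations rather than single characters. The word-list size and the guess rate are constructed assumptions, not figures from the post.

```python
import math
import string

# Assumed size of the attacker's word list (constructed; real lists vary widely).
DICTIONARY_WORDS = 7776

# Alphabet size contributed by each character class, used to size the keyspace
# of a password whose characters are drawn uniformly from the classes it uses.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password.

    This is the check an application's complexity policy performs
    (mixed case? digits? specials?), so it doubles as a policy probe.
    """
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
        else:
            classes.add("other")
    return classes


def random_password_bits(password: str) -> float:
    """Keyspace in bits if every character were drawn uniformly from the
    union of the classes the password uses. This is an upper bound: a
    password built from a word plus predictable substitutions is much
    weaker than this figure, which is the point of the dictionary model below."""
    alphabet = sum(CLASS_SIZES.get(c, 0) for c in character_classes(password))
    return len(password) * math.log2(alphabet)


def passphrase_bits(word_count: int, dictionary_size: int = DICTIONARY_WORDS) -> float:
    """Keyspace in bits of word_count words chosen independently and uniformly
    from a list of dictionary_size words, i.e. what a dictionary attacker who
    already knows the list still has to enumerate."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the keyspace is searched."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def report(label: str, bits: float, guesses_per_second: float) -> str:
    secs = expected_crack_seconds(bits, guesses_per_second)
    return f"{label:<32} {bits:6.1f} bits  ~{secs / 86400 / 365:.1e} years"


if __name__ == "__main__":
    # Assumed online guess rate for a throttled login endpoint (constructed).
    RATE = 1000.0
    # Constructed sample values; neither is a real credential.
    complex_pw = "Tr0ub4dor&3"
    print("classes used:", sorted(character_classes(complex_pw)))
    print(report("11-char, 4 classes (random)", random_password_bits(complex_pw), RATE))
    print(report("4 words, 2048-word list", passphrase_bits(4, 2048), RATE))
    print(report("4 words, 7776-word list", passphrase_bits(4), RATE))
    print(report("6 words, 7776-word list", passphrase_bits(6), RATE))
```

Note that the random-character figure is only reached when the characters are actually random; the model cannot credit a memorable word with substitutions for that strength, which is exactly what a dictionary-plus-mangling attack exploits. Raising the word count or the list size moves the passphrase figure up linearly in bits, which is the lever to pull if an application only accepts letters.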