As our friends at XKCD have stated, "Through 20 years of effort, we have successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess." Password strength has been reduced to p@$$wOrd123.
As a vendor in the password management space, I guess we should be thankful. We are able to offer self service password reset, password synchronization, federated single sign-on and make a healthy living because of it. And users are still going to be using p@$$wOrd123 but at least you can mitigate this security risk with a properly designed identity and access management (IAM) system.
Here are the things you can do from an IAM perspective:
- Two factor authentication(2FA): for high security resources and applications, force 2FA. Make a user have a cell phone or biometrics in addition to the password.
- Identity proofing: make the user answer questions that only they would know in addition to the password.
- Device registration: check to see if they are on a company-owned device before authenticating; if not, send it for approval.
- One time passwords (OTP): when the user attempts to access an application, send an OTP to a secure email address (note: this doesn't work with authenticating into the network as that is where the email is :) ).
All of these are great solutions but the easiest and most effective fix you can do to ensure the best password strength: password length. Make your password policy a minimum of 20 characters and stop forcing upper case and special characters and numbers. Heck, make it 25 characters or 30.
But, how is a user going to remember that if they can't remember p@$$wOrd123? Easy, it's a sentence. It doesn't violate the dictionary rules because it's a lot of words strung together and it's probably a quote the user remembers anyway. Some to think about:
- franklymydearIdontgiveadamn
- Iknowitiswetandthesunisnotsunnybutwecanhavelotsofgoodfunthatisfunny
- itwasthebestoftimesitwastheworstoftimes
- allinallitisjustanotherbrickinthewall
- pleasenoteihaveneverusedanyofthese
Password length in and of itself doesn't guarantee security. The best hacking programs can crack any password (especially one with words in it) very quickly. But if you have a good lockout policy and, even better, two factor authentication, you can keep security very high and allow users to remember their passwords.
Password resets take up a huge amount of your help desk resources, some estimate one third of all calls are password related. You cannot compromise security to reduce those calls so you have to do something. I, of course, recommend self service password reset or federated single sign on with EmpowerID but at a minimum, or even in conjunction with, consider a higher level of password strength.
The best password strength is not always the most complicated....wait, that sentence would make a good password.
Tags: Password management
