Passwords are used in many ways to protect data, systems and networks. They are used to authenticate users of operating systems (OS) and applications such as email, time recording and remote access. Passwords are also used to protect files and other stored information, such as password protection of a single compressed file, a cryptographic key, or an encrypted hard disk. In addition, passwords are often used in less visible ways; for example, a biometric device can generate a password based on a fingerprint scan, and that password is then used for authentication. But does your company have effective password management?
Effective password management reduces the risk of compromise of password-based authentication systems. Organizations must protect the confidentiality, integrity, and availability of passwords so that only authorized users can use passwords successfully as needed. Integrity and availability should be ensured through standard data security controls, such as using access control lists to prevent attackers from overwriting passwords and keeping secured backups of password files.
Ensuring that passwords remain confidential is significantly more challenging and requires a number of controls, along with decisions about the properties of the passwords themselves. For example, requiring passwords to be long and complex makes it less likely that attackers will guess or crack them, but it also makes passwords more difficult for users to remember. This increases the likelihood that users will store their passwords insecurely and expose them to attackers.
Organizations should be aware of the disadvantages of using password-based authentication. There are many types of password threats, and most of these threats can only be partially mitigated. In addition, users are burdened with memorizing and managing an increasing number of passwords. While existing enterprise password management mechanisms can alleviate this burden, they all have significant usability disadvantages and can also cause more serious security incidents, because they allow access to many systems through a single authentication. Therefore, organizations should make long-term plans to replace or supplement password-based authentication with stronger forms of authentication for resources with higher security needs.
Authentication can be based on something the user knows (e.g. a password), something the user has (e.g. a smart card) or something the user "is" (e.g. a fingerprint or voice pattern). One-factor authentication uses only one of the three forms of authentication, while two-factor authentication uses two of the three forms and three-factor authentication uses all three forms.
Using multiple factors makes it more difficult for someone to gain unauthorized access to the system.
Protecting Your Passwords
Organizations should implement the following recommendations to protect the confidentiality of their passwords:
- Create a password policy that specifies all of your organization's password management requirements. Password management related requirements include storage and transmission of passwords, password composition, and password issuance and recovery procedures. In addition, organizations should also take into account applicable mandates (e.g. the Federal Information Security Management Act of 2002 (FISMA)), regulations and other requirements and guidelines related to passwords. An organization's password policy should be flexible enough to accommodate the different password features provided by different operating systems and applications. Organizations should review their password policies regularly, especially when major technical changes occur (such as a new operating system) that may affect password management.
- Protect passwords from password capturing attacks. Attackers can capture passwords in several ways, each requiring different security controls. For example, attackers may try to gain access to stored OS and application passwords, so such passwords should be protected with additional security controls, such as restricting access to files containing passwords and storing one-way cryptographic hashes of passwords instead of the passwords themselves. Passwords transmitted over networks should be protected against sniffing threats by encrypting the passwords or the communications that contain them, or by other appropriate means. Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers and shoulder surfing, and how to react when they suspect an attack may be occurring. Organizations must also ensure that they verify the identity of users attempting to recover a forgotten password or reset a password, so that a password is not accidentally provided to an attacker.
- Configure password mechanisms to reduce the likelihood of successful password guessing and cracking. Password guessing attacks can be mitigated by ensuring that passwords are sufficiently complex and by limiting the frequency of authentication attempts, such as imposing a short delay after each failed authentication attempt or locking an account after many consecutive failed attempts. Password cracking attacks can be mitigated by using strong passwords, choosing strong cryptographic algorithms and implementations for password hashing, and protecting the confidentiality of password hashes. Changing passwords at regular intervals also reduces the risk from cracking somewhat. Password strength is based on several factors, including password complexity, password length and user knowledge of strong password properties. Organizations should consider which factors are enforceable when setting password strength policy requirements, and whether or not users will need to remember the passwords.
- Determine requirements for password expiration by balancing security needs and usability. Many organizations implement password expiration mechanisms to reduce the potential impact of unauthorized password use. This is advantageous in some cases but ineffective in others, for example when the attacker can compromise the new password through the same keystroke logger used to capture the old password. Password expiration is also a source of frustration for users, who often have to create and remember new passwords every few months for dozens of accounts, and thus tend to choose weak passwords and reuse the same few passwords for many accounts. Organizations should consider several factors when determining password expiration requirements, including the availability of secure storage for user passwords, the degree of threat to the passwords, the frequency of authentication (daily versus annual), the strength of password storage, and the effectiveness of expiration against password cracking.
Organizations should consider having different password expiration policies for different types of systems, operating systems and applications to reflect their varying security needs and usability requirements.
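The two storage and throttling controls recommended above (salted one-way password hashing and locking an account after consecutive failures) combined in one small authentication routine. This is an added illustration, not code from the original article or from any product it mentions; the iteration count, failure threshold and lockout duration are assumed values an organization would tune to its own policy.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # assumption: tuned so one hash costs a fraction of a second
MAX_FAILURES = 5              # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 900         # assumption: 15-minute lockout


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iters$salt$hash'; only this string is stored, never the password."""
    salt = os.urandom(16)  # per-password random salt defeats precomputed (rainbow) tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


DUMMY_HASH = hash_password("dummy")  # used to spend equal time on unknown usernames


class AccountStore:
    """Constructed in-memory store: username -> password hash plus failure counters."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable clock so lockout expiry can be exercised in tests
        self.accounts = {}

    def create(self, username: str, password: str) -> None:
        self.accounts[username] = {"hash": hash_password(password), "failures": 0, "locked_until": 0.0}

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'; a locked account rejects even the right password."""
        rec = self.accounts.get(username)
        now = self.clock()
        if rec is None:
            verify_password(password, DUMMY_HASH)  # same cost as a real check, no user enumeration
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        if verify_password(password, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "denied"
```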
Let us help you
Passwords are extremely susceptible to theft and are likely to protect almost every aspect of your organization. Contact the experts at CoverLink Insurance for more resources to protect your computer systems and networks from future thieves and make sure you have the right liability protection.