Passwords are used in many ways to protect data, systems and networks. They are used to authenticate users of operating systems (OS) and applications such as email, labor recording and remote access. Passwords are also used to protect files and other stored information, such as password protection of a single compressed file, a cryptographic key, or an encrypted hard drive. In addition, passwords are often used in less visible ways; for example, a biometric device can generate a password based on a fingerprint scan, and that password is then used for authentication.
Effective password management reduces the risk of compromise for password-based authentication systems. Organizations must protect the confidentiality, integrity and availability of passwords so that only authorized users can use passwords successfully as needed. Integrity and availability can be ensured with typical data security controls, such as using access control lists to prevent attackers from overwriting passwords and keeping secure backups of password files.
Ensuring that passwords remain confidential is significantly more challenging and involves a number of security controls along with decisions about the properties of the passwords themselves. For example, requiring passwords to be long and complex makes it less likely that attackers will guess or crack them, but it also makes passwords harder to remember. This increases the likelihood that users will store their passwords insecurely (for example, on a note by the keyboard or in a plain-text file) and expose them to attackers.
Organizations should be aware of the disadvantages of using password-based authentication. There are many types of password threats, and most of these threats can only be partially mitigated. In addition, users are burdened by memorizing and managing an ever-increasing number of passwords. Although the existing password management mechanisms can alleviate this burden, they each have significant usability disadvantages and can also cause more serious security incidents as they allow access to many systems via a single authenticator. Therefore, organizations should make long-term plans to replace or supplement password-based authentication with stronger forms of authentication for resources with higher security needs.
Authentication can be based on something the user knows (such as a password), something the user has (such as a smart card) or something the user "is" (such as a fingerprint or voice pattern). One-factor authentication uses only one of the three forms, two-factor authentication uses two of the three forms, and three-factor authentication uses all three.
Using multiple factors makes it more difficult for an attacker to gain unauthorized access to a system, because compromising one factor (for example, capturing a password with a keystroke logger) is no longer enough.
Protecting Your Passwords
Organizations should implement the following recommendations to protect the confidentiality of their passwords:
- Create a password policy that specifies all of your organization's password management requirements. These include storage and transmission of passwords, password composition, and password issuance and reset procedures. Organizations should also consider applicable mandates (such as the Federal Information Security Management Act of 2002 (FISMA)), regulations and other requirements and guidelines related to passwords. An organization's password policy should be flexible enough to accommodate the different password features provided by different operating systems and applications. Organizations should review their password policies regularly, especially when major technical changes occur (such as new operating systems) that may affect password management.
- Protect passwords from password capturing attacks. Attackers can capture passwords in several ways, and each requires different security controls. For example, attackers may try to access stored OS and application passwords, so such passwords should be protected with additional controls, such as restricting access to the files that contain them and storing one-way, salted cryptographic hashes of passwords instead of the passwords themselves. Passwords transmitted over networks should be protected from sniffing by encrypting the passwords or the communications that carry them (for example, by sending them only over TLS), or by other appropriate means. Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers and shoulder surfing, and of how to respond when they suspect an attack. Organizations must also verify the identity of users who try to recover a forgotten password or reset a password, so that a password is not inadvertently handed to an attacker.
- Configure password mechanisms to reduce the likelihood of successful password guessing and cracking. Password guessing attacks can be mitigated by ensuring that passwords are sufficiently complex and by limiting the rate of authentication attempts, such as imposing a short delay after each failed attempt or locking an account after many unsuccessful attempts. Password cracking attacks can be mitigated by using strong passwords, choosing strong, slow cryptographic algorithms and implementations for password hashing, and protecting the confidentiality of the password hashes. Changing passwords regularly also somewhat reduces the risk from cracking, because a hash that takes longer to crack than the password's lifetime is of no use to the attacker. Password strength depends on several factors, including password complexity, password length, and user knowledge of what makes a password strong. Organizations should consider which factors can be enforced when setting password strength requirements, and whether users will need to memorize the passwords.
- Determine password expiration requirements by balancing security needs against usability. Many organizations implement password expiration to reduce the potential impact of unauthorized password use. This is beneficial in some cases but ineffective in others, for example when the attacker can capture the new password through the same keylogger used to capture the old one. Password expiration is also a source of frustration for users, who often have to create and remember new passwords every few months for dozens of accounts, and who therefore tend to choose weak passwords and reuse the same few passwords across many accounts. Organizations should consider several factors when determining password expiration requirements, including the availability of secure storage for user passwords, the level of password threats, the frequency of authentication (daily versus annual), the strength of password storage, and the effectiveness or ineffectiveness of password expiration against cracking.
Organizations should consider having different password expiration policies for different types of systems, operating systems and applications to reflect their differing security needs and usability requirements.
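The two controls above that are implemented in code rather than in policy are password storage (salted one-way hashes under a slow algorithm, from the capturing bullet) and online guessing limits (per-failure delay and account lockout, from the guessing and cracking bullet). The following Python is an added example written for this page, not code from the original article or from NIST; it shows an unsalted fast hash as the "before", a salted scrypt record as the hardened form, and a login gate that throttles and locks accounts. The scrypt parameters, the failure threshold, the lockout duration and the `LoginGate` class are assumptions chosen for illustration; a real deployment would keep the attempt counters in a shared store and tune the work factor to its hardware.

```python
"""Hardened password storage and guessing-resistant verification.

Added example, not from the original article. Assumes a single-process
store; a real deployment keeps attempt counters in a shared, persistent
store so an attacker cannot reset them by hitting another node.
"""
import base64
import hashlib
import hmac
import os
import time

# scrypt parameters (assumption: roughly 50-100 ms per hash on commodity
# hardware; raise SCRYPT_N as hardware improves). 128 * N * r bytes = 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
DKLEN = 32


def weak_hash(password: str) -> str:
    """The 'before': unsalted, fast hash. Two users with the same password
    get the same digest, so a precomputed table or one cracked hash breaks
    every account that shares it."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, memory-hard one-way hash. The record carries its own
    parameters so they can be raised later without invalidating old rows."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                        r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    enc = lambda b: base64.b64encode(b).decode()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${enc(salt)}${enc(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters in the record and compare in constant
    time, so a malformed record or a wrong password both yield False."""
    try:
        scheme, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.scrypt(password.encode(), salt=salt, n=int(n),
                            r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)


# Hashed once at import and verified against for unknown usernames, so the
# response time does not reveal whether an account exists (assumption).
DUMMY_HASH = hash_password("not-a-real-password")


class LoginGate:
    """Throttles online guessing: a growing delay after each failure and a
    temporary lockout once MAX_FAILURES is reached. The clock is injectable
    so the lockout can be exercised without sleeping."""
    MAX_FAILURES = 5            # assumption: lock after five misses
    LOCKOUT_SECONDS = 15 * 60   # assumption: fifteen-minute lockout

    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users          # username -> stored hash record
        self.failures = {}          # username -> (count, last failure time)
        self.locked_until = {}      # username -> unlock time
        self.clock = clock

    def required_delay(self, username: str) -> float:
        """Seconds a server should wait before answering the next attempt:
        doubles with each consecutive failure, capped at 30 s."""
        count, _ = self.failures.get(username, (0, 0.0))
        return 0.0 if count == 0 else min(2.0 ** (count - 1), 30.0)

    def login(self, username: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"         # refuse before evaluating the password
        stored = self.users.get(username)
        if stored is None:
            verify_password(password, DUMMY_HASH)   # burn the same time
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count, _ = self.failures.get(username, (0, 0.0))
        count += 1
        self.failures[username] = (count, now)
        if count >= self.MAX_FAILURES:
            self.locked_until[username] = now + self.LOCKOUT_SECONDS
            self.failures.pop(username, None)       # fresh count after unlock
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed sample account; the record below is what would sit in the
    # password file instead of the cleartext.
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])
    gate = LoginGate(users)
    print(gate.login("alice", "wrong guess"), gate.required_delay("alice"))
    print(gate.login("alice", "correct horse battery staple"))
```

Two design points worth noting. `verify_password` derives the work factor from the record, so raising `SCRYPT_N` for new users does not break existing ones; a migration can rehash each user at their next successful login. The lockout decision is taken before the password is evaluated, which is what stops an attacker from continuing to test guesses against a locked account, and the failure counter is reset on lockout so a legitimate user is not re-locked by a single mistake once the window passes.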
Let Us Help You
Passwords are extremely susceptible to theft and are likely to protect almost every aspect of your organization. Contact CoverLink Insurance experts for more resources to protect your computer systems and networks from thieves.