‘Experts’ have been predicting the demise of the password for at least a decade. Nevertheless, and despite the advent of other secure authentication methods, password use has only increased.
The surge in password use is largely down to an increase in online and cloud services, including in the government and public sectors. Passwords are a straightforward (and cheap) security measure, and the attractiveness of password-based systems over other authentication measures is easy to see.
However, this unchecked proliferation of passwords has caused users to become overloaded with the sheer number of credentials they are required to remember. This password overload leads users to do the things that every IT professional tells them never to do: write passwords down, use simple or predictable passwords, or reuse passwords across different systems. Sorry, if you’re an IT professional – we know that made you cringe.
So, what can you do to protect your password-based systems?
1. Change the default passwords
In 2012, best estimates were that there were “several hundred thousand” devices connected to the internet still using the default administrator password. Now, in 2018, the total is likely to be many times that. Changing the default password is a simple, easy, and essentially free way to stop anyone on the internet who knows the default from simply logging in to your network. In your organisation, ensure that changing the default password on new devices is standard practice, and conduct regular audits of your network to look for unchanged passwords.
2. Let users write their passwords down
Well, okay, not quite. But allow them to use password managers. In fact, mandate it. Typical users will have at least 22 passwords to remember – an impossible task without resorting to simplification or reuse. Providing a secure, officially sanctioned way for users to keep track of their passwords means no more password overload, which means more secure passwords.
3. Stop asking users to change passwords
Many organisations have historically asked users to change their password every 30, 60, or 90 days. Leaving aside the fact that this only causes more overload for users, it’s not very effective as a security system either. Long-term illicit use of passwords is better tackled by monitoring the network for unauthorised or unusual patterns of access and warning users so that at-risk passwords can be changed.
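One way to implement the monitoring this point describes, as an added example that is not from the original article or the NCSC: a script that parses authentication log lines and flags accounts whose password should be changed. The log format, the failure threshold, the baseline of known source addresses and the sample events are all constructed for this example.

```python
"""Flag accounts with at-risk passwords from authentication log lines.

Two heuristics: a successful login from a source address never seen for
that account, and a success that follows a burst of failures (a sign the
password was guessed rather than remembered). Format and data are constructed.
"""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <user> <OK|FAIL> <source ip>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<result>OK|FAIL) (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)
FAILS_BEFORE_SUCCESS = 5  # assumed threshold; tune to your environment


def find_at_risk(lines, known_sources=None):
    """Return {user: [reasons]} for accounts that warrant a password change.

    known_sources maps user -> set of source IPs already known to be
    legitimate (assumed to come from your own baseline); defaults to none.
    """
    known = defaultdict(set, {u: set(s) for u, s in (known_sources or {}).items()})
    recent_fails = defaultdict(int)
    at_risk = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an authentication event
        user, result, ip = m["user"], m["result"], m["ip"]
        if result == "FAIL":
            recent_fails[user] += 1
            continue
        # Successful login: apply both heuristics, then update state.
        if ip not in known[user]:
            at_risk[user].append(f"success from new source {ip} at {m['ts']}")
        if recent_fails[user] >= FAILS_BEFORE_SUCCESS:
            at_risk[user].append(f"success after {recent_fails[user]} failures at {m['ts']}")
        recent_fails[user] = 0
        known[user].add(ip)
    return dict(at_risk)


# Constructed sample: alice logs in from her usual address, then from a new
# one; bob succeeds only after five failed attempts from an unknown address.
SAMPLE_LOG = """\
2018-05-01T08:00:01 alice OK 10.0.0.5
2018-05-01T08:02:11 bob FAIL 198.51.100.7
2018-05-01T08:02:14 bob FAIL 198.51.100.7
2018-05-01T08:02:17 bob FAIL 198.51.100.7
2018-05-01T08:02:20 bob FAIL 198.51.100.7
2018-05-01T08:02:23 bob FAIL 198.51.100.7
2018-05-01T08:02:26 bob OK 198.51.100.7
2018-05-01T09:15:00 alice OK 203.0.113.9
"""
BASELINE = {"alice": {"10.0.0.5"}}  # assumed known-good sources per user

if __name__ == "__main__":
    for user, reasons in find_at_risk(SAMPLE_LOG.splitlines(), BASELINE).items():
        print(user, "->", "; ".join(reasons))
```

Run as-is it reports bob for both heuristics and alice for the new source only; a real deployment would feed the flagged users into your "please change your password" workflow rather than printing them.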
4. Sharing Passwords – No, no, no, no, no!
Explicitly prohibit the sharing of passwords. Not only is it inherently insecure, but it completely removes your ability to monitor or audit use. Instead, if there is a genuine need for staff to have rapid emergency access to systems, consider alternatives to passwords such as RFID badges.
5. Password Strength
Good passwords are difficult for both humans and computers to guess, and many password strength meters are not good at dealing with these competing priorities. For more on what makes a great password, and what doesn’t, consult the NCSC’s guidance at https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach or contact us now for specialist advice.