Face It, Password Policies and Managers Are Not Protecting Users
Passwords haven’t worked as a solid security strategy in a long time. The policies are there, so why are passwords security’s weak spot?
If you use a computer, you probably already know this: Passwords are failing at protecting users.
“Passwords as a security strategy are dead,” said David Maynor, senior director of threat intelligence with Cybrary.
Passwords haven’t worked as a solid security strategy in a long time. Stolen credentials have long been a favorite attack vector for cybercriminals — they can get a lot of mileage out of a single password.
You don’t have to be a malicious actor to see how easy it is to use a password beyond its intended use. Even advice columnists are getting questions about password sharing and the ability to access multiple accounts without permission.
The use of passwords, however, is not the problem. It is the lack of protection around passwords themselves that leave them vulnerable.
The National Institute of Standards and Technology (NIST) created standards for password policy. There are password managers that are supposed to break users of their worst habit—reusing passwords.
But passwords continue to be misused, stolen and abused. The policies are there, so why are passwords security’s weak spot?
The NIST Password Standard
NIST Special Publication 800-63B Digital Identity Guidelines offers best practices for password lifecycle management, as well policy standards for other authentication methods. The guidelines for password management are straightforward:
Check passwords against breached password lists
Block passwords contained in password dictionaries
Prevent the use of repetitive or incremental passwords
Disallow context-specific words as passwords
Increase the length of passwords
Updates to the NIST framework have gotten rid of two old methods of password management: no more requirements to change passwords on a regular basis, which some believe is counterproductive; and no more complex passwords that must include a mix of upper and lower case letters, numbers, and symbols.
“The NIST password guidelines should be the baseline within the bigger picture of digital identities and authentication lifecycle management,” said Timothy Morris, chief security advisor at Tanium.
NIST frameworks serve as a baseline for overall cybersecurity systems for many organizations. The guidelines have been downloaded more than 1.7 million times and 16 sectors within the critical infrastructure rely on the framework.
Password Managers
Not having to create new, unique passwords every 90 days is a relief, but the NIST guideline to prevent the use of repetitive passwords is still a burden. It’s impossible to remember dozens of different passwords, and users are often discouraged from writing down their passwords.
The solution for many is to use a password manager.
“In a corporate environment, password managers not only enhance security but also optimize productivity,” said Teresa Rothaar, governance, risk, and compliance (GRC) analyst at Keeper Security.
Password managers allow IT administrators to control user password practices and enforce policies.
“Meanwhile, help desk personnel aren’t bogged down with password-reset tickets, and employees aren’t stuck in holding patterns due to lost or forgotten passwords,” Rothaar said.
Read the complete article on our sister site Cybersecurity Dive.
About the Author
You May Also Like