As technology continues its growth, we are experiencing the ever-increasing reliance on IT across all industries – defence being no exception. But with this dependency, there are serious security concerns; one such concern is passwords.
Many security experts have predicted that by the middle of this decade, passwords will become a thing of the past. Yet, here we are well into the last half of this decade with passwords still playing an essential role in unlocking everyday technological tools at work and at home.
So, rather than becoming obsolete, the use of passwords has risen over the years, mainly due to the surge of online services and the speedy adoption of technology in the workplace. But the underlying reasons for this climb can be attributed to the ease of implementation and the low-cost factor for many organisations.
This acceleration of password use, along with the security policy to set complex passwords has placed an unrealistic demand on most users, resulting in what is termed “password overload”. This sort of overload causes users to look for an easy solution to this issue by writing down passwords, reusing passwords, and even applying simple and predictable password-generation strategies like date of birth, address, and a pattern of keys on the keyboard. This sort of behaviour places systems in a vulnerable position to attacks, which often leads to grave security losses.
Now, since passwords are still the main authentication method being used in government, military and throughout industries today, what should an organisation consider when defining its password policy?
One strategy according to Ciaran Martin, Director General for Cyber Security at the Government Communications Headquarters (GCHQ) in the UK is “simplifying your organisation’s approach to passwords.” Writing in a paper entitled “Password Guidance: Simplifying Your Approach” that was released in 2015, Martin went on to explain that the results of this approach will “reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage.”
As a British intelligence and security organisation, GCHQ is responsible for rendering signals intelligence (SIGINT) and information support to the British government and armed forces. Working jointly with the Centre for the Protection of National Infrastructure (CPNI) in the UK, GCHQ produced a password guide which describes a few key areas that organisations need to consider when creating a password policy. For organisations looking to revise or create a new password policy, this is a good starting point to assist in keeping systems secure.
The first area is to ensure that all default passwords are changed prior to deployment. As elementary as this sounds, there have been cases where default passwords were not changed for many devices used by organisations. One case was highlighted by the Carna Internet Census which found in 2012 “several hundred thousand unprotected devices on the Internet.” This apparent oversight leaves crucial infrastructure unsecured and open to malicious intrusion. To combat this lapse, set a plan to change all default passwords before deployment and perform regular checks for unchanged default passwords.
Another area is to help users cope with password overload. Today, we have an abundance of passwords that we are responsible for; to cope with this volume, the paper recommends using passwords only where needed and avoiding systems with no security requirements. The use of technical solutions like single sign-on and password synchronisation should be considered to reduce overload. Further, allow users to securely record and store their passwords, and avoid setting a policy to change passwords at intervals – this places a burden on users who are likely to choose passwords that are just a variation of the old. Only ask users to change their passwords on indication or suspicion of compromise. Finally, never allow or tolerate password sharing.
Understanding the limitations of user-generated and machine-generated passwords is another key area to consider. It is quite common for users to reuse passwords between work and personal devices. This should be strictly avoided. Machine-generated passwords, on the other hand, are very difficult for users to remember, which increases the possibility of resets and insecure storage. The paper recommends using passphrases like four random dictionary words and even giving users a choice of passwords so they can find one that is easy to remember.
Prioritising administrator and remote user accounts is another critical key in defining a password policy. Administrator accounts should not be used daily; these personnel should have standard accounts for normal business use. This lowers the risk of a compromise to the whole system which administrators control. For remote users, a two-factor authentication policy is recommended which provides a second layer of security.
Another vital aspect to consider is to is implementing account lockout and protective monitoring. Configure your password systems to allow only a limited number of attempts or a time delay between login attempts to defend against brute force attack.
Lastly, don’t store passwords in plain text format. If passwords are to be kept in a written format, use encryption and add a layer of protection to those files.
The areas highlighted in the report from the GCHQ and CPNI are just a guide and not an exhaustive list. Nevertheless, this is a good start to build a sound password policy.