Using passwords as a primary means of authentication for account logins is not going away soon. Despite the work being done to bring in other authentication mechanisms, passwords are here to stay – at least for the near future.
We don’t use passwords because they’re the most secure option today; we use them because they’re convenient and cheap compared to the cost of massive deployments of biometric devices or other infrastructure.
That makes it important to keep improving the security, convenience and cost of how we use passwords. Here are three ways information technology teams can improve security simply by shoring up how they handle password resets – a small slice of the password operations ecosystem.
Assess the frequency of password resets. A long-standing best practice for password use has been a mandatory password change every 90 days. The logic was that if you were compromised, the unauthorized user would at least be locked out within a 90-day period once your credentials were updated. Research has shown, however, that frequent mandatory changes can lead to weaker passwords that are easily cracked – within seconds.
It’s possible that less frequent changes would prompt employees to create stronger, yet memorable, passwords from the start, thus improving security.
Verify, verify, verify the user. At some point, everyone forgets their password or gets locked out of their account and has to engage the IT team. For service desk team members, calls like this put you in the hot seat. You often have a desperate user on the line (or on instant messenger), but you also need to maintain strict protocols for ensuring the caller is who he or she claims to be.
This is the time to put a variety of mechanisms in place to help you be absolutely certain you’re resetting the password for the account owner. Security questions whose answers can’t be guessed, socially engineered or found online elsewhere are good options. This summary of the experience of Mat Honan, the technology writer who was hacked, shows the importance of user verification.
Incorporate automation and self-service. Cheap doesn’t mean password use comes without cost. For a company of 1000 employees working 2000 hours a year and calling the service desk 1.2 times a year for password resets, the cost could be half the average employee’s annual salary – tens of thousands of dollars, at least. And what about the consumers who need to reset their passwords? If those come into the mix, password resets would be a huge line item on any IT budget.
By safely incorporating automation and password reset self-service, you can cut the cost of password management and keep customers happy.
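The "safely" in the previous paragraph is where self-service reset schemes usually go wrong, so here is an added example (not code from the original post or from ZZ Servers) of the minimum a self-service reset flow should get right: the token is drawn from the OS random generator, only a hash of it is stored, it expires, it is consumed on the first attempt whether or not that attempt succeeds, it is bound to one account, and the "forgot password" endpoint answers the same way for known and unknown addresses so it cannot be used to enumerate users. The account directory, e-mail addresses and the 15-minute lifetime are constructed assumptions for the demonstration, as is the injectable clock used to exercise expiry.

```python
"""Self-service password reset tokens: random, hashed at rest, time-limited, single-use."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15 minutes is enough for e-mail delivery

# Constructed sample directory (e-mail -> account id); not real accounts.
ACCOUNTS = {"alice@example.com": "acct-1001", "bob@example.com": "acct-1002"}

# Constructed credential table (account id -> (salt, pbkdf2 hash)), filled by set_password().
PASSWORD_HASHES = {}


def _digest(token: str) -> str:
    # Only the SHA-256 of the token is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def set_password(account_id: str, new_password: str) -> None:
    # Never store the new password itself; salt it and stretch it with PBKDF2-HMAC-SHA256.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, 600_000)
    PASSWORD_HASHES[account_id] = (salt, digest)


class ResetTokenStore:
    def __init__(self, ttl: int = TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised without sleeping
        self._tokens = {}  # token digest -> (account_id, expires_at)

    def request_reset(self, email: str):
        """Handle a 'forgot password' request.

        Returns the raw token for the mailer (None if the address is unknown), plus the
        message shown to the requester, which is identical either way so the endpoint
        does not reveal which addresses are registered.
        """
        account_id = ACCOUNTS.get(email)
        token = None
        if account_id is not None:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self._tokens[_digest(token)] = (account_id, self._clock() + self._ttl)
        return token, "If that address is registered, a reset link has been sent."

    def redeem(self, email: str, token: str) -> bool:
        """Validate a token presented with the reset form; consumed on any attempt."""
        entry = self._tokens.pop(_digest(token), None)  # single-use, even if checks below fail
        if entry is None:
            return False
        account_id, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Bind the token to the account that requested it (constant-time compare).
        return hmac.compare_digest(account_id, ACCOUNTS.get(email, ""))

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Only a valid, unexpired, unused token for this account may change the password."""
        if not self.redeem(email, token):
            return False
        set_password(ACCOUNTS[email], new_password)
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    token, message = store.request_reset("alice@example.com")
    print(message)
    print("reset completed:", store.complete_reset("alice@example.com", token, "correct horse battery staple"))
    print("replay accepted:", store.complete_reset("alice@example.com", token, "another one"))
```

The lookup by token digest is the usual trade-off: the token itself carries 256 bits of entropy, so what protects it at rest is the hash, and the account binding in `redeem` is what stops a token issued for one user being presented with another user's address. A production deployment would add rate limiting on `request_reset` and invalidate all outstanding tokens for an account once one is used.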
At ZZ Servers, we know these and other password security measures are critical and incorporate the best practices for our customers and ourselves. For additional information, Carnegie Mellon University has published Guidelines for Password Management for its students, faculty and staff, which contains additional guidelines for those employees who are responsible for IT administration.