stawart.com

http://www.ecomagination.com/earthscraper-concept-takes-sustainable-design-underground

Repel those old school best practice junkies!

If you read about the studies on security incidents, 80% are caused by internal staff and this really needs to be kept in mind when exploring this topic. Risk management philosophies will suggest you cannot prevent all risks so you have to focus one most common ones or more specifically, ones that put you at highest risk. Translated then, with respect to password security, the focus must be for us to create and install password standards strong enough to keep from guessed or quickly being brute forced but the biggest focus is that passwords need to be simple enough to keep people from writing them down.

We need to install password controls for our users which protect people from themselves but balance humanities limited abilities to remember things without writing them down.

My suggestions are:

1. Allow user and go so far as to encourage them to use the SAME password on systems Why: To improve security of our world, you must take into account humanity or at least consider what 90% (or at least 50%) of the world is capable of technically or from a environment perspective. Lets face it, most of the people outside of IT see the endless pile of access accounts and passwords as job creation for IT people. The remaining people have no knowledge at all as to the risk the they are creating for themselves, us or their employers. The knee jerk reaction from the typical IT person is that we need to protect people from themselves for their own good and I agree – somewhat!
2. Make your passwords and setup your systems to require 7 char or longer (to infinity keeping in mind some systems limit this). Sentences are a great idea. However a password that is mandated too long will ensure people struggle to come up with a password and if they struggle to think of a password, they will struggle to remember it.  If they struggle to remember it, they will write it down.  Bad.
3. Require “strong” passwords. This to me means defined by me as requiring upper/lower/symbol.  Do not get more complicated such as disallowing a number at the front or behind.  This again ensures that the password will be hard to remember again.
4. Purchase or build systems that use pass thru authentication (or get rid of passwords and move biometrics or some other 2 factor based solution)
5. If you work at a company/corporation and build systems, try to use central password directories such as AD or some other federated system. This makes it easy for people as they will have less passwords to remember and you still have control of what they see by installing role based authorization.
6. DO NOT activate password rotation despite what the security propeller-heads, and robots say at SANS etc.  Think of your bank; do you HAVE to change your PIN with them?????  The key here is that you have to get people to treat their password like a PIN and protect it.  Only encourage people change their password if they are worried that it may be compromised. If you must turn on rotation due to audit or regulatory compliance, ensure that all your password directories for all of your system password expire all at the same time for a user so that they change their passwords in one fell swoop again minimizing the chance that they need to write them down

What IT professionals need to realize is that our users cannot relate to malware zombies that steal passwords and have no capacity to remember the myriad of usernames and password combinations we submit them to. We need to disregard old school theories around security that suggest all password “best practices” need to be turned on and set to the max. All we do is ensure that people, including many of us reading these articles wil be compelled to write them down submitting themselves to potential internal incidents which are far more likely. Finally, we must educate our less technical people around us that there are real risks out there but also spend time to show them how they can fall victim to the risks and explain what they can do with simple behaviour to save their skin.