By Paul Parker, SolarWinds Federal & National Government Chief Technologist
It turns out that the lowest-hanging fruit for hackers comes from user-generated passwords. According to the Verizon® 2017 Data Breach Investigation Report, 81% of hacking-related breaches were the result of a weak or stolen password.
What does this mean for federal agencies? It means that along with creating a sound security posture through a solid foundation of processes and tools, password security should be top of mind.
Creating a Solid Password
Users tend to create short, simple passwords or reuse passwords across multiple accounts. Or, they resort to common strategies like switching out every “a” for a “4,” every “e” for a “3,” and so on. The challenge here is that humans are not the ones guessing passwords; humans use machines to guess passwords. So, while the letter-replacement strategy may be difficult for humans to figure out, it’s simple for a computer.
What’s the solution, then? How can a federal IT security pro help ensure users create stronger passwords?
The National Institute of Standards and Technology (NIST) has been working for several years to provide updated rules and regulations for protecting digital identities. NIST published these new rules in June 2017. The overall theme of NIST’s guidance on passwords in particular is to keep it simple. Let users create long, easy-to-remember passwords without mandatory special characters or mixed uppercase and lowercase letters. The use of a “pass-phrase” instead of a “password” is a key component of alignment with the new NIST recommendation.
Within the overall guidance, NIST provides the following basic guidelines that every agency can follow specifically for creating and protecting passwords.
First, do not rely on passwords alone for protection. Be sure end-users are taking advantage of all possible methods of protecting security—such as implementing multi-factor authentication.
Next, train users to have a better understanding of what a strong password looks like. Having a combination of uppercase and lowercase letters, numbers, and symbols is old thinking. A phrase with multiple unrelated words is a far better choice.
Ask users to adopt a passphrase that would be difficult to guess because of its length and its random combination of words, but that is easy to remember through a visual cue.
Third, be sure users are using different passwords for different accounts (banking, email, etc.). It is incredibly common for users to have the same password for multiple things; this is highly insecure and should be just as highly discouraged. Their government network password should not be the same one that they use in everyday life. This can limit the exposure should a breach occur.
Finally, encourage users to consider implementing a password management solution. A password manager generates and stores all user passwords—and any other security-related information, such as PINs, credit card numbers, or CVV codes—across all online accounts, in a single location. With a password manager, users need only remember one password. Easy.
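The two points above that a machine undoes letter-for-symbol substitutions in an instant, and that a phrase of several random words beats a "complex" single word, are easy to demonstrate. The following is an added example, not code from the original article, SolarWinds, DLT or NIST: a small password-acceptance check in the NIST style (a length floor plus a blocklist check that first strips the substitutions and trailing digits users add, with no composition rules), alongside a passphrase generator and an entropy comparison. The blocklist and eight-word list are constructed for the example; a real deployment would load a breach-derived blocklist with millions of entries and a full Diceware-style word list (the 7776-word size used in the comparison is that list's size). The 100,000-word dictionary and 32 substitution variants per word are assumed round numbers for the comparison only.

```python
import math
import re
import secrets

# Constructed blocklist for this example. A real deployment loads a breach-derived
# list with millions of entries, which is the kind of check the NIST guidance calls for.
COMMON_PASSWORDS = {
    "password", "12345678", "letmein", "welcome", "qwerty",
    "football", "sunshine", "iloveyou",
}

# Substitutions users commonly make, mapped back to the letter they stand in for.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "|": "l",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 8  # length floor only; no composition rules, per the NIST approach


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it was built from:
    drop the trailing digits/symbols people append ('123', '!'), lowercase,
    and undo letter-for-symbol substitutions, so 'P@ssw0rd!' becomes 'password'."""
    core = re.sub(r"[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET_MAP)


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects short passwords and anything that is a
    common password either as typed or after undoing substitutions."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    candidates = {password.lower(), normalize(password)}
    if candidates & COMMON_PASSWORDS:
        return False, "matches a common password (as typed or after undoing substitutions)"
    return True, "ok"


# Constructed eight-word list so the example runs offline; a real Diceware-style
# list has 7776 words, which is the size used in the entropy comparison below.
WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "window", "pencil", "river"]


def generate_passphrase(word_count: int = 4, wordlist=WORDLIST) -> str:
    """Pick words uniformly at random with the secrets module (not random.choice)."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count independent uniform picks from a list of list_size words."""
    return word_count * math.log2(list_size)


def substituted_word_entropy_bits(dictionary_size: int, variants_per_word: int) -> float:
    """Rough upper bound for a dictionary word with letter substitutions: a guesser
    only has to try each dictionary word in each of its substitution variants."""
    return math.log2(dictionary_size * variants_per_word)


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Footb4ll99", "short1", generate_passphrase(4)]:
        print(f"{pw!r}: {check_password(pw)}")
    print("4 words from 7776:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("substituted dictionary word:",
          round(substituted_word_entropy_bits(100_000, 32), 1), "bits")
```

Run as a script, it shows "P@ssw0rd!" and "Footb4ll99" rejected because they reduce to blocklisted words, while a four-word passphrase is accepted; the comparison puts four random words from a 7776-word list at roughly 51.7 bits against roughly 21.6 bits for a substituted dictionary word under the assumed numbers. The check deliberately imposes no uppercase/digit/symbol requirement, which is the substance of the "keep it simple" guidance the article describes.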
In our federal environments, we aren’t lucky enough to simply grab a best-in-breed commercial password management solution. System architects and engineers should consider a business case for privileged access and password management at an enterprise level. There are many robust and approved ways to help keep the systems safe and secure. Hackers are creative, and IT teams should be too.
Creating a Foundation for Solid Passwords
While creating the password itself is ultimately the user’s responsibility, there are things that federal IT security pros can do. Start with the NIST guidance, ensure that your agency-specific policy is up to date, and implement proper controls and solutions to meet the established goals. Beyond password creation and protection, federal IT security pros should work with internal security teams to regularly scan the network and ensure proper compliance.
Be sure to have a solid security foundation and routine security awareness training, and run testing and validation processes as often as possible. Reducing your exposure and being proactive in addressing weaknesses will make your agency a far more difficult and less appealing target.
Find the full article on our partner DLT’s blog Technically Speaking.