
What Agencies Should Consider When Updating Password Protocols in 2018

By Paul Parker, SolarWinds Federal & National Government Chief Technologist

It turns out that the lowest-hanging fruit for hackers is user-generated passwords. According to the Verizon® 2017 Data Breach Investigation Report, 81% of hacking-related breaches were the result of a weak or stolen password.

What does this mean for federal agencies? It means that along with creating a sound security posture through a solid foundation of processes and tools, password security should be top of mind.

Creating a Solid Password

Users tend to create short, simple passwords or reuse passwords across multiple accounts. Or, they resort to common strategies like switching out every “a” for a “4,” every “e” for a “3,” and so on. The challenge here is that humans are not the ones guessing passwords; humans use machines to guess passwords. So, while the letter-replacement strategy may be difficult for humans to figure out, it’s simple for a computer.

What’s the solution, then? How can a federal IT security pro help ensure users create stronger passwords?

The National Institute of Standards and Technology (NIST) has been working for several years to provide updated rules and regulations for protecting digital identities. NIST published these new rules in June 2017. The overall theme of NIST’s guidance on passwords in particular is to keep it simple: let users create long, easy-to-remember passwords without mandatory special characters or a mix of uppercase and lowercase letters. Using a “pass-phrase” instead of a “password” is a key component of alignment with the new NIST recommendation.

Within the overall guidance, NIST provides the following basic guidelines that every agency can follow specifically for creating and protecting passwords.

First, do not rely on passwords alone for protection. Be sure end-users are taking advantage of every available protective measure, such as multi-factor authentication.

Next, train users to have a better understanding of what a strong password looks like. Having a combination of uppercase and lowercase letters, numbers, and symbols is old thinking. A phrase with multiple unrelated words is a far better choice.

Ask users to adopt a passphrase password that would be difficult to hack based on its length and random combination of words, but can be easy to remember through a visual cue.

Third, be sure users are using different passwords for different accounts (banking, email, etc.). It is incredibly common for users to have the same password for multiple things; this is highly insecure and should be just as highly discouraged. Their government network password should not be the same one that they use in everyday life. This can limit the exposure should a breach occur.

Finally, encourage users to consider implementing a password management solution. A password manager generates and stores all user passwords—and any other security-related information, such as PINs, credit card numbers, or CVV codes—across all online accounts, in a single location. With a password manager, users need only remember one password. Easy.

In our federal environments, we aren’t lucky enough to simply grab a best-in-breed commercial password management solution. System architects and engineers should consider a business case for privileged access and password management at an enterprise level. There are many robust and approved ways to help keep the systems safe and secure. Hackers are creative, and IT teams should be too.
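A verifier-side check in the spirit of the guidance above, as an added example that is not from the article or from SolarWinds: it judges length rather than character classes, undoes the letter-for-digit substitutions the article says fool only humans before comparing against a blocklist, and rejects character runs and agency-specific words. The 8- and 64-character bounds come from NIST SP 800-63B (the June 2017 rules the article refers to but does not quote), and the blocklist is a constructed sample.

```python
# Added example: a minimal NIST-style password check (not the article's code).
# Constructed sample blocklist; a real deployment would load a breached-password corpus.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou"}

# Reverse the "a -> 4, e -> 3, ..." substitutions the article says only fool humans.
LEET_MAP = str.maketrans("4@3!10$5", "aaeiloss")

MIN_LEN, MAX_LEN = 8, 64  # SP 800-63B: require at least 8 chars, accept at least 64


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions."""
    core = pw.lower().rstrip("0123456789!@#$%^&*.-_")
    return core.translate(LEET_MAP)


def has_run(pw: str, length: int = 4) -> bool:
    """True for runs such as 'aaaa' or 'abcd'/'1234' (consecutive code points)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + length - 1)}
        if steps == {0} or steps == {1}:
            return True
    return False


def check_password(pw: str, context_words=()) -> list:
    """Return the reasons to reject pw; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    norm = normalise(pw)
    if norm in COMMON_PASSWORDS:
        problems.append("common password once substitutions are undone")
    for word in context_words:  # e.g. username, agency or system name
        if word.lower() in norm:
            problems.append("contains context word %r" % word)
    if has_run(pw):
        problems.append("repeated or sequential characters")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "abcd1234", "blue kettle orbit marathon"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that a long passphrase of unrelated words passes with no composition rule at all, while "P@ssw0rd!" fails even though it would satisfy an upper/lower/digit/symbol policy.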

Creating a Foundation for Solid Passwords

While creating the password itself is ultimately the user’s responsibility, there are things that federal IT security pros can do. Start with the NIST guidance, ensure that your agency-specific policy is up to date, and implement proper controls and solutions to meet the established goals. Beyond password creation and protection, federal IT security pros should work with internal security teams to regularly scan the network and ensure proper compliance.

Be sure to have a solid security foundation and routine security awareness training, and run testing and validation processes as often as possible. Reducing your exposure and being proactive in addressing weaknesses will make your agency a far more difficult and less appealing target.

Find the full article on our partner DLT’s blog Technically Speaking.

13 Comments
Level 13

Good Article. First came across the idea of a phrase a number of years ago and it made a lot of sense. The numbers and special characters were always going to be simplified by real users.

Many challenges remain:

  • Teaching people how to create appropriate passwords:
    • Corporate security standards must be created
    • Policies must be created to ensure users are required to meet the standards
    • Passwords must meet corporate security standards
    • Corporate security standards must be tested and enforced for all users / accounts
    • Corrective actions / remediation must be used with users who do not comply with the standards / policies
  • Finding ways to create appropriate passwords that are still easily remembered and used by staff
    • Methods discussed for creating memorable and difficult passwords must remain confidential to prevent others from using/guessing passwords
    • Users must not be allowed to use example passwords, or simple variations on example passwords
  • Where multiple passwords are required, ensuring users do not utilize easily hacked methods of recording them for easy access (e.g.: writing credentials on Post-It Notes and attaching them to monitors or hiding them under keyboards or in their top left drawer of the desk)
    • Corporations must provide and require one supported password safe, and users must be required to only use it and no other
  • Passwords must not change so frequently that users resort to unsecure methods of recording / accessing them (e.g.: Some of my systems' passwords change every thirty days; others change every six months. Guess which ones are most likely to be recorded insecurely.)
  • Higher vulnerability access (i.e. through firewalls, from the Internet-to-Internal devices, to PCI or other highly desired environments) must use MFA or equivalent.
  • Solutions must be developed to prevent each leg of the "Security Stool" (1. Who you are. 2. What you know. 3. What you have.) from being digitized and put at risk of being shared / stolen. Most specifically, the "Who you are" section. "Who you are" means something unique to you: your fingerprints, retina pattern, DNA, etc. Once you surrender that for corporate use as part of MFA, the info is digitally stored and potentially vulnerable to theft. What will you do when someone has your retina pattern through the Internet and shares it to the world? Get new retinas? I think not.
MVP

Nice article

Level 10

Great article. The sad thing is, it all comes down to the human element. And that is where it always has, and unfortunately, always will fail. All of the training, lecturing, and threatening over how many years now hasn't produced the desired effect. Passwords continue to be weak.

Level 11

Well said. With that, I know the DoD side is forcing the use of 2FA for web logins, access to network devices with the use of 3rd party software for network admins, and 2FA for workstations. I know the organizations have implemented password creation rules where there is 1 upper case, 1 lower case, 1 number and 1 special character. Sometimes little twists are added, like you can't have certain special characters or they cannot repeat, like doing a !!. They also set it up so you can't use the last 10 - 15 passwords that were created. Makes for a user headache but increases security.

What is the downside to that? Users will write their passwords down on a piece of paper when passwords are required.

We humans are the weakest link.

Level 20

For us now password complexity is just part of the problem... we have to have two factor authentication right now which means having tokens for everything and it's a finding to not have everything two factor.

MVP

I for one love to haul around multiple token generators on my lanyard and then forget which goes for which access. But if it allows for a shorter password or one that doesn't change every 36 hours, then I will gladly wear a string of hardware tokens around my neck like a Hawaiian lei.

Level 20

Actually Windows default is it remembers the last 24 passwords. For systems that still require a password I have a system and I do eventually reuse passwords but only after like 99 others have passed by...

Level 14

Good stuff there. Interesting to note that the guy responsible for us using combinations of upper case, lower case, numbers, special characters and letter/number swaps has come out and said he was wrong and that made it easier for accounts to be hacked. Unusual to find an industry 'expert' admitting a mistake.

The man responsible for passwords says advice was wrong | Daily Mail Online

MVP

The balance between what a user can remember and something difficult to crack has always been the tricky part of passwords. The key seems to be keeping users aware of the changes and keeping them thinking of security, not just convenience. As mentioned in the article, letter replacement used to be a good idea, but not any more. I remember a time when a 6 character password was considered good. We have to break away from old thinking and stay on the front of what it takes to maintain a secure environment.

As a tip - Great Customer Service - this is what will keep your users interested in listening.

Level 13

How about an embedded chip in your arm that unlocks your computer. Oh yeah, also the government can track you too. Everything is hackable.

Level 14

I must admit that this has been an area I've struggled with for some time now. Not in the sense that I have used "1234" or something that silly, but I've used the same variations forever now. Very interesting article petergwilson!

Level 11

Passphrases!

About the Author
Paul Parker is a 25-year information technology industry veteran and an expert in government. He leads SolarWinds’ efforts to help public sector customers manage the security and performance of their systems by using technology. Parker most recently served as vice president of engineering at Infoblox’s federal division. Before that, he served in C-level or senior management positions at Ward Solutions, Eagle Alliance and Dynamics Research Corp.