Every time a data breach hits the headlines it is accompanied with calls for organisations to find ways to better manage passwords, misguided advice on how to make them stronger, or suggestions for alternatives. The move away from password-based login credentials is for most (whether consumer or corporate) the goal, but there needs to be a clear strategy in place for this migration in place.
So, rather than simply saying ‘You need to replace passwords’ here are some practical steps to get you thinking today about how you can begin to address the password problem once and for all.
Take stock of your password landscape
- The first step is to fully understand the scale of the problem. Consider how many different systems are in use that have their own password policy.
- Look at which systems are “stuck” in a password world, and which can support new standards, e.g. OpenID, SAML etc.
Consolidate policies
- If you have various policies it is advisable to update them to a single updated policy that is in line with NIST 2017 guidance. Having fewer variations to deal with will help simplify future changes. What’s more, by settling on an updated policy it will also help with your current compliance requirements.
Identify possible password replacements
- We are no longer in a world of limited technologies. In the 1980’s people waited to see who would win the battle between Betamax and VHS before committing. In today’s competitive world there are huge commercial advantages of being a savvy early adopter.
- You have nothing to lose by running a short-term pilot with a limited group of users within a team or department.
- Remember. you do not need to replace like-for-like and the goal should not necessarily be to find a single alternative. For example, it may be enough for a fingerprint (or face recognition) to provide the user with access to certain services, but for transactions or sharing of confidential information, you may want a multi-factor solution.
Roll it out
- Begin by targeting key user account databases first, e.g. Active Directory as this will deliver the biggest improvement to your security and consequently remove your largest headache.
- Training should be offered, however, the key to a successful password replacement is that it is intuitive and instinctive to use, so this shouldn’t be a major consideration.
There is no silver bullet; there is no one way to solve all problems, so don’t wait for one, get started where you can today.
