It is well known that longer passwords are more secure than short ones, however, when it comes to IT security users will usually do the bare minimum. If a password policy only requires an 8 character password, most users will only use 8 characters and no more. This behaviour is partly down to laziness, but it is also pragmatic since they will probably be forced to change it again soon anyway.
Go Stronger for Longer
What if you could encourage somebody to create a longer password by rewarding them with the ability to keep it for longer? Changing a password every 42 days (for example) no matter what is a huge burden to people and businesses, and it doesn’t add much real-world security value either. NIST currently recommends against passwords expiring at all, although many organisations are slightly uncomfortable in doing so. In reality, passwords do not have a set shelf life, like milk or salad.
Dynamic Password Expiry: Authlogics Password Security Management (PSM) bridges the gap between a fixed expiry date and the NIST guidance to never expire by allowing for a sliding scale. Simply put, the longer a password is the longer it can be kept for. If it is long enough you may be able to have it never expire.
The administrator can configure multiple “zones” based on length of time and number of minimum characters as needed. When a user changes their password a simple meter is displayed to show the user how long they can keep their password for as they type.
Passwords v Passphrases
Passphrases are essentially just very long passwords but without all the complexity requirements. Passphrases have significantly higher entropy than a password simply down to their length and are thus much harder to brute force / reverse a hash. Passphrases are also much easier for users to remember as they may only need to recall 4 or 5 random words and not have to remember if they put a “1” or an “!” at the end.
If they are mathematically more secure and easier to use, why aren’t they used more? The reason is basically because “complex” password policies make passphrases almost impossible to use. If a policy forces you to put in upper case, lower case, special characters, and numbers, all while limiting the length and blocking any spaces it is possible to create a “complex” password that you will never remember however you would not be able to use a passphrase like “correct horse battery stable”.
Authlogics allow you to use both traditional passwords as well as passphrases by applying a different set of rules for each. If a password entered is longer than a specified length then it can be treated as a passphrase.
Reporting for duty every day
IT security pros are familiar with penetration tests which include password policy assessments; some even include password breach testing of individual accounts; with mixed results. While a point-in-time test can add some value, it does not solve the moving target problem of password security.
Imagine having a fresh password audit of every single user account, based on live breach data, sitting in your inbox every day. Then imagine if the report also told you what action has been taken on the accounts using a breached or shared password.
Authlogics PSM does just that – an automatic daily password audit with fixes. A scheduled scan will identify all accounts with a breached or shared password. It can then notify the user or their manager as well as provide the administrators with a full list of affected users. The remediation engine can automatically address the problem by either disabling the account or forcing the user to change their password at the next logon. This continuous cycle, plus the real-time checking when a password is changed, ensures that only non-compromised and unique passwords are being used.
Don’t let sleeping accounts lie
Every network has user accounts that have not been used in a very long time, like a dormant volcano, the risk they pose is often overlooked until they explode. Dormant accounts may have access to confidential data, may have elevated privileges, and certainly have an unmaintained password. In fact, the recent Colonial Pipeline breach in the USA was achieved via an old unused account.
Authlogics PSM can monitor for dormant Active Directory and MFA accounts for you. Daily alerts can let you know which accounts have not been used within a specified number of days, and the account can also be automatically disabled to eliminate the risk.
Servicing your service accounts
Service accounts are the same as normal user accounts except that they are used by an application instead of a person. IT administrators are always wary of password policy changes effecting service accounts as nobody wants to break an application. Service accounts are prime targets for bad actors as they are easy to spot by name, they rarely have their password changed and they normally have privileged access to data and systems.
Authlogics PSM caters for service accounts in various ways including being entirely excluded from alerts & remediation via a group. It is still recommended that they are included for real-time scanning to ensure that a breached password isn’t used when it is changed.
Want to level up your password security? Talk to Authlogics about how PSM’s latest dynamic features will benefit your enterprise.
For existing PSM customers, please download your update here.