Johannesburg, 22 Jun 2009
Good corporate governance requires companies to force users to change their access passwords as regularly as once per month for those with access to sensitive systems, or at least once per quarter for the rest. This rarely happens, because administrators are unwilling to force the issue and don't understand the implications of poor password management.
“Poor password management opens the door to industrial espionage, hackers, bandwidth thieves and fraud,” says Amir Lubashevsky, executive director of Magix Integration. “Not to mention the very expensive helpdesk costs associated with reissuing passwords on a regular basis once users have forgotten them - a regular Monday morning occurrence.”
Companies all over the world find it extremely difficult to enforce password discipline, leaving a gaping vulnerability in their security nets.
Solutions to this issue have been designed, such as two-factor authentication with tokens or smart cards, but with limited success. The problem is that people still need their password to log in and are liable to select a word or alphanumeric combination that is easy to remember instead of difficult to guess. This is a weakness in the process.
“The matter is complicated even further when one looks at administrative staff and others with access to sensitive data and systems,” Lubashevsky adds. “It is common practice worldwide to assign one person one password to access a multitude of sensitive or high-value systems, putting many systems at risk at once.”
The optimal risk mitigation strategy would be to assign a different password for each of these systems, but asking staff to remember multiple passwords is a mistake. These access keys will end up written on post-it notes, or in diaries which are easily available to anyone, especially those with malicious intent.
“There is no perfect solution to poor password management unless technology is involved,” Lubashevsky suggests. “Starting out by implementing two-factor authentication with tokens immediately adds a level of security to access control, as will bringing biometrics into the process.
“The optimal solution would be to have a server acting as a central password management console assigning rights to different systems by assigning random passwords as required. This is not as complex as it sounds as there are solutions in the market that accomplish this.”
Randomised password assignment will see a password propagated from the central console to a target system for a specific user according to the task that needs to be performed. The password is unknown to others and useless once used the first time, making this method of password management more secure and completely auditable.
Poor password management can damage companies in multiple ways, from fraud to negative public opinion and even into bankruptcy. Optimal password management reduces and even eliminates many of these vulnerabilities without requiring large investments in time or money. Leaving safe keys unattended would be considered foolish; it is as inconceivable to leave the keys to IT systems and data open for abuse.
Share