So what are you doing about passwords?

You realize the password problem is getting out of hand. We are requiring (or asking, or begging) people to

  1. use a separate password for everything,
  2. make their passwords longer,
  3. use symbols, numbers, upper case, etc., and
  4. change their passwords more often.

There are articles like "How to Create a Good Password that You Will Never Forget" or the following video by Google:

The ideas on these two sites are fine when you think about creating a single password. But what about the dozens or hundreds we all have across work, school and home? Because we are making it harder, many people will take the simplest route possible when they have to change a password: they will write it down, or keep reusing the same one across different sites.

I don’t think this is getting better and I don’t think IT is helping. We have no answer.

Is your organization doing anything interesting to help with this problem? Are you using any of the password vault tools available? Any other methods? I’d like to hear your thoughts on what we should do and how to effectively solve it at an organizational level.

Related, I was accessing a company site recently and the site brought up an ugly security warning telling me I needed to accept something. IT should never allow that to happen because it trains those who encounter it to just say yes or accept or install without a clue about what it means. Just like we all seem to agree to license terms on new software installs without even pausing to read the agreement.

11 thoughts on “So what are you doing about passwords?”

  1. Hi Mark,

    I think in this age of Federated Identity, a user shouldn’t have to key in their credentials more than once to log in to enterprise apps during the course of the workday. A user should only have to log in to their workstation and thereafter be automatically logged in to any other apps he/she may need to access during the course of the day. The Kerberos tickets from the workstation logon should be converted to SAML tokens using SPNEGO for web apps, and OpenID for cloud-based apps. Any application that doesn’t support Federated Identity based login should be weeded out during the discovery phase. Even raw API access should be handled using SAML tokens instead of username/password.

    Saqib

  2. As much as I agree with Saqib on federated identity (we’re big fans of SAML at Identigral), relying on that as the ultimate solution would only cover a tiny portion of the IT application portfolio. Stopping barbarians at the gate (so to say) by requiring compliance with SAML isn’t going to magically remove passwords from all these applications that are already alive and well in IT. We’ve dealt with this problem many times, both at the enterprise level as well as at the personal level. For personal use, password vaults work well. Popular password vault applications exist on many devices (incl. mobile) and form factors (USB, don’t store anything in the registry, etc.). With keyboard shortcuts and various other enhancements that speed up the time it takes to log in, a password vault is a Good Thing ™. We like Password Safe and KeePass (both free), but there’s a multitude of others. Some password vault applications have grown up to the point where they offer enterprise editions.

    At the enterprise level, there are a variety of single sign-on (SSO) solutions. Some of them handle web apps with or without SAML, some only deal with mainframe or client/server, some take care of UNIX access and so on. All of these tools have a problem: the target application must change to integrate with the SSO solution. Getting rid of username/password becomes a very expensive (if at all possible) proposition. However, there’s one class of SSO products that does not require the application to change at all, the so-called Enterprise Single Sign-On (ESSO). ESSO is a client-side technology that has a footprint on the user’s desktop. It captures your username/password for any application and then fills it in for you when the application prompts you for it. You can still have administrative policies and overrides as well as many other bells and whistles, so it’s far from being something that cannot be controlled once released into the wild. Managing the deployment to the desktop has long been addressed by Microsoft and countless 3rd parties.

    Since ESSO is a very old (and therefore mature) technology that predates the rise of web applications, it has gotten a bad rep in corporate IT. Deploying things to the desktop for that many users? Why, we’re all up in the cloud, we shouldn’t need a desktop. Rrrright. Yet ESSO is the only tech that can solve the password problem at the enterprise level in a cost-effective fashion.

    1. Deborah,

      I wouldn’t say ESSO solutions are cost-effective. In fact they cost a lot to license, support, administer, and maintain for both IT and the end user. In any case I think ESSO solutions are a stop-gap measure, and should not be used as a long-term strategy. They do not address the proliferation of passwords; they just make it easier for the user to log in. I think enterprises need to address the more fundamental problem of multiple credential stores across various applications by ensuring that the applications they are purchasing or implementing have support for OpenID, SAML, or Kerberos.

      Saqib

      1. ESSO is very cost effective compared to just about any alternative since the greatest cost in implementation of SSO is the impact of a change on the target application. We have customers that have cost-justified ESSO on a basis of avoiding SSO-related changes to a single large application in a portfolio of 100+ apps. Furthermore it’s a technology that many people feel comfortable with as it’s essentially an enterprise-managed password vault.

        Mentally benchmarking our large customers and their efforts to curtail the spread of passwords, the best-in-class IT organizations do this in a multi-pronged fashion. They deploy SSO/ESSO solutions to relieve users from having to enter or remember more than one password. They synchronize passwords. As part of their procurement process they ask vendors to support standards. They consolidate identity stores (expensive and lots of sweat on this one). Given all of that, are they successful? I would say moderately so. Regardless of how creative you can get with a technical solution, the flood of passwords doesn’t stop and (I think) this is where Mark is coming from.

        …so why not use a free password vault and call it a day. People do it anyway. I think they call that “consumerization of IT” 😉

  3. IT has been conditioned to think that passwords are an effective solution to the authentication problem. But they are not, and in fact they are a risk for the organization. Passwords, no matter how strong or how frequently they are changed, are as secure as knowing “Your favorite sports team”. Solutions like ESSO and SAML cannot help with this issue and can only provide a false sense of security. I think the solution is to assume that passwords will be compromised and implement risk-based, multi-level identity proofing tied to data classification.

    1. While I agree that Risk based authentication w/ multi-level proofing would be better, it is not very practical or usable in an enterprise. There are certain systems where Risk based authentication w/ multi-level proofing tied to data classification makes sense, but not for everything.

      1. Yes, risk-based authentication is based on a risk scale, like what Google is doing today with its 2-step verification process.

        The solution to the password problem should be simple so users can adopt it, non-intrusive so systems can leverage it, and at the same time provide the right level of security.
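The risk-based, step-up approach discussed in comment 3 and its replies (assume the password will be compromised; demand more proof as data classification and context risk rise; a 2-step verification code as the second factor) can be made concrete. What follows is an added example written for this page; it is not code from the original post, from any commenter, or from any product mentioned. The risk signals, their weights and the score thresholds are illustrative assumptions. The second factor is standard TOTP (RFC 6238) over HMAC-SHA1, checked against the RFC's published reference secret so the numbers can be compared with the spec.

```python
"""Risk-based step-up authentication with TOTP as the second factor.

Added example, not from the post or its commenters. A toy risk model built from
data classification and a few context signals decides whether a password alone
is enough, whether a TOTP code (RFC 6238) must also be presented, or whether
the attempt is refused outright. Signal names and weights are assumptions.
"""
import hashlib
import hmac
import struct
import time

# Sensitivity of the resource being accessed; higher means more proof required.
CLASSIFICATION_RISK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps (clock skew).
    The comparison is constant-time so a wrong code does not leak matching prefixes."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + delta * 30), code):
            return True
    return False


def risk_score(classification: str, known_device: bool, usual_network: bool,
               recent_failures: int) -> int:
    """Illustrative scoring: classification sets the floor, context signals add to it."""
    score = CLASSIFICATION_RISK[classification]
    if not known_device:
        score += 2  # unrecognised device cookie / client certificate (assumed signal)
    if not usual_network:
        score += 1  # source address outside the user's usual networks (assumed signal)
    score += min(recent_failures, 3)  # brute-force pressure, capped
    return score


def required_assurance(score: int) -> str:
    """Map a score to the minimum proof the request must carry (thresholds are assumptions)."""
    if score <= 1:
        return "password"
    if score <= 5:
        return "password+totp"
    return "deny"


def authenticate(classification, known_device, usual_network, recent_failures,
                 password_ok, totp_secret=None, totp_code=None, now=None) -> str:
    """Policy decision for one login attempt. Returns a short outcome string."""
    now = time.time() if now is None else now
    level = required_assurance(
        risk_score(classification, known_device, usual_network, recent_failures))
    if level == "deny":
        return "denied: risk too high, manual identity proofing needed"
    if not password_ok:
        return "denied: bad password"
    if level == "password":
        return "granted"
    # Step-up path: the password passed, but this context also needs a TOTP code.
    if totp_code is None:
        return "step-up: totp required"
    if totp_secret is not None and verify_totp(totp_secret, totp_code, now):
        return "granted"
    return "denied: bad totp"


if __name__ == "__main__":
    # Constructed demo data: the RFC 6238 reference secret and a fixed clock.
    secret = b"12345678901234567890"
    clock = 59
    print("TOTP at t=59:", totp(secret, clock))  # 287082 per RFC 6238 Appendix B
    print(authenticate("public", True, True, 0, True, now=clock))
    print(authenticate("restricted", False, True, 0, True, now=clock))
    print(authenticate("restricted", False, True, 0, True, secret, totp(secret, clock), now=clock))
    print(authenticate("restricted", False, False, 3, True, now=clock))
```

The point of the scoring is that the same password can be sufficient for a public resource from a known device and insufficient for a restricted one from an unknown device; the password is never trusted on its own once the context looks risky, and beyond a threshold the system refuses and sends the user to out-of-band identity proofing rather than letting a stronger second factor paper over an attack in progress. A real deployment would replace the hand-picked weights with measured signals and store the TOTP secret in a protected store, not alongside the password hash.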

  4. Like I said, IT doesn’t have a good answer. Thanks for stopping by Hardik, Deborah and Saqib.

    I do agree that SSO solutions for the enterprise are a good step because they can greatly reduce the number of logins that an employee needs to remember. But it just seems that individually we are all overloaded with personal passwords for countless important services that are not integrated together in any fashion. I think that all of the above is right and yet we still have the problem that everyone is facing.
