Managing Passwords Without Compromising Security

Picture the scene: The 5,000 strong workforce of a multinational company are returning to work after a long and very enjoyable Christmas break and they're thinking about easing themselves back into the routine of work once more.

They sit down and power up their computers, and whilst their machines are themselves waking up from the Christmas break, they wander off to the kitchen to make a coffee and catch up with their workmates. Ten minutes later, back at their desks inviting them to log-on to the network.

This is where it all begins to go horribly wrong; December 23 now seems like an awfully long time ago and they cannot for the life of them remember their password:

They try to log-on in any case and after three failed attempts, they're locked out of the system and immediately become non-productive. So what happens next? You've guessed it; the helpdesk is inundated with hundreds of calls requesting password resets.

The scene I've just described is an extreme one but it is a realistic representation of what goes on in the business world every day of the week. There is plenty of well-publicised evidence that highlights the cost of forgotten passwords to a company - anywhere from £5 to £38 per password reset. There is also the matter of the helpdesk conducting non-value added, transactional activities (password resets typically account for 30-40% of all helpdesk tasks) instead of value added, transformational activity like sharing knowledge and expertise.

Most business people, and definitely those with a security remit, understand the need to protect access to corporate systems with some kind of authentication process but how do we address the ubiquitous problem of forgotten passwords? I once visited a very well known multi-national company who, prior to the Christmas holidays, instructed staff to write down their passwords on a bit of paper and to 'keep it in a safe place' because they knew the helpdesk would not be able to cope with the inevitable volume of calls in the new year. Furthermore, the instruction was circulated by memo, which were posted in public areas of the building. I'm sure you can appreciate the logic of this approach but the potential impact on the security of the company, its reputation and the well being of its customers, is clear to see.

Authentication can take a variety of different forms:

1. What you know e.g. a password
2. What you have e.g. a token (software and/or hardware)
3. What you are e.g. some physical attribute like a fingerprint, 
    voice print or retina scan

Depending on the level of security required, a combination of these methods can be used and at first glance, the easiest way would be to implement a system, which doesn't rely on a person having to remember a particular piece of information. After all, you cannot lose or 'forget' your fingerprint.

Assuming that the functional requirements are met and the potential spend can be justified, it is the security policy of the organisation which will decide the choice of solution. Reliance on 'password-only' authentication is now acknowledged as being risky but passwords are still likely to feature in authentication solutions and so the ever-present problem of forgotten passwords still needs to be addressed.

To make password authentication more robust businesses need to enforce standards to which users have to adhere. Such measures include:

  • Mixed alpha-numeric characters
  • Upper and lower case characters
  • Minimum number of characters

But by doing this, we make it hard for users to remember the very thing they need to access the systems to do their job. We've already recognised that some kind of proof of who the user is, is required, but what can we do to ease access whilst maintaining security?

A lot of companies are tackling this challenge with a two-phased approach. The first phase overcomes the problem of having to remember lots of passwords. The second phase allows them to 'self-service' in the event that they do forget their password.

The first phase involves an approach called password synchronisation and this allows a user to have the same password and ID on all of the systems they need access to. This is a useful step forward because now, the user has just one set of credentials to memorise, which is far less of a challenge than having to remember six or seven sets of information. But with our built-in frailties, so what happens when we forget this one password?

This is where phase two comes in. As part of the enrolment process a two-phased approach, the user provides answers to pre-defined questions that only they would know the response to. For example:

  • What's your favourite film? 
  • Where did you go on honeymoon?
  • What was the name of your first school?

In the event that our user forgets their password, they can access this self-service facility through a web-browser, where they can log-on without a password and provide the correct responses to a random selection of challenges. Assuming they answer the questions correctly, they will be directed to a web page where they will normally be forced to reset their password. Correctly implemented, this method is perfectly secure. Because the user is connected directly to the server providing the challenge/response functionality through a secure and encrypted tunnel, there is no opportunity for them to 'break-out' and wreak havoc on the corporate systems. If the user fails the challenge and response process, they are locked out of the system, alerts are provided and the user will have to contact the helpdesk, normally by phone, to request a password reset. Even so, we would hope to reduce the number of people employing this method significantly by introducing a password management system.


In order for users to continue to function effectively, they will require access to more diverse and disparate applications and platforms. Access to these resources will need some kind of authentication mechanism, and for the moment, passwords are a popular choice. Whilst passwords are still prevalent in the workplace, a self-service password management system makes good sense from several perspectives:

1. Financially, such systems can pay for themselves within a year  
    (quicker if you outsource your helpdesk).
2. Security is strengthened because it's easy to enforce standards
    and policies.
3. Processes are improved; this gives the end-user a better
    experience increases their productivity as well.

David Kavanagh is Security Solutions Manager, EMEA at BMC Software

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.