This year's Security Awareness Month theme — "See Yourself in Cyber" — was selected by the Cybersecurity and Infrastructure Security Agency to reinforce cybersecurity as a people priority: anchored in partnership, education and individual accountability. This article is part of a series focused on the people considerations of four key pillars of infosec enablement, as noted by CISA's 2022 Awareness campaign: enabling multi-factor authentication, using strong passwords, recognizing and reporting phishing, and updating your software.
Organizational password management goes far beyond setting employee password-creation requirements. It also involves using automated systems whereby privileged accounts may receive higher protections and all accounts are managed by software that can add and remove access as needed.
In the long run, automating employee password management will save time and make your organization more secure.
Basic employee password policies
Employee password-creation requirements are still the basis of organizational password management. While it is still best that employees be required to create passwords that are long, strong and unique, some of the other parameters have changed over the past decade.
Neither Microsoft nor the National Institute of Standards and Technology (NIST) currently recommend "rotating" passwords, i.e. forcing employees to create new passwords periodically.
If you make someone choose a new password every few months, they're going to use a lot of weak passwords instead of a single strong one. New passwords should only be mandated if the old password is phished, forgotten, stolen in a data breach or otherwise compromised.
Both Microsoft and NIST also have dropped the "composition" guidelines that recommended each password be a combination of lower- and upper-case letters, digits and punctuation marks.
Under such rules, many users started with dictionary words and then made obvious substitutions and additions, so that for example, "horsefly" became "h0r53Fly!" Because attackers have precompiled lists of dictionary words and their common variants, the second type of password isn't much more secure than the first kind.
It's better to make longer passwords, even they consist of multiple dictionary words. NIST recommends that organizations allow passwords of up to 64 characters, which would permit the classic "correct horse battery staple" type of passphrase to be easily used.
That's not to say that special characters are out. NIST insists that the entire ASCII character set be accepted as valid password inputs. The government institute recommends that the entire Unicode character set be accepted as well, although the full scope of Unicode characters might be out of the range of some web browsers.
Nor does it mean that passwords will be easier to create. NIST recommends banning single dictionary words, known compromised passwords, repeated characters (like "aaaaaa") and common sequences (such as "abc123"). Passwords also should be at least eight characters long, although much longer passwords are recommended.
NIST and Microsoft both also recommend that multi-factor authentication (MFA) be encouraged or even required. Yet NIST no longer recommends using SMS text messages as a vector for transmitting temporary one-time-use passcodes — they're just too easy to compromise.
Privileged account policies
Not all these recent changes apply to privileged accounts. Those are accounts belonging to system administrators and C-suite executives, as well as to "non-human" accounts found in IT hardware and automated operating-system services. Such accounts have tremendous power over company systems, and their high value as attack targets means that their passwords should still be periodically rotated.
It's often difficult to ascertain how many such privileged accounts exist in an organization. That's why it's essential that an assessment be done to identify them all.
"Privileged accounts, many long forgotten, are sprawled across most IT environments," explains a BeyondTrust white paper. "Different teams may be separately managing — if managing at all — their own set of credentials, making it difficult to track all the passwords, let alone who has access to them and who uses them."
IT staffers should also be able to see what each privileged account does and what it has access to. But staffers should not be sharing passwords for privileged accounts such as "root" in Unix/Linux systems or "admin" in Windows ones. Instead, each staffer should have their own account.
Cloud computing presents another problem. Hundreds of databases have been exposed online in recent years because Amazon Web Services instances have been misconfigured, so make sure your company's cloud accounts are properly set up.
"Even for those organizations that have implemented some degree of automation for their password management," says BeyondTrust, "if not architected with the cloud in mind, there's no guarantee a password-management solution will be able to adequately manage cloud credentials."
Enterprise password managers, privileged access management and identity and access management
That's not to say that enterprise password managers can't be very capable. Unlike consumer-grade password managers intended for a single user, enterprise password managers can do much more than just save passwords in an encrypted vault.
Some of them can implement organizational password-creation policies, onboard new users and deprovision departing employees. They may also be able to log user activity, control access to company systems from employee-owned devices and limit failed login attempts.
But to really give a larger organization comprehensive control over password use, you'll want to consider a privileged-access-management (PAM) solution. Unlike password managers, these will manage password and access by non-human entities in systems and networks and will generally be better at managing privileged accounts.
PAMs can also deploy and manage MFA solutions, discover forgotten privileged accounts, provide audit-ready full logs of user access for regulatory compliance, and rotate passwords if necessary — including all user passwords simultaneously. Changes will emanate from a centralized hub out to users instead of being implemented piecemeal by users.
The downside is that PAMs can be more expensive to license, deploy and maintain than enterprise password managers. They are a subset of identity and access management (IAM) systems, which control employee access to systems across an entire organization.
"IAM strategies dictate how to manage general access to resources such as devices, applications, network files, and environments," explains a blog post by StrongDM. "Privileged access management (PAM) is a subset of IAM focused on privileged users — those with the authority to make changes to a network, device, or application."
Which type of solution to choose depends on the size and budget of your organization. Small and medium-sized organizations might be satisfied with an enterprise password manager that allows for some centralized management of user access. But larger firms will want to consider a PAM solution for its privileged users as well as an IAM one for all the rest.