26
September 2015

Want to Follow GCHQ’s Best Practise Password Advice? Look No Further

Andy Harris

If the documents leaked by NSA whitsleblower Edward Snowden are anything to go by, GCHQ knows a thing or two about exploiting security weaknesses to hack target organisations. So the spy agency’s latest advice for UK firms on password security should be worth listening to. In fact, a lot of it is common sense. It’s all about recognising current systems need simplifying, with the addition of third party tools to help manage, monitor and bolster security.

Osirium’s Privileged User Management platform could help IT managers tick several boxes from the GCHQ document, locking down password-related risk in one area of the enterprise most at risk today.

GCHQ tips

The GCHQ report, Password Guidance: Simplifying Your Approach, chimes with a lot of what we’ve been talking about for some time. It claims typical users could have upwards of 20 passwords to manage, which makes the whole task of having to memorise complex, hard-to-crack credentials virtually impossible without third party help. This approach doesn’t work because users end up writing down their passwords or storing them insecurely, or otherwise forgetting them and getting locked out – impairing productivity and incurring helpdesk costs.

GCHQ recommends the use of a ‘sanctioned mechanism’ to help users manage passwords, in order to surmount these challenges.

Some other best practice advice for IT managers includes:

  • Change all default passwords immediately
  • Don’t store any as plain text
  • Never reuse passwords between work and home
  • Be aware of the limitations of password strength meters
  • Prioritise IT admin and remote user accounts
  • Reduce the number of privileged accounts to the bare minimum
  • Make sure admins have different admin and non-admin accounts with separate passwords

Focusing on privileged accounts

It’s good to see GCHQ recognising the importance of securing admin passwords. Osirium has been warning for years that they represent one of the biggest risks to your organisation – increasingly targeted by APT hackers as a direct route to your company’s most sensitive data stores.

Osirium’s Privileged User Management offering operates password management for admin accounts in line with GCHQ guidance. We generate long, complex credentials impossible to crack in a refresh cycle. They are securely stored on the Osirium side. This means they never pass through the user’s system and so can’t be compromised by hackers or misused by admin staff. All the complexity is hidden from user – they simply log-in using their existing username and password, or for extra security via two-factor or token-based authentication. It’s all about simplifying password management whilst talking security to a whole new level.

At last, organisations can operate best practice password management. Here are a few more key features:

Accountability: we provide an end-to-end audit trail to see who accessed what, when, where and how

Granularity: device access can be granted at a role-based level because each account is personalised to an individual user

Simplicity: Osirium provides automatic Single Sign-On and full audit capability for native management tools that are already in use by the SysAdmin team

Least privileged model: you can now apply this best practice posture to all privileged roles