3 February 2015

Passwords aren’t the problem – people are

Andy Harris

Not a day goes by without another blog post on how bad passwords are. Every time we read these posts we see the same thing: the issue is consistently people and policies, not the passwords themselves. If you make someone change a range of passwords often enough, they will drop into a pattern, and that pattern makes the chosen passwords inherently weak.

As a means of securing access to a system or application, a strong password is cheap and effective. It's only when the passwords meet people that the security breaks down. Even if you have complex passwords, there is still the problem of RAM scraping: malware on the workstation can read a credential out of memory while it is being typed or processed. In fact, as the message about using secure passwords for external servers gets through, we're seeing fewer and fewer brute-force attacks on servers. The 2014 Verizon Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/2014/) shows that 'use of stolen credentials' is now at the top of the threat actions list (422 of the researched attacks). Brute forcing is down at number twelve on the list (108 attacks).

How are these passwords stolen? Once again, it's mostly down to people: recording passwords in text files and spreadsheets. People are also surprisingly susceptible to phishing (No. 3, 245 attacks) and other social engineering techniques.

The essential takeaway is this: if passwords have to pass through users' workstations, they are vulnerable!

The other lesson is that good passwords are resilient to brute-force attacks, but this strength is lost as soon as people record them.

So what if we could take the people out of the password problem? What if people didn't have to remember or write down passwords? What if those passwords never entered users' workstations at all?

Imagine a world where all your systems and applications are protected by 128-character* random passwords that are automatically refreshed every week. (* If the device or application supports fewer than 128 characters, Osirium adjusts the length accordingly.)

All people need to do is verify their identity; they then get access to systems in the roles and at the times they have been granted.

Well, at Osirium that's what we make happen. We separate the people from the passwords, then we apply enterprise-strength password life-cycle management to those credentials.
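To make the model described above concrete, here is an added illustration (not Osirium's own code or API) of what a credential vault does on the user's behalf: it draws a long password from a cryptographically secure random source, caps the length to whatever the target device accepts, and re-issues it once the rotation interval has passed. The function names, the weekly interval, the 94-symbol alphabet and the sample vault record are all assumptions made for this example.

```python
"""Generating and rotating high-entropy, machine-held credentials.

Added example illustrating the model in the post: the vault, not the
person, generates and remembers the password, so it never has to be
typed, recorded or pattern-based.  Names, interval and sample values
are assumptions for this example, not Osirium's own code.
"""
import math
import secrets
import string
from datetime import datetime, timedelta, timezone

# Printable ASCII minus space: 94 symbols.  A target that rejects some
# of these would get its own, narrower alphabet.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation
DEFAULT_LENGTH = 128
ROTATION_INTERVAL = timedelta(weeks=1)  # assumption matching "every week"

# Constructed sample dates for one vault record (the post's own date is
# used as "now"; the last rotation a week earlier is made up).
SAMPLE_LAST_ROTATED = datetime(2015, 1, 27, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2015, 2, 3, tzinfo=timezone.utc)


def generate_credential(max_length=None, alphabet=DEFAULT_ALPHABET):
    """Return a random password of DEFAULT_LENGTH characters, or shorter
    when the target device or application cannot accept that many.

    secrets.choice draws from the OS CSPRNG, so every character is
    uniformly random and there is no human pattern to model.
    """
    length = DEFAULT_LENGTH if max_length is None else min(DEFAULT_LENGTH, max_length)
    if length < 1:
        raise ValueError("target must accept at least one character")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(DEFAULT_ALPHABET)):
    """Entropy in bits of a uniformly random password of this length.

    128 characters from 94 symbols is roughly 839 bits, far beyond any
    brute-force budget; the only practical way to obtain such a
    credential is to steal it, which is why it must never reach a
    workstation.
    """
    return length * math.log2(alphabet_size)


def rotation_due(last_rotated, now=None, interval=ROTATION_INTERVAL):
    """True when the credential has been in use for a full interval."""
    now = now or datetime.now(timezone.utc)
    return now - last_rotated >= interval


def rotate_if_due(record, now):
    """Re-issue the credential in a vault record if it is old enough.

    Returns True when a new password was generated.  The record is a
    plain dict with 'max_length' (the device limit, or None) and
    'last_rotated'; 'password' is written by the vault only.
    """
    if not rotation_due(record["last_rotated"], now):
        return False
    record["password"] = generate_credential(record["max_length"])
    record["last_rotated"] = now
    return True


if __name__ == "__main__":
    # Constructed vault record: a device that accepts at most 32 characters.
    record = {"target": "example-device", "max_length": 32,
              "last_rotated": SAMPLE_LAST_ROTATED}
    rotated = rotate_if_due(record, SAMPLE_NOW)
    print(f"{record['target']}: rotated={rotated}, "
          f"{len(record.get('password', ''))} chars, "
          f"{entropy_bits(len(record.get('password', ''))):.0f} bits")
```

The user never sees the value held in `record["password"]`; in the model the post describes, they authenticate to the vault, and the vault presents the credential to the target on their behalf.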

If you'd like to benefit from the security and compliance of super-strong passwords without the hassle of mixing them with people, please get in touch.