Speaking at The European Information Security Summit in London, Helen L, technical director for sociotechnical security at the National Cyber Security Centre, discussed strategies for effective password management within the enterprise.
Helen L challenged common, traditional password management strategies, saying that “what looks good in theory and on paper, may not work in the real world.”
If a person who typically has around 50 different passwords across their work and home life conscientiously followed standard security advice, they would be expected to remember the equivalent of the order of nine shuffled decks of cards, she said.
“I don’t think the average person using passwords would be able to do that,” she added. Traditional password security policies often lead people to adopt workarounds (such as reusing passwords, writing passwords down, or sharing passwords) that leave security weaker than it was before.
Therefore, different approaches to password management are needed, Helen L said, highlighting six pieces of advice that the NCSC is promoting.
Tip one: Reduce your organization’s reliance on passwords
- Passwords have been the default authentication method for too long and are often used when another method would be more suitable
Tip two: Implement technical solutions
- Your system’s security should always rely on effective technical defenses rather than user behavior and so solutions should be used to remove the burden from users
Tip three: Protect all passwords
- While all passwords should be protected, the accounts they protect are not all equally valuable, so time and effort should be concentrated on accounts that hold more privileged information
Tip four: Help users cope with password overload
- Many of the issues around passwords are a consequence of burdens placed on users
Tip five: Help users generate better passwords
- Too much emphasis has been placed on password generation as a defense mechanism, so provide users with support in password creation
Tip six: Key messages for training
- Repeating the usual messages over and over again is not effective – instead, focus on the areas where users’ decisions have the most impact and make training useful and relevant
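Tips two and five together suggest shifting work from the user to the system: rather than enforcing composition rules the user has to remember, the system can reject passwords that are known to be predictable and tell the user, in plain language, what to do instead. The following is an added illustration of that idea, not code from the NCSC or from the talk. The deny list is a small constructed sample (a real deployment would load a large published list of commonly used or breached passwords), and the function and constant names are my own.

```python
"""Password-creation support check (added example; assumptions noted in comments).

Instead of forcing composition rules, reject passwords that match a deny list of
commonly used passwords, including trivial variants such as 'Password1!', and
return one concrete message written for the user.
"""
import re

# Constructed sample of a deny list. A real deployment would load a much larger
# list from a published corpus of commonly used or breached passwords.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "summer2024",
}

# Minimum length chosen for this example; pick a value that fits your own policy.
MIN_LENGTH = 8

# Trailing digits and punctuation are what people usually bolt on to satisfy
# complexity rules, so strip them before consulting the deny list.
_TRAILING_FILLER = re.compile(r"[0-9!@#$%^&*.]+$")


def candidate_forms(password):
    """Yield the forms of the password that should be compared with the deny list."""
    folded = password.casefold()          # 'Password' and 'PASSWORD' both hit 'password'
    yield folded
    stripped = _TRAILING_FILLER.sub("", folded)
    if stripped and stripped != folded:   # 'password1!' -> 'password'
        yield stripped


def check_password(password, username=""):
    """Return (accepted, message). The message is meant for the user, not the admin."""
    if len(password) < MIN_LENGTH:
        return False, (f"Use at least {MIN_LENGTH} characters; "
                       "three random words joined together work well.")
    if username and username.casefold() in password.casefold():
        return False, "Do not include your username in your password."
    for form in candidate_forms(password):
        if form in COMMON_PASSWORDS:
            return False, ("That password is on a list of commonly used passwords; "
                           "choose something less predictable.")
    return True, "Password accepted."


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for pw, user in [("short", ""), ("Password1!", ""),
                     ("alice-tiger-window", "alice"),
                     ("correct horse battery staple", "bob")]:
        print(repr(pw), "->", check_password(pw, user))
```

The check runs on the server at account creation or password change, so the user never has to carry a rule set in their head; the only thing they see is a single actionable sentence when a choice is rejected. Because the deny list is consulted on normalised forms, the usual "add a digit and an exclamation mark" workaround is caught rather than rewarded.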
To conclude, Helen L said: “When you’re thinking about security in your organization, try to think of it from the perspective of the user.”