Passwords and their protection are among the most fundamental, essential aspects of enterprise data security. They are also the bane of most users’ relationships with their enterprise devices, resources and assets. It seems no matter how stringent or lax your password policy is, the directive will be met with dissension from a significant portion of your staff. It’s frustrating for everyone — the IT department, C-suite and employees.

Recently, in Special Publication 800-63B (2017), the National Institute of Standards and Technology (NIST) reversed its stance on organizational password management requirements. The institute now recommends dropping forced periodic password changes and composition (complexity) rules, and instead screening new passwords against lists of known-compromised, dictionary and context-specific values, with a forced change only when there is evidence that a password has been compromised.

The reasoning behind these changes is that users respond to complexity and rotation rules with predictable tweaks and by recycling the few difficult-to-remember passwords they have across multiple domains and resources. If one network is compromised, the same credentials will be tried against the others, so the risk is not confined to the breached site.

Are password managers the answer? Sure, they help generate long, random passwords and act as a vault for all of our credentials. But they still require a master password, and putting everything behind one secret looks a lot like using one set of credentials across platforms. The difference is where that secret goes: a master password unlocks a vault that is encrypted on the user’s device and is never sent to the sites it protects, so the exposure is the endpoint itself rather than every site that stores a copy. So where do we go from here? Are password managers safe from compromise, or are we doomed to a future of continued password problems?

Passwords: Can’t Live With ‘Em…

It’s clear that a winning formula for password management and policy isn’t one-size-fits-all. Based on my years of experience drafting and enforcing corporate password policies, most tactics fail to catch on.

Two of the best-known experts in the field — Kevin Mitnick, chief hacking officer for KnowBe4, and security pundit Frank Abagnale, made famous in the film “Catch Me If You Can” — have slightly differing opinions. But at the end of the day, their views generally echo each other.

Abagnale once told CRN that passwords themselves are “the root of all evil.” More recently, he told SecurityIntelligence that passwords “are for treehouses.”

“Many of the security issues we see today stem from passwords,” Abagnale said. “This is a 1964 technology, developed when I was 16 and still being used in 2018 — and I’m 70 years old.”

…Can’t Live Without ‘Em

Mitnick and Abagnale foresee a world in which passwords are no longer part of the security equation. But until that happens, we need to work with them. Mitnick recommended implementing simple, but long passphrases of 25 characters or more, such as “I love it when my cat purrs me to sleep.” But this is only the first step.

“The 25-character password is for the initial login to the user workstation; then you should have another 25-character password for the password [manager],” he said. “The user only has to remember two pass-sentences, and the manager will take those credentials.”

The next step for those responsible for creating and enforcing security policy is to decide how often users must change their passwords. Mitnick recommended at least every quarter, but that depends on the type of company and its risk tolerance. Government and financial institutions, for instance, may want to enforce changes every 60 days. Note that this is the one point where the advice diverges from NIST SP 800-63B, which says verifiers should not force periodic changes and should instead require a new password when there is evidence of compromise, such as the old one turning up in a breach dump.
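To make the NIST guidance discussed above and Mitnick’s long-passphrase advice concrete, here is an added example (not code from the article or from NIST) of a password verifier written the SP 800-63B way: a length floor and ceiling, no character-class rules, spaces allowed, a breach-corpus check done with a k-anonymity range lookup in the style of Have I Been Pwned’s Pwned Passwords API, and no expiry clock. The breach corpus, the `range_query` server stand-in and the `context_words` organization name are constructed for the example; a real deployment queries a corpus of hundreds of millions of leaked passwords.

```python
import hashlib
import unicodedata

MIN_LEN = 8    # SP 800-63B floor for a user-chosen memorized secret
MAX_LEN = 64   # the verifier must accept at least 64 characters, spaces included

# Constructed sample breach corpus (stands in for a real leaked-password corpus).
_BREACHED = ["password", "123456", "qwerty", "P@ssw0rd", "Summer2023!", "letmein"]

# Simulated k-anonymity range index: 5-hex-char SHA-1 prefix -> set of suffixes.
_RANGE_INDEX = {}
for _pw in _BREACHED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_query(prefix):
    """Stand-in for a Pwned-Passwords-style range endpoint. The server only
    ever receives the 5-character hash prefix, so it learns neither the
    password nor its full hash; the client does the final match locally."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return set(_RANGE_INDEX.get(prefix.upper(), set()))


def is_breached(password):
    """Client side of the k-anonymity lookup: send the prefix, match the suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def check_password(password, context_words=("acme",)):
    """Accept or reject a candidate the 800-63B way. Returns (accepted, reason).
    `context_words` (organization or product names) is an assumed input that
    the deployment supplies; there is deliberately no composition rule."""
    pw = unicodedata.normalize("NFKC", password)   # normalize before measuring
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    if len(set(pw)) <= 2:                            # "aaaaaaaa", "abababab"
        return False, "repetitive"
    lowered = pw.lower()
    if any(w in lowered for w in context_words):
        return False, "contains context-specific word"
    if is_breached(pw):
        return False, "found in breach corpus"
    return True, "ok"   # a 40-character sentence with spaces passes; "P@ssw0rd" does not


if __name__ == "__main__":
    for candidate in ("I love it when my cat purrs me to sleep.", "P@ssw0rd",
                      "Summer2023!", "acme-rocks", "short"):
        print(repr(candidate), "->", check_password(candidate))
```

The point the composition-rule era missed is visible in the last two checks: “P@ssw0rd” satisfies every classic character-class rule and is rejected only because it is in the breach corpus, while the long, all-lowercase cat sentence passes. The SHA-1 here is not a password hash for storage (use a slow KDF for that); it is only the lookup key the Pwned Passwords range scheme is built on.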

How to Master the Fine Art of Multifactor Authentication

Both experts advise businesses to incorporate multifactor authentication (MFA) in their login policies. MFA requires users to present credentials from at least two of three distinct factor types: something they know (like a password), something they have (like a hardware token or phone) and something they are (like a fingerprint or facial scan). Two passwords, or a password plus a security question, do not qualify, since both are things the user knows.

“I believe that this is the best of both worlds, where the CISO sleeps better at night knowing there is nothing static in the login process, and users are elated to login without passwords,” Abagnale said.

“MFA should be used wherever possible for any type of external access like VPN, Outlook Web Access or Citrix,” Mitnick added. He also warned that if you’re going to use two-factor authentication (2FA), you should implement the Fast IDentity Online (FIDO) Alliance’s Universal Second Factor (U2F) protocol because it can prevent a type of attack in which a user’s session key can be stolen with a phishing email. The reason U2F resists this where one-time codes do not is that the security key signs a challenge bound to the origin the browser is actually connected to, so a response captured on a look-alike site is worthless against the real one, whereas a code typed into a phishing page can be relayed to the real site in real time.
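The exchange behind that origin binding, as an added example that is not code from the article, from the FIDO Alliance or from any real security key: a toy U2F-style authenticator, the browser step that fills in the origin, and a relying party that checks it. The signed layout follows U2F’s authentication response (application parameter, user-presence byte, counter, challenge parameter), but HMAC-SHA256 with a per-registration secret stands in for the ECDSA P-256 signature a real key produces, purely to stay within the Python standard library. The two origins are made up; the `strict` flag is an assumption added so both layers of defense can be shown, the key refusing a handle for the wrong origin and, failing that, the server rejecting a signature over the wrong origin.

```python
import hashlib
import hmac
import json
import secrets


class SecurityKey:
    """Toy U2F-style security key. HMAC-SHA256 stands in for ECDSA (assumption).
    `strict` models whether the key checks that the key handle was registered
    for the origin now asking for a signature."""

    def __init__(self, strict=True):
        self._registrations = {}   # key handle -> (app_id, secret)
        self._counter = 0
        self.strict = strict

    def register(self, app_id):
        handle = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self._registrations[handle] = (app_id, secret)
        return handle, secret      # a real key returns a public key here

    def sign(self, app_id, handle, client_data_hash):
        bound_app_id, secret = self._registrations[handle]
        if self.strict and bound_app_id != app_id:
            raise PermissionError("key handle was not registered for this origin")
        self._counter += 1
        signed = (hashlib.sha256(app_id.encode()).digest()   # the origin is inside the signature
                  + b"\x01"                                  # user-presence flag
                  + self._counter.to_bytes(4, "big")
                  + client_data_hash)
        return self._counter, hmac.new(secret, signed, hashlib.sha256).digest()


def browser_sign(key, origin, handle, challenge):
    """The browser, not the page's JavaScript, records the origin it is actually
    connected to, so a look-alike site cannot claim to be the real one."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin},
                             sort_keys=True).encode()
    counter, sig = key.sign(origin, handle, hashlib.sha256(client_data).digest())
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, app_id):
        self.app_id = app_id
        self.users = {}          # key handle -> [secret, last counter seen]
        self.challenges = set()  # outstanding one-time challenges

    def new_challenge(self):
        c = secrets.token_urlsafe(32)
        self.challenges.add(c)
        return c

    def enroll(self, key):
        handle, secret = key.register(self.app_id)
        self.users[handle] = [secret, 0]
        return handle

    def verify(self, handle, client_data, counter, sig):
        secret, last_counter = self.users[handle]
        cd = json.loads(client_data)
        if cd.get("origin") != self.app_id or cd.get("challenge") not in self.challenges:
            return False                    # wrong origin, or a replayed challenge
        if counter <= last_counter:
            return False                    # counter went backwards: cloned key
        expected = hmac.new(secret,
                            hashlib.sha256(self.app_id.encode()).digest() + b"\x01"
                            + counter.to_bytes(4, "big")
                            + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.challenges.discard(cd["challenge"])
        self.users[handle][1] = counter
        return True


def run_scenarios(strict=True):
    """Returns (legit_ok, phish_ok, replay_ok); the last two must be False."""
    real, fake = "https://login.example.com", "https://login-example.com"  # made-up origins
    rp, key = RelyingParty(real), SecurityKey(strict=strict)
    handle = rp.enroll(key)

    assertion = browser_sign(key, real, handle, rp.new_challenge())
    legit_ok = rp.verify(handle, *assertion)
    replay_ok = rp.verify(handle, *assertion)   # same assertion submitted again

    # Real-time phishing: a proxy forwards the RP's fresh challenge and the
    # handle to the victim's browser, which is sitting on the look-alike origin.
    try:
        phish_ok = rp.verify(handle, *browser_sign(key, fake, handle, rp.new_challenge()))
    except PermissionError:
        phish_ok = False
    return legit_ok, phish_ok, replay_ok


if __name__ == "__main__":
    print("strict key:", run_scenarios(True))
    print("lenient key:", run_scenarios(False))
```

Run it and both variants come back `(True, False, False)`. With a strict key the phishing attempt dies inside the authenticator, which refuses to use a handle for an origin it was not registered with; with the lenient key a signature is produced, but it covers the phishing origin, so the relying party rejects it. Neither outcome depends on the user noticing anything, which is exactly the property a relayed SMS or TOTP code lacks.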

Are Password Managers Safe?

The use of password managers is where the experts disagree. While Abagnale is doubtful about their effectiveness, Mitnick believes password managers are necessary and helpful.

“It is still so important to choose a pass-sentence [for the password manager], and to the best of your ability don’t get malware on your machine,” Mitnick said. “If you get malware on your machine with keylogger ability, it won’t matter if you have a password manager or not.”

For Abagnale, password managers are a great way to mask the issue: addressing the password problem by storing passwords.

“Some of the passwords vaults have been breached already, which emphasizes my former point about why passwords are bad for our security,” he said. “I think that we should move beyond static passwords, and not succumb to password vaults as our solution. It makes me nervous to store all my passwords in one place, and protect that with…a password.”

Never Could Say Goodbye

Finally, both Mitnick and Abagnale are bullish on companies like Trusona, a forward-thinking security business that hopes to crack the code on a password-less internet by focusing on the user experience. Trusona offers a range of MFA processes that don’t require a password. Abagnale is an adviser for the firm.

“Passwords will be here for a while,” said Mitnick. “The challenge companies like Trusona have is early adoption. It’s all about the market. Even though you have a technology out there, it doesn’t matter if nobody’s adopting it.”

According to Abagnale, that day may come in three to five years.

“The technology is already here, and now needs to be implemented,” he said. “There is reason to think that passwords may remain in legacy systems for years to come, as the cost of ripping them out is too high. Nonetheless, password-less logins are the way of the future, and companies would adopt this method once they realize the benefits.”

But passwords aren’t going away anytime soon. We are seeing progress, however, toward a day when authentication is much more secure. Until then, we are stuck with them, and the enterprise must do all it can not only to move the revolution forward, but to ensure that security awareness goes hand in hand with password policy.
