Password Management, Best Practices for 2018

In an ever-evolving IT environment with increasing threats and complexity, it is more important than ever to protect your data. Data breaches have become an all too common news headline and can have detrimental effects on your business. Aside from the obvious loss of information, the hit to an organization's reputation is often the biggest, and the hardest to recover from.

Take the recent breach at credit reporting agency Equifax. Attackers accessed people's names, Social Security numbers, birth dates and addresses and, in some instances, driver's license and credit card numbers. Winning back public trust after a breach like that is no small feat. Perhaps the hardest pill to swallow is that the whole situation was avoidable. To make sure it is not you left cleaning up a massive PR mess, take proactive steps to protect your data, namely the six steps explained below.

Where is the first place to start? Passwords. The best encryption and data protection software in the world is close to useless without a sound, secure password policy behind it. Compromised credentials remain the leading cause of data breaches: in 2014, two out of three breaches involved attackers using stolen or misused credentials (Higgins 2014). In this post we outline six tips for implementing and maintaining an efficient and effective password policy.

1. K.I.S.S. Model

Keep It Simple, Stupid. A password is only as good as the person using it. If passwords have to be changed too often, or have too many complexity rules, people revert to the easiest way of remembering them: writing them down, more often than not on a sticky note attached to the very machine the password unlocks. That is the worst-case scenario, and it undermines every other protection you have put in place. The solution is to make access manageable for employees, with realistic complexity and expiration rules. You can read more about password policy best practices in the blog post Risky Business: Overcoming Onboarding Exposure (Explicitly, Perilous Passwords).

2. Synchronization

Question: What is harder than remembering an 8-12 character password with two special characters, two uppercase letters, two lowercase letters and a number?

Answer: Remembering 18 of them.

Our research has shown that employees at executive level and above have an average of 18 accounts that require usernames and passwords. Without a universal set of credentials this is very hard to manage, and users resort to the 'write it down' method of tracking passwords discussed above.

Password synchronization is an effective and cost-efficient way of giving each user one password, shared across systems, that fits your organization's policy. With a Password Synchronization Manager (PSM), when a user resets their Active Directory password, the connected applications receive the new password as well. One caveat: a synchronized password is only as safe as the weakest system it is pushed to, since a compromise of any one connected application exposes the password for all of them. The policy the PSM enforces, and the password storage of every connected system, should therefore meet the standard of the most sensitive one.

3. Self-Service

The traditional work environment has expanded over time, from a stationary desk in an office Monday to Friday to a now semi-mobile workforce that often works evenings and weekends. Data may need to be accessed from anywhere at any time, and when a user forgets a password, IT may not be available to reset it. Large amounts of skilled IT time are spent on menial and repetitive tasks such as resetting passwords, and the user is often left waiting a long time to regain access, unproductive all the while.

With a self-service password reset solution, users can securely reset their passwords at any time. Depending on the product, this is done by answering challenge questions or by completing additional factors of authentication. Letting users reset their own passwords significantly reduces the number of password reset calls, freeing the helpdesk to focus on more important IT projects and keeping users productive. Bear in mind that the reset path is itself an authentication path: it should demand proof of identity at least as strong as the password it replaces, or it becomes the attacker's easiest way in.

4. Authentication

With the ever-growing sophistication of attackers, sometimes a password is just not enough. Depending on how sensitive the information you are protecting is, you may need an additional layer of security, namely two-factor or multi-factor authentication. Two-factor authentication adds a second, independent proof of identity to the password, a PIN code sent by SMS or e-mail being the most familiar example. Multi-factor authentication in general draws on the following categories:

  • Something the user knows: password, PIN code
  • Something the user has: cell phone, authenticator app, hardware token
  • Something the user is: biometrics such as fingerprints or facial recognition

Combining two or more of these categories during authentication gives extra peace of mind in the protection of your data; two proofs from the same category (two passwords, say) do not count as two factors, and a username is an identifier rather than a secret, so it is not a factor at all. One-time codes delivered by SMS or e-mail are the weakest form of the possession factor, since SMS can be redirected (SIM swap, SS7 attacks) and a mailbox is often protected only by another password; where the data warrants it, prefer an authenticator app or a hardware token. Depending on your industry, MFA may also be required for compliance with regulations such as HIPAA, SOX or FERPA.

5. Helpdesk ID Verification

Even if you employ tools to minimize the number of calls to your support desk (such as Self-Service Reset Password Management), some calls will still come in. When they do, it is up to your staff to make sure they know who they are talking to before offering any password reset options. Helpdesk ID Verification lets helpdesk staff verify a caller's identity with a challenge question. Rather than asking for the whole answer, the helpdesk employee asks the caller for specific characters of it, for example the first and last letter, and keys in the response; the product compares it and confirms whether the caller is who they claim to be, after which the password reset or other request can proceed. Because only part of the answer is requested on any one call, the product must keep the answers under reversible encryption rather than as a one-way hash, which in turn means the encryption key needs the same protection as the answers themselves. The upside is that the helpdesk employee never sees the full answer, so a rogue or socially engineered agent cannot pass it on.
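The partial-character check described above, as an added example that is not the product's code: the agent reads out a few positions chosen at random for each call, keys in what the caller says, and the code compares it without ever showing the agent the whole answer. The enrolled answers are constructed sample data standing in for what the product's reversibly-encrypted store would return after decryption; the answer normalization rules, the two-character challenge and the three-strike lockout are this example's assumptions.

```python
"""Added example (not the product's code) of helpdesk ID verification by
partial answer. ENROLLED_ANSWERS is constructed sample data standing in for
the decryption step of a reversibly-encrypted answer store."""
import hmac
import secrets
import unicodedata

# Constructed sample store: answers as returned after decryption.
ENROLLED_ANSWERS = {
    "jdoe": "Maple Street",
    "asmith": "Rover",
}

MAX_ATTEMPTS = 3          # assumption: lock after three wrong responses
_failures: dict = {}      # per-user failed-attempt counter (in-memory here)
_rng = secrets.SystemRandom()


def normalize(answer: str) -> str:
    """Compare case-, accent- and whitespace-insensitively, so 'maple street'
    and 'MAPLE  STREET' match the enrolled 'Maple Street'. Assumption: the
    same normalization was applied when the answer was enrolled."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def make_challenge(user: str, count: int = 2) -> list:
    """Pick `count` distinct 1-based positions of the user's answer for the
    agent to read out ('the 1st and 11th characters of your answer').
    Positions are fresh for every call so a caller who overheard one
    challenge learns nothing useful for the next."""
    answer = normalize(ENROLLED_ANSWERS[user])
    positions = _rng.sample(range(len(answer)), count)
    return sorted(p + 1 for p in positions)


def verify_response(user: str, positions: list, response: str) -> bool:
    """Check the caller's characters against the requested positions.
    Locks the user after MAX_ATTEMPTS failures so an impostor cannot keep
    calling back and guessing; a locked user must be escalated (for example
    to a manager or in-person check) rather than retried."""
    if _failures.get(user, 0) >= MAX_ATTEMPTS:
        return False
    answer = normalize(ENROLLED_ANSWERS[user])
    # Agent keyed in a bad challenge (duplicate or out-of-range position):
    # reject without charging the caller an attempt.
    if len(set(positions)) != len(positions) or any(
            p < 1 or p > len(answer) for p in positions):
        return False
    expected = "".join(answer[p - 1] for p in positions)
    ok = hmac.compare_digest(expected.encode(), normalize(response).encode())
    _failures[user] = 0 if ok else _failures.get(user, 0) + 1
    return ok
```

Note what this design cannot do: because the product must be able to read individual characters back, the answers cannot be stored as salted hashes the way the passwords themselves should be, which is exactly why the page mentions reversible encryption and why the key protecting that store deserves the same care as the answers.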

6. Enrollment

Finally, and perhaps most importantly, what good are these tools if your users do not use them? To get the most out of password management software, make sure some form of auto-enrollment or on-boarding is in place. With auto-enrollment, data is collected from an HR or student information system (SIS) and used to prepopulate the answers in the password reset product's database, so employees never have to complete the enrollment process themselves. On-boarding is similar, but it issues the end user a unique ID and a one-time password (OTP) derived from their record in the HR or SIS system, so that a user's ability to reset their password is set up before network access is granted. Some products can also present end users with a pop-up wizard for entering challenge questions and answers, which can be configured so that it cannot be closed until the information has been entered, guaranteeing enrollment. Bear in mind that HR-sourced answers such as date of birth or employee number are often known to colleagues or findable online, so they make a weak sole proof of identity and are best paired with a second factor.

We use the New Year as an excuse to shed the winter weight, spend less and save more, become an all-round better person, and so on. Why not apply this to your organization? Use Q4 to create a 2018 password strategy and policy and start the new year with peace of mind. I hope this guide helps you evaluate your current password position and spot opportunities to strengthen it.
