Few everyday technology interactions get on people's nerves quite as much as the dreaded "Password Expired" notification. It is bad enough having to remember all of your passwords before having to change it up with a new value or a slightly different version of an older one – "Was it Brutus#341, Brutu$452?, or Brutus3#$!?"
As hard as it is to remember the passwords themselves, sometimes the rules are more challenging to recall – "How long of a phrase does it need to be?" "How many special characters and numbers does it need?"
If you have ever seen one of those "Worst Passwords" articles or year-end reports, you know just how unsecure some passwords are in order to make remembering and logins as easy as possible for the user. But did you know that there's an even more vulnerable stage in this perpetually pesky password process?
For all the good that our 18-character password phrases and expiries every 30 days does us, the initial account creation stage is often the most vulnerable moment for any password and associated user account. Organizations with even the most sophisticated security, Identity Governance and Administration, and password policies are susceptible to this often over-looked risk. This vulnerability is caused by both the new account's initial password and the means of delivery for that password and account.
Many organizations use a default password formula when creating new accounts. Whether it is the first two letters of your last name, your birth year, and your last name ("St1986smith") or the street you live on, the school you went to, and your graduation year (PineWSU15), many organizations use what is ultimately an easily deciphered formula. If an employee can recognize the formula, they can guess the password for a new account before that user gets to login for the very first time. If some social engineering or a cursory Google and Facebook search can give you all the relevant details for an easily cracked password formula, can you really call it secure?
Some organizations even use the same default password for every single account generated for a new user. With that practice, it does not even matter if a malicious individual can crack your password formula or dig up some generic info. If everyone has the exact same password for their initial login, everyone in your organization knows what Steve's password is before he even shows up for day one of work or sits at his desk for the first time. The day someone in your crew decides to do you dirty a user decides to login to another account with the proper credentials and act maliciously, there is nothing you can do to prevent it. (Please tell us that you are not one of those organizations using the exact same default password for every new account... Please...)
The security risks involving passwords for newly created accounts reach far wider than simply the content of the password itself. How are the new accounts and passwords being handed off to your employees? Is someone from IT meeting them on their first day to give them the value? Do you send it to their manager to act as an intermediary? Do you email it to their personal (and probably unsecure) email, which might get opened on a public network? Do you write it down on a sticky note and leave it on their keyboard? That last one was a joke – well, we really hope so...
Regardless, any of the above or similar methods opens up a vulnerability in the transfer of what is supposed to be a secret value. Either the value is being given to someone else, making the secret inherently less such, or it is being sent to an unsecure destination that could lead to anyone discovering it.
Lastly, do you know if there are any orphaned accounts floating around your environment that have never once been accessed? If your organization's process involves mass-creating accounts for new users – particularly for seasonal work or within education when anticipating all the new students every Fall – there may be no way for you to check and monitor which accounts were never activated at all. Whether a new hire decided to pick a different job at the last minute or a student's enrollment changes late in the summer, unclaimed accounts can often just sit in an organization's environment without ever having been claimed. The orphaned account not only adds to the digital detritus your IT team is tasked with cleaning up, but also poses a security threat for any malicious individual seeking out those easy entry points floating around.
Tools4ever recommends a couple different process revamps to avoid this Achilles heel of onboarding new users and accounts:
- DO NOT USE THE SAME DEFAULT VALUE FOR EVERY NEW PASSWORD. PLEASE STOP. JUST DO NOT DO IT. PLEASE.
- New passwords should be randomly generated strings of characters that would be outside of any persons' ability to randomly guess or socially engineer the value. Remember that numbers and special characters are great, but every letter of the alphabet has a 1-in-26 chance of being correct for any given character of the whole string and most people's special characters are one of the 10 or so sitting just above QWERTY.
- Use a web portal interface upon first login for the new user to monitor and restrict all parts of your account onboarding process. If the new user never accesses the interface, you already know those accounts that went unclaimed, which makes cleaning up orphans much, much easier.
- Securely place access to the password value behind questions based on non-sensitive employee information to verify the user's identity.
Next time you go creating those accounts, take a moment to think about what formula you are using, how the password value will be transferred to the new user, and how that user is going to access that password and their account for the first time. If you see a vulnerability in your organization's process, it may not matter how complex and frequent your password change rules are for every day afterwards.
Right from any account's creation, such risky business jeopardizes that environment you work so hard to protect. Stop risking yourself with onboarding steps you don't secure.
If you would like to discuss and review your onboarding processes with one of Tools4ever's consultants or account representatives, please contact us to set up a consultative discussion regarding how these vulnerabilities can be addressed within your organization's processes.