Privileged Password Management 101: What exactly is PPM?
Let’s reduce password pain and move passwords into the background
Passwords remain one of the top challenges and causes of cyber fatigue for employees. As we move more of our business and lives online, the number of credentials needed to protect our identities continues to grow. Unfortunately, a single password is sometimes the only security control standing between a cybercriminal and our sensitive information. To protect our organizations and our users, we need to give employees password security that is usable and works in the background, and reward them for using it.
Many organizations are experiencing digital transformation and cloud migration. That means the traditional cybersecurity perimeter no longer applies. Identity management is the new perimeter and access is the new security. Passwords are critical to the protection of our digital assets.
Is there a difference between a password and a privileged password?
I am often asked to clarify the difference between a password, a passphrase, a privileged password, and a Secret. In brief, these security controls are simply all types of secrets. And anything typically placed before ‘password’, such as ‘privileged’, ‘user’, or ‘application’ is what the password is being used to protect.
So, let’s get back to basics with Privileged Password Management 101
First, what is a password (aka passphrase or Secret)?
A password is also commonly known as a Secret, a passphrase, or if only numeric—a PIN. A memorized secret authenticator is a secret value intended to be chosen and memorized by the user. Memorized secrets need to be sufficiently complex and secret to ensure that an attacker will not be able to guess or otherwise discover the correct secret value. A memorized secret is something you know personally as a user.
Please, use 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
A password is a single factor of authentication. The type of account or information the password protects determines whether you should add further authentication controls.
If the account protects financial information, administrator access, or other very sensitive information, add two-factor or multi-factor authentication and require it together with the password, above all for email and privileged accounts. Recognize that not all 2FA and MFA is equal: a one-time code sent by SMS can be intercepted or phished, whereas a hardware security key bound to the site (FIDO2/WebAuthn) resists phishing. Always consider what you are protecting and apply the control most appropriate for reducing the risk of compromise.
Password strength and length are important
What is a strong password, and is password length important? The strength of a password is determined by how hard it is for an attacker to guess using brute-force or cracking techniques.
People think the rarity of a word or phrase will be enough to protect them
It is typical for people to pick passwords they can easily remember by choosing an unusual dictionary word or a topic of interest, believing that the rarity of the word or phrase will be enough to protect them. It is not: cracking tools run dictionary and rule-based attacks that try every entry in very large wordlists, so a rare word is still just one guess among a few million. When creating a password, make it something unique, preferably a combination of several words, and always something that only you know and no one can easily guess. You can further strengthen your Secret by adding random spaces between words.
When considering length, keep in mind that every additional character multiplies the number of guesses an attacker must try. A password longer than eight characters is far stronger than a shorter one, and one longer than 16 characters is stronger still; going to these lengths makes your passwords that much harder to crack.
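The two points above (rare words are weak, length multiplies the work) are easy to quantify. The following is an added example, not code from the original post: it estimates the bits of entropy an attacker faces under a brute-force model and under a dictionary model, converts that to expected cracking time at an assumed rate of 10^10 guesses per second (a fast unsalted hash on a GPU rig; the figure is illustrative), and generates a multi-word passphrase with Python's CSPRNG. The word list and the dictionary size of 500,000 are constructed for the example.

```python
import math
import secrets

# Constructed sample word list. A real generator uses a large list such as
# the EFF long list (7,776 words); this one is short only for illustration.
WORDLIST = ["anchor", "basalt", "copper", "dahlia", "ember", "fjord",
            "glacier", "harbor", "ivory", "juniper", "kestrel", "lantern",
            "marble", "nectar", "orchid", "pepper"]

# Assumed offline cracking rate (guesses per second); illustrative only.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover to brute-force this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def bits_brute_force(password: str) -> float:
    """Entropy if the attacker has to try every character combination."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def bits_dictionary(word_count: int, dictionary_size: int) -> float:
    """Entropy if the attacker knows the password is word_count words from a
    dictionary of dictionary_size entries. Rarity of the word does not matter;
    only the size of the list it came from does."""
    return word_count * math.log2(dictionary_size)


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / rate


def generate_passphrase(words: int = 4, wordlist=WORDLIST) -> str:
    """Pick words with the CSPRNG (secrets), never random.choice, and join them
    with spaces as the text above suggests."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    rare = "Antidisestablishmentarianism"
    print(f"{rare!r}: brute-force model {bits_brute_force(rare):.0f} bits, "
          f"dictionary model {bits_dictionary(1, 500_000):.0f} bits "
          f"(~{crack_seconds(bits_dictionary(1, 500_000)):.1e} s to crack)")
    for pw in ("Tr0ub4d&", "Tr0ub4d&Tr0ub4d&"):
        b = bits_brute_force(pw)
        print(f"{len(pw)} chars: {b:.0f} bits, ~{crack_seconds(b) / 86400:.1e} days")
    phrase = generate_passphrase()
    print(f"{phrase!r}: {bits_dictionary(4, len(WORDLIST)):.0f} bits from this tiny list")
```

The dictionary model is the one that matters for a "rare word" password: a single word from a 500,000-entry list is under 20 bits however obscure it is, while the brute-force figure for the same string is misleadingly high. Doubling the length of a character-based password roughly squares the work.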
Password managers boost security and help avoid cyber fatigue
If you have many accounts and passwords, opting to use password manager software makes securing and managing your accounts far easier and safer. A password manager helps track the age of each password, lets you know what additional security controls have been applied, and helps generate complex passwords for all your accounts so you won’t have to type or remember them. You only need to remember one strong password to access your password manager and it will automatically generate strong passwords for you as you access various accounts.
Remember: when using a password manager, password best practices still apply
This means creating a password manager password that is very strong. You can use a passphrase, a combination of words with only a few special characters such as ? % & @ !. A long, strong passphrase combined with 2FA is tough to compromise and makes life for cybercriminals far more difficult.
While password managers are excellent tools for protecting individual users, organizations must look beyond password managers and consider privileged access security. Privileged Access Management solutions include password manager features but go beyond password manager capabilities to further protect both human and non-human privileged accounts. See the use of PAM solutions at the end of this blog.
Use encryption, and trust no one
Your passwords must be stored encrypted at rest, never in cleartext. Unfortunately, many users still rely on password-protected files such as a spreadsheet to keep track of passwords. This is a very risky practice and it must stop. You should literally trust no one with your passwords. If you need to share access with someone, it is best to give them a one-time password that works exactly once; when they are finished it can no longer be reused, and they must request access again if needed.
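The one-time sharing described above, as an added example that is not part of the original post. The `OneTimeShare` class and its method names are assumptions for illustration. It issues a 256-bit random token, stores only the SHA-256 of that token (so a copy of the store does not yield usable tokens), hands the secret over exactly once, and then refuses the token with a distinct error so that a second redemption attempt can be alerted on. Encryption of the secret at rest, which the paragraph requires, is assumed to be provided by the surrounding vault and is not shown.

```python
import hashlib
import secrets
import time


class OneTimeShare:
    """Hand a secret to a colleague via a single-use, time-limited token.

    Assumed design: the server keeps sha256(token) -> entry; the raw token
    exists only in the message to the recipient.
    """

    def __init__(self, ttl_seconds: int = 600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing
        self._entries = {}           # digest -> {"secret", "expires", "used"}
        self.audit = []              # (event, digest prefix, timestamp)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, secret: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits from the CSPRNG
        d = self._digest(token)
        self._entries[d] = {"secret": secret,
                            "expires": self._clock() + self._ttl,
                            "used": False}
        self.audit.append(("issued", d[:8], self._clock()))
        return token

    def redeem(self, token: str) -> str:
        d = self._digest(token)
        entry = self._entries.get(d)
        now = self._clock()
        if entry is None:
            self.audit.append(("unknown", d[:8], now))
            raise PermissionError("unknown token")
        if entry["used"]:
            # A second redemption is a signal worth alerting on: the token
            # was copied, replayed, or the recipient is misusing it.
            self.audit.append(("replay", d[:8], now))
            raise PermissionError("token already redeemed")
        if now > entry["expires"]:
            del self._entries[d]
            self.audit.append(("expired", d[:8], now))
            raise PermissionError("token expired")
        entry["used"] = True
        secret = entry["secret"]
        entry["secret"] = None                    # drop the plaintext once delivered
        self.audit.append(("redeemed", d[:8], now))
        return secret


if __name__ == "__main__":
    share = OneTimeShare(ttl_seconds=300)
    token = share.issue("db-admin-temp-credential")   # constructed secret
    print("recipient receives:", share.redeem(token))
    try:
        share.redeem(token)
    except PermissionError as exc:
        print("second attempt refused:", exc)
    print(share.audit)
```

The used entry is deliberately kept rather than deleted, so that "already redeemed" and "unknown token" stay distinguishable in the audit trail; only expired entries are removed.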
Storing passwords in a browser is as risky as keeping them in a text file
Many people allow their web browsers to store passwords. This presents a major risk: browsers remember and autofill password fields by default, but the stored passwords are protected at best by the operating system login session, with no additional secret. Anyone who gains access to your unlocked device, or any credential-stealing malware running under your account, can read the saved passwords and with them gain easy access to every account they protect.
Pay attention to password age and disclosure
Depending on the sensitivity of the account and the importance of the data secured by the password, set a regular rotation cycle for changing it. Do not wait to change passwords until after you are informed of a breach; by then it is already too late.
The best practice for system passwords (service and administrator accounts) is to rotate them on a short schedule and after every use. This can be done automatically with the proper password management software. For human passwords the time frame can be longer, but I recommend between 9 and 12 months, depending on what additional security controls are in place.
Changing a password can also act as a tripwire for locating a compromised account: after a rotation, failed login attempts against that account mean that someone or something, a stale script or an attacker, is still using the old password, so make sure those failures are alerted on. If a system password has been checked out (disclosed), rotate it as soon as the activity is complete. Keep the number of people and systems that ever see a password as small as possible to reduce the risk.
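Both halves of the rotation advice above can be automated: deciding which passwords are overdue (system passwords after any checkout or past a short maximum age, human passwords past the 9-12 month range) and treating failed logins after a rotation as an alarm. The following is an added example, not the author's or any vendor's code. The account inventory, the auth log lines, the 30-day system maximum, and the three-failure alert threshold are constructed assumptions for the example; the 365-day human maximum is the upper end of the range recommended above.

```python
import re
from datetime import datetime, timedelta, timezone

SYSTEM_MAX_AGE = timedelta(days=30)    # assumed policy for service/admin passwords
HUMAN_MAX_AGE = timedelta(days=365)    # upper end of the 9-12 month range above

# Constructed inventory, as a vault export might look.
ACCOUNTS = [
    {"name": "svc-backup", "kind": "system", "rotated": "2023-02-01", "last_checkout": "2023-03-02"},
    {"name": "svc-db",     "kind": "system", "rotated": "2023-03-01", "last_checkout": None},
    {"name": "alice",      "kind": "human",  "rotated": "2022-02-01", "last_checkout": None},
    {"name": "bob",        "kind": "human",  "rotated": "2022-11-15", "last_checkout": None},
]

# Constructed syslog-style authentication events.
AUTH_LOG = """\
2023-03-03T08:01:12Z sshd: user=svc-backup result=FAIL src=10.0.5.7
2023-03-03T08:01:15Z sshd: user=svc-backup result=FAIL src=10.0.5.7
2023-03-03T08:01:18Z sshd: user=svc-backup result=FAIL src=10.0.5.7
2023-03-03T09:10:00Z sshd: user=alice result=OK src=10.0.9.2
2023-02-20T11:00:00Z sshd: user=svc-db result=FAIL src=10.0.5.7
2023-03-04T12:00:00Z sshd: user=bob result=FAIL src=10.0.9.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")


def _date(s: str) -> datetime:
    """Inventory dates are bare ISO dates; treat them as midnight UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def rotation_due(account: dict, now: datetime):
    """Return the reason a password must be rotated now, or None if it is fine."""
    rotated = _date(account["rotated"])
    if account["kind"] == "system":
        if account["last_checkout"] and _date(account["last_checkout"]) > rotated:
            return "disclosed since last rotation"
        if now - rotated > SYSTEM_MAX_AGE:
            return "older than system maximum age"
    elif now - rotated > HUMAN_MAX_AGE:
        return "older than human maximum age"
    return None


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts with a tz-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines in other formats
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def post_rotation_failures(accounts: list, events: list, threshold: int = 3) -> list:
    """Failed logins *after* a rotation mean something still holds the old password.

    Returns sorted (account, source, failure count) tuples at or above threshold."""
    rotated_at = {a["name"]: _date(a["rotated"]) for a in accounts}
    counts = {}
    for e in events:
        when = rotated_at.get(e["user"])
        if when is None or e["result"] != "FAIL" or e["ts"] <= when:
            continue
        key = (e["user"], e["src"])
        counts[key] = counts.get(key, 0) + 1
    return [(u, s, n) for (u, s), n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    now = datetime(2023, 3, 5, tzinfo=timezone.utc)
    for a in ACCOUNTS:
        reason = rotation_due(a, now)
        if reason:
            print(f"ROTATE {a['name']}: {reason}")
    for user, src, n in post_rotation_failures(ACCOUNTS, parse_log(AUTH_LOG)):
        print(f"ALERT {user}: {n} failed logins from {src} after rotation")
```

In the sample data `svc-backup` is flagged twice: it was checked out after its last rotation, and the same source keeps failing to log in after the rotation, which is exactly the tripwire the text describes. The failure against `svc-db` predates its rotation and is ignored, and `bob`'s single failure stays below the threshold.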
Use a Privileged Password Management or Privileged Access Management (PAM) Solution
Adopting privileged password management software tools allows you to securely create, share, and automatically change enterprise passwords and manage privileged security. You can assign user permissions at any level, and track password usage with full audit reports. PAM can also be used to improve insights into vulnerability assessments, IT network inventory scanning, virtual environment security, identity governance and administration, and behavior analytics. By paying special attention to privileged account security, you can enhance all your cybersecurity efforts, helping to safeguard your organization in the most efficient and effective way possible.
By implementing a comprehensive plan for PAM security, you can reduce the risks to your organization from cyber threats. Limiting access to privileged accounts makes the cybercriminal's job far more difficult and your organization a lot more secure. Attackers who are forced to take more risks create more noise on your network, giving you a better chance of detecting them before disaster strikes, such as a ransomware attack.
The don’ts of password management:
For many years companies have followed password best practices that have not worked as effectively as might be expected. Here are several practices to get rid of when updating your cybersecurity password policies.
Password composition rules are history:
- This password advice is hopelessly outdated and ineffective: "Please use a password different from the last 1000 passwords, it must contain 10 numbers, 4 upper case letters, 5 lower case letters, 3 symbols, etc." Composition rules push people toward predictable substitutions that cracking tools try first; NIST SP 800-63B no longer recommends them, favoring length and a check against known-breached passwords instead.
Password hint fields are gone:
- Password hints never worked in the first place; people just put the password in the hint field.
Knowledge-based authentication, aka security questions, is also passé:
- What is your favorite book?
- Your first car
- Your first pet’s name
- Your mother’s maiden name
- And all those things anyone can easily find on Facebook
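To make the contrast concrete, here is an added example (not code from the original post) that places a legacy composition-rule checker beside a length-and-blocklist policy in the spirit of NIST SP 800-63B: minimum eight characters, long passphrases with spaces allowed, no class requirements, and rejection of known-breached and context-specific values. The breached-password set and the 128-character cap are constructed for the example; a real deployment checks against a large breach corpus rather than an inline list.

```python
import re
import unicodedata

# Constructed sample of breached passwords (lower-cased). Production systems
# query a large corpus, e.g. via k-anonymity range lookups, not an inline set.
BREACHED = {"password", "p@ssw0rd1!", "qwerty123", "letmein", "welcome1"}


def legacy_policy(pw: str) -> list:
    """The composition-rule approach the text calls outdated: 8-20 chars and
    at least one character from each of four classes. Returns a list of problems."""
    problems = []
    if not 8 <= len(pw) <= 20:
        problems.append("length must be 8-20")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs an upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("needs a lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a symbol")
    return problems


def modern_policy(pw: str, username: str = "", breached=BREACHED) -> list:
    """Length plus blocklist, no composition rules (NIST SP 800-63B style).

    Unicode is normalized so visually identical inputs compare equal; spaces and
    any printing character are accepted. Returns a list of problems."""
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 128:                           # assumed cap; must allow at least 64
        problems.append("longer than 128 characters")
    if pw.lower() in breached:
        problems.append("appears in breached-password list")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if len(set(pw)) < 4:                        # catches "aaaaaaaa" and "12121212"
        problems.append("repetitive (fewer than 4 distinct characters)")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "correct horse battery staple mountain", "aaaaaaaa"):
        print(f"{candidate!r}")
        print("  legacy:", legacy_policy(candidate) or "accepted")
        print("  modern:", modern_policy(candidate) or "accepted")
```

The telling cases are the first two: `P@ssw0rd1!` satisfies every composition rule yet sits in the breach list, while a five-word passphrase fails the legacy rules on length and classes even though it is the stronger secret.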
What about biometrics?
With the release of Apple's Face ID on the iPhone X, visionaries predicted that biometrics would replace passwords. The reality so far is simply no, and not anytime soon. Researchers have reported defeating Face ID with a 3D-printed mask, so do not be too quick to abandon password management best practices.
Biometrics are best thought of as replacing usernames: they are identifiers used for authentication. As identifiers they carry much better security attributes than legacy usernames or email addresses, but because biometrics are not secrets they should NEVER be the only security control protecting your sensitive information or financial accounts.
Biometric security controls, like fingerprint, voice, or facial recognition, should always be complemented by another factor like a pin or passphrase. Biometric information can be compromised, so something that is not linked to biometrics should always be used as an additional authentication method.
These technologies help provide a people-centric and human-friendly approach to cybersecurity, but they still come with risks, and it is always important to mitigate or reduce the risks. The biggest problem with biometrics is that when they are compromised you cannot change them. It’s like a hard-coded password—a bad idea in today’s security world. Biometric security control should be combined with something that can easily be changed to ensure that your sensitive information remains secure.
Finally, what about Passwordless?
We have been hearing about passwordless authentication for some time now, and yes, even Microsoft has made it possible for some users to remove the password. I believe this is a great approach; however, let's be realistic about what is really happening with passwordless. It is about moving passwords into the background and changing their purpose. It is about fewer, or "less", password interactions: we enter passwords less often, and the purpose tends to be enrolling a new device, signing in after a reboot, or re-authenticating when the risk changes.
Therefore, additional security controls become more important. And they should be risk-based. In other words, while moving passwords into the background reduces the need for password interactions, we must continue to secure access. This means implementing a strong Privileged Access Management solution that will help secure authorization to systems after authentication has been verified. We must move to security by default by adopting a zero-trust approach—a mindset on how you want to operate your business securely.