1. What are examples of strong passwords?
We gave some good examples during our presentation. Recommendations include using uncommon words; requiring upper- and lowercase characters mixed with numbers and special characters; and substituting numbers or symbols for letters, such as Tr0ub4dour for Troubadour. We more strongly recommend the use of four unrelated words (correct horse battery staple). Remember, a password policy may seem inconvenient for us, but it will also be inconvenient for the hacker.
2. What are good things to have in password policies?
Some recommendations for password policies include requiring regular users to have passwords of a minimum of 12 characters (upper, lower, numbers, special characters) and administrator accounts to have a minimum of 16 characters (upper, lower, numbers, special characters); no reuse of passwords within 12 months; changing passwords every 90 days (current thinking is to extend the password lifetime if the password has industry-leading strength/length and based on user risk); and, of course, 2-factor authentication for all remote access and internal sensitive services. There are more tips in our presentation, which you can replay here.
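The policy in this answer can be expressed as a small checker. The following is an added example, not code from the presentation; the role names, the in-memory history store and the use of SHA-256 for the sample history are assumptions for illustration (a production system would store a salted, slow hash such as bcrypt or Argon2).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import string

# Policy values from the answer above: 12 chars for regular users, 16 for admins,
# upper/lower/digit/special required, no reuse within 12 months, rotate every 90 days.
MIN_LENGTH = {"user": 12, "admin": 16}
REUSE_WINDOW = timedelta(days=365)
MAX_AGE = timedelta(days=90)


@dataclass
class PasswordHistory:
    """Constructed sample store of (hash, date set) pairs for one account."""
    entries: list = field(default_factory=list)

    def add(self, password: str, set_on: date) -> None:
        # SHA-256 is used only so the sample runs offline; use a slow salted hash in practice.
        self.entries.append((hashlib.sha256(password.encode()).hexdigest(), set_on))

    def reused_within(self, password: str, today: date) -> bool:
        digest = hashlib.sha256(password.encode()).hexdigest()
        return any(digest == old and today - when < REUSE_WINDOW for old, when in self.entries)


def composition_problems(password: str, role: str) -> list[str]:
    """Return every composition rule the password breaks for the given role (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters for role {role}")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def check_new_password(password: str, role: str, history: PasswordHistory, today: date) -> list[str]:
    """Composition rules plus the 12-month reuse rule; empty list means the change is allowed."""
    problems = composition_problems(password, role)
    if history.reused_within(password, today):
        problems.append("reused within 12 months")
    return problems


def password_expired(set_on: date, today: date) -> bool:
    """True once the password has reached the 90-day lifetime."""
    return today - set_on >= MAX_AGE
```

Note that a lowercase four-word passphrase such as the one in answer 1 fails the composition rules here until it is capitalised and given a digit and a separator, so the two answers are reconciled by something like `Correct-Horse-Battery-Staple1`.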
3. With respect to password keepers, is there a difference between cloud-based or behind the firewall insofar as security or other considerations?
There are differences. It comes down to understanding your current systems configuration. If your systems are also cloud-based, then a cloud-based password keeper would most likely be appropriate for you. If all your information and systems are behind a firewall, internal only, then a behind-the-firewall password tool is likely the right option for you. In vetting your options, understand your business case coupled with what you are trying to achieve and the level of risk involved, and then determine the right tool for your organization. Additionally, you must determine whether your vendor or your internal business operations would provide more platform and environmental security (acknowledging that privileged and end users are still points of failure), while continuing to assess and monitor the risks.
4. Do you think passwords will be replaced by biometrics?
This is a good question, and a difficult one. Many folks are personally opposed to biometrics simply because it involves using something more personal than something you can create or have. Biometrics would be owned by the person, whereas traditional passwords would be owned by the company. With personal data and information sometimes being more protected in Europe, or otherwise having different controls in place for protection, biometrics may change the way you have to protect and approach that information. You would have to protect that (biometric) factor differently than you would a password or an app. We don’t know that passwords will ever be totally replaced by biometrics itself, but passwords could be replaced by other factors or by a creative invention yet to be discovered. Another consideration in determining whether biometrics could replace passwords is what happens when the credential is lost: you can change a normal password, but you can’t change your face unless you spend a lot of money on surgery. As indicated before, it’s not likely that biometrics will replace passwords; it’s more likely to be another augmentation or third factor. You never know whether, in a generation or two, it becomes simply a matter of ease of use to implant a chip in your forearm or some other body part, but we don’t see it soon unless some discovery comes along that is more practical or convenient for users and makes sense to administer.
5. Are passwords the best way to protect the organization?
Passwords are what’s out there. You must look at passwords as one component in protecting the organization. The best way to protect the organization is to look long and hard at implementing 2-factor authentication. The risks with passwords in general relate back to where you are entering the password. What we know today is that several 2-factor tools are becoming more prevalent and available, and how users implement those will be key to really protecting your data. If there is a better replacement for passwords, we look forward to it, but you can probably reduce the dependency on them with multifactor. At the end of the day, the password is still one of the most important factors, individually or collectively with multifactor authentication.