editor’s question
www.intelligentciso.com | Issue 22

RAJESH GANESAN, VICE PRESIDENT AT MANAGEENGINE

Eliminating all passwords is the best option for businesses, but that is still a utopian dream given the vast mix of systems that businesses use, both modern and legacy, still requiring password-based authentication. Here are some best-practice tips for businesses working towards high maturity of their authentication security.
• Eliminate or disable password-based authentication wherever possible. Password-less authentication is gaining prominence and modern systems typically support some form of authentication that does not require passwords. Businesses must keep this as a mandatory criterion while choosing new systems.

• Mandate the use of multi-factor authentication (MFA), regardless of the use of password-based authentication. The ease of use and reliability of adding more factors for authentication leaves businesses with no excuse anymore, especially with smartphone apps proving to be a great option.

• Enforce long and complex passwords and disallow weak passwords wherever possible. Password brute forcing is still the most common attack vector and enforcing this rule ensures dramatically higher levels of security.
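The "long and complex, and never a known weak password" rule above is usually enforced at the point where a password is set. The following is an added example, not code from the article or from ManageEngine, showing what such a policy check looks like in practice: a minimum length, a character-class requirement, a denylist that is compared after folding case, trailing digits and common letter-for-symbol substitutions (so "P@ssw0rd!" and "Summer2023!!" are both rejected), a username check, and a check for runs such as "1234". The denylist and the thresholds are constructed for the example; a real deployment would load a large breached-password list.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, illustrative denylist. A real deployment would load a large list of
# breached/common passwords; these ten entries only exercise the matching logic.
WEAK_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome1", "admin123", "iloveyou", "summer2023",
}

# Fold the substitutions people use to dodge naive denylists: P@ssw0rd -> password
LEET = str.maketrans("@$0135", "asoies")


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols ("Summer2023!" -> "summer"), then un-leet."""
    s = re.sub(r"[^a-z]+$", "", pw.lower())
    return s.translate(LEET)


# Roots of the denylist after the same normalisation, so "Welcome1!" matches "welcome1".
WEAK_ROOTS = {normalise(w) for w in WEAK_PASSWORDS} - {""}


@dataclass
class PolicyResult:
    ok: bool
    failures: List[str] = field(default_factory=list)


def has_run(pw: str, n: int = 4) -> bool:
    """True if pw contains n characters that are identical or strictly consecutive (aaaa, 1234, dcba)."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: Optional[str] = None, min_length: int = 14) -> PolicyResult:
    """Apply a length + complexity + denylist policy and report every failure, not just the first."""
    failures: List[str] = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        failures.append("uses fewer than three of: lower, upper, digit, symbol")
    root = normalise(pw)
    if pw.lower() in WEAK_PASSWORDS or root in WEAK_ROOTS or any(
            w in root for w in WEAK_ROOTS if len(w) >= 6):
        failures.append("matches a known weak password")
    if username and len(username) >= 4 and username.lower() in pw.lower():
        failures.append("contains the username")
    if has_run(pw):
        failures.append("contains a sequential or repeated run of 4+ characters")
    return PolicyResult(ok=not failures, failures=failures)


if __name__ == "__main__":
    # Constructed candidates: two classic weak choices and one long passphrase.
    for candidate in ["P@ssw0rd!", "Summer2023!!", "correct-horse-battery-staple-42"]:
        print(candidate, check_password(candidate))
```

The check returns the full list of failures so the user can be told everything that is wrong at once; the denylist comparison runs on the normalised root rather than the raw string, which is what stops the "append a year and an exclamation mark" workaround.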
• Do not mandate frequent changing of passwords where MFA is enabled. Forcing frequent password changes is why users tend to choose easy passwords. MFA offers great protection and, without the need to change the password frequently, users can choose one complex password for a long period to enable complete protection.

• Force user password changes only when they leave the organisation or their role changes. While it’s important not to change passwords frequently, it is critically important to change them as soon as the user no longer requires access to information. Ideally, this should be automated as part of the termination or transfer process.
• Manage passwords of privileged accounts separately. More critical than managing personal account passwords is handling the passwords of shared privileged accounts, like ‘admin’, ‘root’ and other such accounts. These are high-privilege accounts, have no association with one specific user, are typically shared by a few people, and hence must be managed through a separate program.

• Disable direct authentication to all privileged accounts and have mechanisms to elevate the privileges of each user depending on the need. High security demands only allowing access for the specific time that the user needs to get the job done.
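The two privileged-account points above (no direct login to shared accounts, and elevation only for the time the job needs) are the core of a just-in-time elevation broker. The following is an added example, not code from the article or a ManageEngine product, that models that control: a named user requests a grant for a privileged account with a reason and a TTL capped by policy; a login attempt as "root" itself is refused; a login by the named user succeeds only while an unexpired grant they hold exists; and every decision is appended to an audit trail. The account names, the ticket reference and the timestamps are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed set of shared privileged accounts that nobody may log in to directly.
PRIVILEGED_ACCOUNTS = {"root", "admin", "svc-backup"}


@dataclass
class Grant:
    user: str          # the named person who requested elevation
    account: str       # the privileged account they may act as
    reason: str        # ticket / justification, kept for the audit trail
    expires_at: datetime


class ElevationBroker:
    """Issues short-lived, per-user grants to act as a privileged account and records every decision."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=1)):
        self.max_ttl = max_ttl
        self.grants: Dict[str, Grant] = {}
        self.audit: List[Tuple] = []

    def request_elevation(self, user: str, account: str, reason: str,
                          ttl: timedelta, now: datetime) -> str:
        if account not in PRIVILEGED_ACCOUNTS:
            raise ValueError(f"{account} is not a brokered privileged account")
        ttl = min(ttl, self.max_ttl)                     # never exceed the policy ceiling
        grant_id = secrets.token_urlsafe(16)
        self.grants[grant_id] = Grant(user, account, reason, now + ttl)
        self.audit.append(("grant", user, account, reason, (now + ttl).isoformat()))
        return grant_id

    def authenticate(self, principal: str, target: str, now: datetime,
                     grant_id: Optional[str] = None) -> bool:
        """Decide whether `principal` may open a session as `target` at time `now`.

        Personal accounts pass through here (they are protected by the normal login and
        MFA path, outside this broker). Privileged accounts are reachable only through a
        live grant held by this principal; presenting the account's own name is refused.
        """
        if target not in PRIVILEGED_ACCOUNTS:
            return True
        if principal == target or grant_id is None:
            self.audit.append(("deny-direct", principal, target, now.isoformat()))
            return False
        grant = self.grants.get(grant_id)
        if grant is None or grant.user != principal or grant.account != target:
            self.audit.append(("deny-no-grant", principal, target, now.isoformat()))
            return False
        if now >= grant.expires_at:
            del self.grants[grant_id]                    # expired grants are removed, not reused
            self.audit.append(("deny-expired", principal, target, now.isoformat()))
            return False
        self.audit.append(("allow", principal, target, grant_id, now.isoformat()))
        return True


def demo() -> List[bool]:
    """Constructed scenario: direct root login, elevation inside the window, wrong user, then after expiry."""
    broker = ElevationBroker(max_ttl=timedelta(minutes=30))
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    direct = broker.authenticate("root", "root", t0)                                     # False
    gid = broker.request_elevation("alice", "root", "CHG-1234 (constructed) patch kernel",
                                   timedelta(hours=4), t0)                              # capped to 30 min
    in_window = broker.authenticate("alice", "root", t0 + timedelta(minutes=10), gid)   # True
    wrong_user = broker.authenticate("bob", "root", t0 + timedelta(minutes=10), gid)    # False
    after = broker.authenticate("alice", "root", t0 + timedelta(minutes=31), gid)       # False
    return [direct, in_window, wrong_user, after]


if __name__ == "__main__":
    print(demo())
```

The broker keeps the grant bound to both the requesting user and the target account, so a grant cannot be lent to a colleague, and the TTL cap is applied at issue time rather than trusted from the request, which is what turns "access for the specific time the user needs" into something the system enforces rather than the user promises.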
• Use a password manager to implement and automate all the best practices mentioned above. Often overlooked, but a great security investment is to have an enterprise-grade password manager to stay on top of all password security issues.