What Agencies Need to Consider When Updating Password Protocols in 2018

Movies and TV would have us believe that data breaches are long, hard-fought battles between the good guy and the bad guy—and the bad guy wins. That could not be further from reality. Hackers are opportunistic. They want to spend as little time as possible getting into the system, getting what they need, getting out, and exploiting it as fast as possible.

It turns out that the lowest-hanging fruit comes from user-generated passwords. According to the Verizon® 2017 Data Breach Investigations Report, 81% of hacking-related breaches were the result of a weak or stolen password.

What does this mean for federal agencies? It means that along with creating a sound security posture through a solid foundation of processes and tools, password security should be top of mind.

Creating a solid password

Ensuring that users create solid, hard-to-hack passwords is a long-standing challenge among federal IT security pros. Users tend to create short, simple passwords or reuse passwords across multiple accounts. Or, they resort to common strategies like switching out every “a” for a “4,” every “e” for a “3,” and so on. The challenge here is that humans are not the ones guessing passwords; attackers use machines to guess passwords. So, while the letter-replacement strategy may be difficult for a human to figure out, it is a trivial rule for a password-cracking program to apply.

What’s the solution, then? How does a federal IT security pro ensure users create stronger passwords?

The National Institute of Standards and Technology (NIST®) has been working for several years to provide updated guidelines for protecting digital identities. NIST published these new guidelines in June 2017. The overall theme of NIST’s guidance on passwords in particular is to keep it simple. Let users create long, easy-to-remember passwords without mandatory special characters or mixed uppercase and lowercase letters. The use of a “pass-phrase” instead of a “password” is a key component of aligning with the new NIST recommendation.

Within the overall guidance, NIST provides the following basic guidelines that every agency can follow specifically for creating and protecting passwords.

First, do not rely on passwords alone for protection. Be sure end-users are taking advantage of all possible methods of protecting security—such as implementing multi-factor authentication.

Next, train users to have a better understanding of what a strong password looks like. We used to think that simply having a combination of uppercase and lowercase letters, numbers, and symbols makes a hard-to-crack password. That’s old thinking. A phrase with multiple unrelated words is a far better choice.

Ask users to come up with four random words, then create an image in their heads that brings the four words together. We can picture our favorite snack. This way, we can generate the password i<3ch0c0l8bar$MMM (I love chocolate bars). The password would be quite difficult to hack based on its length and random combination of words, but can be easy to remember through a visual cue.

Third, be sure users are using different passwords for different accounts (banking, email, etc.). It is incredibly common for users to use the same password for multiple things—particularly if the password is complex and difficult to remember; this is highly insecure and should be just as highly discouraged. Their government network password should not be the same one that they use in everyday life. This limits the exposure should a breach of one account occur.

Finally, encourage users to consider implementing a password management solution. A password manager generates and stores all user passwords—and any other security-related information, such as PINs, credit card numbers, or CVV codes—across all online accounts, in a single location. With a password manager, users need only remember one password. Easy.

In our federal environments, we aren’t lucky enough to simply grab a best-in-breed commercial password management solution. System architects and engineers should consider a business case for privileged access and password management at an enterprise level. There are many robust and approved ways to help keep the systems safe and secure. Hackers are creative, and IT teams should be too.

Creating a foundation for solid passwords

While creating the password itself is ultimately the user’s responsibility, there are things that federal IT security pros can do. Start with the NIST guidance, ensure that your agency-specific policy is up to date, and implement proper controls and solutions to meet the established goals. Beyond password creation and protection, federal IT security pros should work with internal security teams to regularly scan the network and ensure proper compliance.

The old adage is true: a chain (in this case, your agency) is only as strong as its weakest link. So, be sure to have a solid security foundation, routine security awareness training, and testing and validation processes run as often as possible. Reducing your exposure and being proactive in addressing weaknesses will make your agency a far more difficult and less appealing target.

*Article by Paul Parker, Chief Technologist - Federal and National Government, SolarWinds