Managing the Password Dilemma

Let's face it, passwords stink. They're easy to steal, easier to forget, and they create work for your staff. What's worse is that they're not really very good security for all sorts of reasons. But for now, we're stuck with them.

Fortunately, there are things that you can do to reduce your risk, and more importantly, increase your level of compliance with requirements ranging from the Health Insurance Portability and Accountability Act (HIPAA) to the Sarbanes–Oxley Act (SOX). But you also need to do it in a way that doesn't add to your management burden more than necessary and that doesn't cost too much. And, of course, it needs to work in all the places where your employees work.

Before you rush into a search for password alternatives, however, it's probably a good idea to give some thought to your password policies, remembering that they need to be used by people. This means that requiring passwords that are too long or too complex will actually reduce their effectiveness in addition to increasing the cost to you.

Their effectiveness is reduced because people write them down so they won't forget, or they forget and your IT department has to perform a reset, which costs you money. Or you need to add a "forgot your password" feature, which has its own set of risks and complexities.

You also need to think about your requirements for routine password changes. A number of studies indicate that they're probably not necessary and that they have the same downsides as overly complex or long passwords, except that they happen more often.

But even with a rational password policy, this still isn't a very good way to maintain your compliance level. Clearly you need something else. This is where a second authentication factor comes in.

Tighter Security

Second Authentication Factors

For large organizations where most employees work in the office, the most obvious solution is to use the ID badge as a second factor. In nearly all cases, including the government and many Fortune 500 companies, this means adopting the smart card as that second factor. This isn't a new approach and it's widely used. The difference is that the cost of entry is now vastly lower because Windows 10 now includes support for smart cards as a security technology.

But smart cards aren't necessarily the best solution for every company and they're not a solution at all for a mostly mobile workforce. While you can purchase laptops with an integrated smart card reader, you're not going to find this as easy to achieve with your employees who use smartphones or tablets as part of their work.

The obvious solution for mobile users might be to adopt a different form of two-factor authentication (2FA), such as sending out a numeric code using SMS. Every phone that's currently available supports text messaging, and while it entails a brief delay in access while users wait for a text message to arrive, it actually works well and it's secure since modern phones usually require a biometric log-in or their own passcode before they will work.

But to be even safer, it's possible to use a dedicated application to gain access to your data systems. The challenge there is, you'll need to develop an app for each type of smartphone your employees use. You could also use a web app but then you're back to the password problem again, unless you're prepared to do some web development that would allow authentication via your employee smartphones, which is not impossible but also not trivial.
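Whether the numeric code goes out by SMS or is pushed to a dedicated app, the part the article does not show is the server side: the code has to be unpredictable, short-lived, single-use, and checked with a bounded number of guesses, or the second factor is weaker than it looks. The following is an added example, not code from the article or from any vendor, of such a verifier in Python. The five-minute lifetime, the five-attempt budget, the six-digit width and the `send_code` callback that stands in for a gateway such as Twilio are all assumptions; the phone numbers in the demo are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses void the code


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int


class SmsCodeVerifier:
    """Issue and check short-lived numeric second-factor codes.

    Delivery is delegated to a caller-supplied callable so this runs offline;
    in production that callable would talk to an SMS gateway or push service.
    """

    def __init__(self, send_code):
        self._send_code = send_code   # callable(destination: str, message: str)
        self._pending = {}            # user id -> PendingCode

    def issue(self, user_id, destination, now):
        # CSPRNG-backed value, zero-padded to a fixed width so every code looks alike
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        # Re-issuing replaces any earlier code, so at most one code is live per user
        self._pending[user_id] = PendingCode(code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self._send_code(destination, f"Your login code is {code}")

    def verify(self, user_id, submitted, now):
        pending = self._pending.get(user_id)
        if pending is None:
            return False                    # nothing issued, or already consumed
        if now > pending.expires_at:
            del self._pending[user_id]      # expired: force a fresh code
            return False
        # Constant-time comparison; compare_digest requires ASCII strings,
        # so reject anything that is not a plain digit string first
        well_formed = submitted.isascii() and submitted.isdigit()
        if well_formed and hmac.compare_digest(pending.code, submitted):
            del self._pending[user_id]      # single use: a replayed code fails
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[user_id]      # guessing budget exhausted: must re-issue
        return False


def demo():
    """Walk through a normal login, a replay of the same code, and an expired code."""
    outbox = []
    verifier = SmsCodeVerifier(lambda dest, msg: outbox.append((dest, msg)))
    verifier.issue("alice", "+1-555-0100", now=1000.0)   # constructed phone number
    code = outbox[-1][1].split()[-1]
    first = verifier.verify("alice", code, now=1010.0)    # True: fresh code
    replay = verifier.verify("alice", code, now=1011.0)   # False: already consumed
    verifier.issue("alice", "+1-555-0100", now=2000.0)
    stale = verifier.verify("alice", outbox[-1][1].split()[-1],
                            now=2000.0 + CODE_TTL_SECONDS + 1)  # False: expired
    return first, replay, stale


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The attempt budget matters as much as the lifetime: a six-digit code has only a million values, so an unlimited number of guesses inside a five-minute window is a brute-force problem, not an authentication step. Deleting the pending entry on exhaustion forces a new code to be sent, which also leaves a trail in the gateway logs that is worth alerting on.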

By now you might be wondering about those whole-hand print readers you see at some data centers, or you might be thinking about fingerprint or retinal scan readers. Those all can work well and they're an obvious solution for a high-value installation, such as your data center. But they require a significant investment in infrastructure and they require people to manage them. We're trying to think about ways to improve compliance without adding people or spending too much money.

Other Means to Improve Compliance

What this means is that you'll need to take more than one approach. For your office workers, you might implement smart cards as a factor in authenticating your employees. This has advantages for physical security in addition to helping your compliance, and the cost of entry is within the reach of even smaller organizations.

For reference, smart card readers that work with Windows are available in quantities of one for about $10. Keyboards with integrated smart card readers cost as little as $25 in quantities of one.

For your mobile users, you may want to think about using SMS messages for 2FA. This is something that you've certainly seen already, whether you're working with Apple or Microsoft or a number of other sites. A number of companies will handle the process for you. One example is Twilio, but there are others.

What matters is that you can do something about your password dilemma while not having an undue impact on your staff or your budget. Your path to compliance will be easier because you've provided greater access security, and you might even ease your staff load by adopting policies that work, while also adding a level of security. For you and your IT team, it's a win on all sides.

Source: https://sea.pcmag.com/feature/19103/managing-the-password-dilemma

Posted by: smithexciou.blogspot.com
