The state of the art in static password protection policies has left some specialists questioning the usefulness of current password policies.
It's going to take new measures -- a mixture of technology and policy -- to hold users more accountable while addressing new attack methods and the automated connectivity of Web 2.0 behavior.
Traditional password protection policies, such as those described by Jeremiah Grossman, one of the industry's top researchers at WhiteHat Security Inc., can be implemented to reduce the risk of an intruder impersonating a user. However, even if the password policy works, it is often unacceptable for IT to disable accounts after a number of bad logon attempts. The business often relies on out-of-wallet questions to avoid expensive help desk calls and a security investigation.
End users are also storing passwords in their browsers for automatic logon and those passwords are often used for multiple accounts in different businesses. The result is an organization that is dependent on another organization's security program to protect a password.
Making matters even more difficult for IT is the changing nature of the threat landscape. Attackers are finding it more effective to harvest passwords from keystroke loggers, Trojans or phishing scams.
Two factor authentication through the use of mobile phones or tokens for high-value, off premise or privileged accounts is one direction an enterprise can take. Two factor authentication, which usually involves a physical device in addition to knowledge of a password/PIN secret, works because the authentication credential is enormously difficult to guess and the user can report the loss of the device leading to a security reset of the account credentials. An enterprise that uses single sign-on for critical application remote access, but does not rely on a form of two factor authentication and instead entrusts the keys to the kingdom in a single password, has an irresponsible security policy.
Organizations should also be proactively auditing account activity for signs of break-in attacks, including failed logon attempts, concurrent logons and logons at strange hours. Irregular logon activity may indicate an attack in progress (valid username, invalid password) or a potentially compromised password. A simple phone call or email exchange with the affected end user will confirm acceptable user access or a security incident, in which case IT can take corrective actions with the account credentials and launch a security investigation to determine the extent of the breach.
Security organizations are defending against passwords on multiple fronts, while acknowledging that 100% security is unattainable. Endpoint security software has to detect and block keystroke loggers and Trojans to protect passwords. A user responsibly writing down passwords and prohibiting Web browsers from automating logons also reduces the security risk.
The most effective protection is constant vigilance to identify suspicious logon activity.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.