Another day, another breach.
We haven’t received details yet, but we’re sure to hear that poor passwords were at least partly to blame in this week’s massive Evernote breach. And Bank of America’s. And [insert company name here]’s.
It seems that we may never get passwords right.
There are many reasons for this.
First, passwords may be the most targeted of all security controls. They are, after all, the keys to the kingdom. If you hit something hard enough, long enough, it’s going to break. Given enough guesses and enough time, even a strong password can be cracked, especially once a breach puts the password database in the attacker’s hands and the guessing happens offline.
Second, passwords may be the most numerous of all security controls. I have 200 times as many passwords as I do firewalls, access control procedures or data classification policies. A typical organization may have 10,000 passwords for every other security control they possess.
Third, passwords may be one of the most dynamic security controls, if not the most dynamic of all. Think about how often you create a new password or change an existing one. You don’t see that level of churn in other areas of security.
Last, passwords are often designed, implemented and administered by the unwashed masses. Unlike other controls, they may never be reviewed by a committee or subject to monitoring, and in the worst case they aren’t even required.
So what’s the secret to solving this problem?
Lowering our expectations.
Lowering our expectations? That’s the secret? Yes, and don’t be alarmed. Because, as sad as that sounds, expecting less of passwords (and of the people who create and enforce them) forces us to think seriously about the controls that compensate for this historically weak protection.
Remember that the goal of your security program is not to create one impenetrable wall, but rather to create a system of defenses that together are strong enough to withstand the threats that you are likely to encounter. Your passwords are just one piece of the puzzle.
Spending too much time developing the ultimate password scheme, training your workforce to craft perfect passwords and monitoring for 100% password compliance can distract you from the job at hand: protecting the crown jewels.
Good generals know it’s not about winning every battle, but winning the war.
Many organizations recognize this and are moving towards requiring or recommending multi-factor or other out-of-band authentication mechanisms to support passwords. Certificates, biometrics and other controls are becoming more popular for this reason, as well.
Take a look at what you’re doing with passwords and decide how practical and effective your efforts are. Don’t make excuses – you can’t lower your expectations so far that passwords offer no protection.
But lowering your expectations may just increase your defenses.