Contributing writer

5 ways to escape password hell

Nov 24, 2014 · 10 mins
Data and Information Security, Passwords

Security can be a vicious cycle. A breach occurs. Enterprises add a new level of security. That increases inconvenience for users, who find workarounds. Then there’s another breach and the cycle begins again.

“Every time we have a breach, we add another three feet of security fencing, and expect the users to just climb three feet higher,” says Andre Boysen, chief identity officer at Ontario-based SecureKey Technologies.

One of the coping mechanisms that users adopt is to reuse passwords across multiple sites. Once any one of those sites is compromised, every account that shares the password is potentially compromised too, including work-related ones.

“And as much as we’re in password hell now, the second factor hell that’s coming is even worse,” he says. Text messages, smartphone apps, USB key fobs, voice, video and thumbprint scanners – the second factor technologies are multiplying with no end in sight, and no clear winners.


“It’s confusing the hell out of users,” he says.

Companies are addressing this issue by reducing the number of passwords their users need, implementing password management tools to help them manage the passwords they have, and switching to more user-friendly second factor systems like smartphone apps.

Here are five ways that companies are addressing the password problem:

  1. Cloud-based password management services

Implementing single sign-on is tricky enough in a centrally managed organization. It can be nearly impossible when trying to impose it on autonomous units.

That’s the kind of password problem Rotary International was facing. The global service organization has 1.2 million members, who are part of 34,000 different clubs.

Since the clubs are autonomous, a member might have one login and password for the club website, another for the regional site, another for the national site, and even more for mobile apps and other services developed by fellow Rotarians.

“It was a home-grown hodge-podge of things,” says Peter Markos, CIO of Evanston, Ill.-based Rotary International, the parent organization.

The challenge was to update security throughout the organization, including for the autonomous club websites. “That led us to the cloud,” he says. Specifically, it led them to Okta, an on-demand identity and access management vendor.

Plus, cloud delivery meant that Rotary would be getting constant improvements. “We can now offer security as a service,” he says. The local club can send the login request to the parent organization, which acts as the central hub that all clubs and members can connect to.

“It simplifies the life of the club,” he says. “They don’t have to manage their own users. And it simplifies life for the member, and makes the wealth of resource around the globe easier to access.”

The most difficult part of the process is getting the individual clubs on board. Around 8,000 clubs use off-the-shelf club management software, and the security as a service is already available through that channel. Another 1,000 or so clubs have switched over on their own. Markos says the adoption rate is starting out slow, but he hopes that it will pick up as the technology proves itself and reaches critical mass. “There’s a lot of reluctance to give up control,” he adds.

Rotary is also looking at changing the way the passwords themselves look, away from the standard eight-character password that they launched with.

“We’re looking at getting rid of the special character, the capital letter, the number, and just increasing length, encouraging them to use a phrase,” he says. “It’s really length that’s going to provide the security and address brute force type attacks – and our members will be appreciative of something easier to remember.”

  2. Off-the-shelf password management software

Secure-24, a Detroit-based managed hosting company that serves automotive, manufacturing and healthcare companies, has a similar problem – the company has to manage passwords on behalf of its clients, who need their own, secure access to their systems. And there’s a twist.

“They’ll have us create passwords for different servers and different technologies – but they wouldn’t want us to know them or save them or remember them,” says Eric Zehnder, the company’s systems improvement engineer.

To solve this problem, Secure-24 turned to Thycotic’s Secret Server enterprise password management software. The software provides automated password management for multiple clients, in multiple domains.

And there’s no risk of the passwords getting into the wrong hands. “The users never even know the passwords,” says Kevin Jones, Thycotic’s enterprise information security architect.

  3. Smartphone apps for two-factor authentication

Of course, users still have to authenticate themselves to the system at some point. Reducing the total number of logins means that this first login becomes more important.

Secure-24 uses two-factor authentication to securely identify users but here, as well, the company is working to make the process simpler.

In the past, the second factor was typically a key fob – RSA SecurID or Vasco Digipass, depending on client preferences. That worked out well for those employees who kept their fobs on their key chains.

“How would they get to work if they didn’t have their keys?” says Secure-24’s Zehnder. But some employees kept theirs on lanyards, which were easier to forget at home.

Plus, telecommuters might not have their keys on them while working. “I usually have my phone with me, but I don’t usually have my keys with me,” says Zehnder.

The company is now moving away from the key fobs to apps that run on iPhones and Androids. “I notice that there are more numbers too – our soft tokens have an eight-digit PIN, and before it was only six,” he adds.

The phone-based systems can be quite a bit less expensive, as well, he says. Secure-24 used to buy big racks of key fobs, at around $100 each. “For these tiny little key fobs,” Zehnder says. “One client that had to use them with our technology would get very angry every time someone lost theirs because it was expensive to replace. The app is free – so it’s quite a bit cheaper.”

Plus, if a phone is lost, it’s easy to disable the app remotely, he adds. And now there’s even more good news for fans of smartphone-based second factor systems. As part of the iOS update in September, Apple has opened its Touch ID fingerprint sensor to third-party developers.
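The soft tokens Zehnder describes are, in most deployments, time-based one-time passwords (RFC 6238): the phone and the server share a per-device secret and each computes the same code from the current 30-second window. The Python below is an added example, not code from Secure-24, RSA, Vasco or any vendor on this page. It implements the RFC 6238 algorithm over the standard library, shows the six- versus eight-digit difference he mentions, and models “disabling the app remotely” as deleting the device’s enrolled secret from a server-side registry. The `SoftTokenRegistry` class, its clock-skew window, its replay check and the enrollment helper are assumptions of this example; the only real values are the RFC 6238 test secret and its published codes.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def new_provisioning_secret() -> str:
    """Random base32 seed to hand to the phone app at enrollment (one per device)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


class SoftTokenRegistry:
    """Server side (assumed design): which (user, device) pairs are enrolled and the
    last counter each one used. Revoking a lost phone is simply dropping its secret."""

    def __init__(self, digits: int = 8, window: int = 1):
        self.digits = digits
        self.window = window        # accepted clock skew, in time steps either side
        self._secrets = {}          # (user, device_id) -> secret bytes
        self._last_counter = {}     # (user, device_id) -> last accepted counter

    def enroll(self, user: str, device_id: str, base32_seed: str) -> None:
        self._secrets[(user, device_id)] = base64.b32decode(base32_seed)
        self._last_counter[(user, device_id)] = -1

    def revoke(self, user: str, device_id: str) -> None:
        """Remote disable: the phone keeps generating codes, but none will verify."""
        self._secrets.pop((user, device_id), None)
        self._last_counter.pop((user, device_id), None)

    def verify(self, user: str, device_id: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get((user, device_id))
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False
        counter = unix_time // STEP_SECONDS
        for skew in range(-self.window, self.window + 1):
            candidate = counter + skew
            if candidate <= self._last_counter[(user, device_id)]:
                continue  # already consumed: a replayed code is rejected
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_counter[(user, device_id)] = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1 column
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, 8), totp(rfc_secret, 59, 6))  # 94287082 287082
    reg = SoftTokenRegistry(digits=8)
    reg.enroll("zehnder", "iphone", base64.b32encode(rfc_secret).decode())
    print(reg.verify("zehnder", "iphone", "94287082", 59))    # True
    print(reg.verify("zehnder", "iphone", "94287082", 70))    # False: replay
    reg.revoke("zehnder", "iphone")
    print(reg.verify("zehnder", "iphone", totp(rfc_secret, 90, 8), 90))  # False: revoked
```

Two details matter for a defender: the comparison uses `hmac.compare_digest` so verification time does not leak how many leading digits matched, and the registry remembers the last accepted counter so a code captured from a user cannot be replayed within the same window.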

“I wouldn’t be surprised to start seeing password apps that use your fingerprint to generate a random password or random code,” says Charles Tendell, founder of security consulting firm Azorian Cyber Security. “And with it being simpler, we’ll see more widespread adoption.”


This area of security technology is evolving quickly, says Maria Horton, founder of EmeSec, a security consultancy. Horton was previously the CIO for the National Naval Medical Center and now works with a number of federal agency clients.

The financial sector is going to be very influential when it comes to the development of this technology, and the government sector will also be a significant player.

Two years ago, the main issue at the federal government level was knowledge sharing, she says. “But part of the knowledge sharing was difficult because of identity access control,” she says. So, this spring, a new initiative was launched around identity credentialing and management.

“It’s in the aspirational stages,” she says, but the federal government is recognizing that this is an issue, and has begun exploring potential strategies.

“I think you will have a handful of winners,” she says. “If we ever try to go to a single winner, we’ll actually increase risk in the system because that winner will be targeted – and also because then there’s no reason to increase functionality or capability.”

  4. Privileged users first

Converting an entire organization to a new password management or authentication system can be extremely difficult, especially when users have to change their behaviors.

Ken Ammon, chief strategy officer of Virginia-based security vendor Xceedium, suggests that companies start with their privileged users first. It’s a smaller group, and improving security here will have the biggest return on investment.

For example, some companies use role-based access, or have multiple people sharing the same administrator account, or allow root users. “There’s no way to tell who’s doing what,” he says.

If a hacker gets into a company’s systems, and is able to worm their way to those credentials, they can also do a significant amount of damage.

In fact, that’s exactly what happened with many of this year’s top security breaches, including the eBay breach earlier this year, where hackers made off with about 145 million user records.

Cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s customer database, eBay reported in a statement.

  5. Passphrases instead of passwords

Another relatively simple place to start is to move away from the standard password type – eight characters, with symbols, numbers, and capital letters – and instead allow your users to have long but easy-to-remember passphrases.

“Based on all the training we have given our users over the past few years, the only good passwords are ones that they can’t remember,” says Keith Palmgren, member of the cyber defense curriculum team at SANS. “A longer password, something you can remember easily – like ‘i went fishing last saturday night’ – is a very good password even if it’s all lower case. It’s not going to show up in any hacker’s dictionary. If a company that’s trying to do the right thing can’t afford to move to the two-factor, token-based or biometric authentication systems, they should take a closer look at their password policies and start changing them up a little bit and making them a little bit more realistic.”
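Both Markos, in the Rotary section above, and Palmgren make the same argument: against brute-force guessing it is length, not the mix of character classes, that does the work. The Python below is an added example, not from SANS, Rotary or any vendor on this page. It puts numbers on that claim by comparing the search space of an eight-character “complex” password with a long lowercase phrase, and sketches a length-first policy check of the kind Palmgren recommends. The `check_passphrase_policy` function, its 16-character minimum, the small common-phrase list and the guess rate used in the usage call are all constructed for this example.

```python
import math
import string

# Class alphabets for the comparison (assumption: an attacker who cannot see the
# password has to search the whole class the policy allows).
LOWERCASE_AND_SPACE = 27
PRINTABLE_ASCII = 94          # 26 + 26 + 10 + 32 punctuation, no whitespace


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def alphabet_size_of(password: str) -> int:
    """Smallest class alphabet that contains every character in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 symbols
    if " " in password:
        size += 1
    return size


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every string in a space of 2**bits at a constant guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(password: str, passphrase: str, guesses_per_second: float) -> dict:
    """Side-by-side search-space figures for a short complex password and a phrase."""
    report = {}
    for label, pw in (("password", password), ("passphrase", passphrase)):
        size = alphabet_size_of(pw)
        bits = search_space_bits(len(pw), size)
        report[label] = {
            "length": len(pw),
            "alphabet": size,
            "bits": round(bits, 1),
            "years_to_exhaust": years_to_exhaust(bits, guesses_per_second),
        }
    return report


# Constructed stand-in for the "hacker's dictionary" Palmgren mentions; a real
# deployment would use a large breached-password and common-phrase list.
COMMON_PHRASES = {"password", "letmein", "qwerty123", "iloveyou", "welcome to the jungle"}


def check_passphrase_policy(candidate: str, min_length: int = 16, blocklist=COMMON_PHRASES):
    """Length-first policy (assumed): no composition rules; reject short or well-known
    phrases. Returns (accepted, reason)."""
    # Normalize case and spacing so a blocklisted phrase is caught in any spelling.
    normalized = " ".join(candidate.lower().split())
    if len(normalized) < min_length:
        return False, f"shorter than {min_length} characters"
    if normalized in blocklist:
        return False, "appears in common-phrase list"
    return True, "ok"


if __name__ == "__main__":
    # 1e9 guesses/second is a constructed figure for illustration only.
    for label, row in compare("Tr0ub4d0r&3", "i went fishing last saturday night", 1e9).items():
        print(f"{label:10s} len={row['length']:2d} alphabet={row['alphabet']:2d} "
              f"bits={row['bits']:6.1f} years={row['years_to_exhaust']:.3g}")
    for pw in ("P@ssw0rd", "Welcome To The Jungle", "i went fishing last saturday night"):
        print(pw, "->", check_passphrase_policy(pw))
```

The point the numbers make is the one Markos and Palmgren are making in words: eight characters drawn from all 94 printable ASCII symbols is roughly 52 bits, while a 34-character lowercase phrase is over 160 bits, so the phrase is out of reach of exhaustive guessing even though it contains no capital, digit or symbol. The blocklist check is what keeps “easy to remember” from sliding into “already in the dictionary”.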

Another thing that companies can do is offer their employees the use of personal password management tools, so that they aren’t tempted to use the same passwords at work as they do on personal websites.

Palmgren uses LastPass. “I have an online banking password that is 30-some characters in length,” he says. “It is highly complex and I don’t need to remember it because LastPass does it for me.”

Some companies have begun getting the enterprise version of LastPass for their employees, he says. LastPass is a cloud-based service that works in conjunction with a locally installed desktop or smartphone app that handles the encryption.

“The only thing stored on our servers is the encrypted blob for which we don’t have the key,” says LastPass spokeswoman Cid Ferrara.

More than 5,500 organizations use LastPass, she says, from small and midsize companies to Fortune 500s. Work and personal passwords are kept separate, but are linked so that users don’t have to switch between their personal and work LastPass accounts.

Companies can use the platform in combination with a wide array of second-factor authentication technologies or with SAML-based single sign-on systems.

It allows companies to manage the members of a team who, say, share access to accounts. These shared password folders are one of the main differences between the consumer and enterprise versions of the service.

“You might have a team of five marketers, but they all need to share that credential,” she says. “Shared folders can do that securely, without losing any trackability.”

Korolov is a freelance writer. She can be reached at