Five Password Tips for Securing the New WFH Normal | Threatpost

The shift to working from home is pushing system administrators to adjust to a new security normal. This includes new, high-profile challenges, such as the adoption of cloud applications, remote access to digital assets, and remote client support, to name a few.

That said, good old-fashioned password security remains central to managing perimeter access, identity management, and securing a company’s digital crown jewels. This traditionally on-premises practice now has some new, off-premises complications.

Darren James, product specialist with Specops Software, warned that password resets, for example, are a particularly vexing issue for sysadmins, as they can often lock out end-users from their accounts. He said the issue crops up when passwords are reset manually for remote workers.

“The problem lies in the local cached credentials. Normally, they allow users to be verified for authentication when a Domain Controller cannot be reached,” wrote James in a recent blog post. “When working remotely, it creates a problem when the password is changed or reset. The old credentials will still be cached, [and] not automatically replaced by the new credentials using the new password.”

This results in workers being locked out of their accounts: “[They] end up in a scenario where they need to remember both the old password and the new password,” he said.

James said there are a number of workarounds for the problem, but also pointed out that self-service password-reset tools can alleviate the headache. Specops, for instance, offers enterprise password reset for remote users.

“Our password-reset tool allows users to securely reset their Active Directory passwords right from the Windows logon screen,” he wrote. He said the Specops tool avoids account lockouts by updating the local cached credentials, even when a Domain Controller cannot be reached.

The firm also offers a number of free password-management solutions, which brings us to our first password tip for securing the new work-from-home (WFH) normal.

Tip 1: Use Free Password-Management Tools

Specops offers two free password-management utilities – Specops Password Auditor and Password Expiration Notification Email. The latter works, as its name suggests, by automatically sending users a reminder to change their password before it expires. Specops Password Auditor, meanwhile, scans a company’s Active Directory and identifies password-related vulnerabilities. “The collected information generates multiple interactive reports containing user- and password-policy information,” according to the product description.

Tip 2: Lock Down Device Passwords

As more internet of things (IoT) devices invade our home offices – from security cameras and cloud-connected printers to smart lightbulbs, thermostats and digital assistants – password hygiene has moved beyond conventional desktops, smartphones and laptops. Experts recommend making sure devices are not left with factory settings that expose easy-to-crack, simple or default passwords. Many attacks against home-network devices have come in the form of credential-stuffing attacks or the targeting of known security vulnerabilities. Default credentials, meanwhile, are used by hackers to compromise poorly managed cable modems, routers and network-attached storage (NAS) devices.

Tip 3: Use Free Password Tune-up Tools

Forrester Research estimates that of the 43 percent of breaches tied to external attacks, 29 percent involve the use of stolen or leaked credentials. To prevent this, employees can check whether their credentials have been stolen using the free service Have I Been Pwned. This will let them know if any of their email addresses and passwords are part of a past data breach. Also, a handy, free, in-browser tool is accessible through Google’s Chrome web browser. Visit the Chrome browser’s Settings menu, select “Passwords” and then click on “Check Passwords.” The Chrome tool will scan the browser’s Saved Passwords area and report back how many have been compromised online.
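As an added illustration (not part of the article, and not code from Have I Been Pwned), the following shows how a breached-password check of the kind the Pwned Passwords service offers can be done without revealing the password: only the first five hex characters of its SHA-1 hash are sent, and the remaining 35 are compared locally against the returned "SUFFIX:COUNT" lines. The breach corpus and its counts are constructed here so the check runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus with made-up counts (plaintext only
# so the sample can be built offline; the real service stores only hashes).
_SAMPLE_BREACHED = {"password": 3000, "123456": 20000, "qwerty": 900}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Group hashes by their 5-char prefix: prefix -> [(35-char suffix, count)]."""
    index = defaultdict(list)
    for plaintext, count in corpus.items():
        digest = sha1_hex(plaintext)
        index[digest[:5]].append((digest[5:], count))
    return index


_RANGE_INDEX = build_range_index(_SAMPLE_BREACHED)


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real endpoint answers with one 'SUFFIX:COUNT' line per hash that shares
    the prefix; this returns the same text format built from the sample corpus.
    """
    assert len(prefix) == 5, "only the 5-char prefix ever leaves the client"
    return "\r\n".join(f"{s}:{c}" for s, c in _RANGE_INDEX.get(prefix, []))


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """Return how often the password appears in the corpus (0 if never seen).

    The hash suffix is never sent; it is matched against the returned lines
    locally, so the lookup service cannot learn which password was checked.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0
```

Swapping `fake_range_lookup` for an HTTP GET against the real range endpoint gives the same client-side logic the online check uses.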

Tip 4: Boost Your Zero-Trust Strategy

Zero-trust security is IT jargon for requiring strict identity verification for any employee or device requesting to access company resources – whether they are sitting within or outside of the network perimeter. Two zero-trust solutions for credential management are multi-factor and two-factor authentication (MFA and 2FA). MFA can include biometric solutions where a password is coupled with facial or fingerprint verification. 2FA requires a user to enter their username and password for account access, and then input a time-sensitive passcode sent to a separate device.

Tip 5: Crack Down on Password Reuse

It’s common sense that using different passwords for different accounts is a safety best practice. And yet, 65 percent of users still use the same passwords for their personal and work accounts, according to a recent survey conducted by Google. A separate study by LastPass found that the average person reuses each password as many as 14 times. This lax security practice swings the door wide open for hackers. If a miscreant can crack one account password, there’s a good chance multiple accounts of the same user can be accessed as well.

While a cure for password reuse isn’t nearly as clear as the problem itself, a 2018 study by Indiana University (IU) found that part of the solution involves IT managers setting policies that mandate longer and more complicated passwords.

“Passphrase requirements, such as a 15-character minimum length, deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites,” according to the study. The premise is that the longer and more random the password or phrase, the harder it is to remember and reuse.

Long passwords might be one way to go. However, the National Institute of Standards and Technology (NIST) warned in a January report that the more cumbersome the password and password policy is, the more employee productivity will take a hit – which ultimately leads to poor password hygiene as people take shortcuts to get their work done.

In other words: Striking the right password/security parameter balance is key.

WFH Password Management: Not Going Anywhere

As restrictions slowly lift for people to return to their offices, it is clear that remote IT management of employees and their passwords will continue. According to a recent Gartner study, three-quarters (74 percent) of companies that sent workers home earlier this year plan to have a portion of that workforce remain remote indefinitely.

Passwords will continue to be a critical component in maintaining a strong security posture. And the best way for security teams to free up IT resources is to keep a firm handle on password security, James said.