Password policies alone cannot mitigate all attacks against passwords, so there is limited value in aiming for a perfect set of rules.
Nevertheless, according to Ant Allan, research vice president at Gartner, IAM leaders are still being drawn into lengthy discussions about what a corporate password policy should look like, resulting in no significant improvements in security, and diverting time and effort away from other initiatives. “Password policies alone cannot mitigate all attacks against passwords, so there is limited value in aiming for a perfect set of rules,” Allan says. “That time and effort would be better invested in assessing and implementing the technical controls that can more effectively mitigate the likelihood, or impact, of the majority of identity-related breaches.”
Instead of focusing on the perfect policy, IAM leaders should set strict limits on the time allocated to policy creation, review and revision. Here there are two equally important steps to consider. The first is to agree on rules that meet applicable regulatory and audit requirements, respect user experience (UX) needs and can be feasibly implemented and enforced. The second is to craft a policy document that sets out the rules and responsibilities in clear, straightforward language.
IAM leaders should assess the benefits of compensating controls that can mitigate the risks of password exposure in the first place, and of the risks posed by exposed passwords.
Of course policy alone cannot mitigate all attacks against passwords. Most risks are more effectively alleviated by technical controls or more robust authentication methods. Gartner predicts that, through the end of 2020, enterprises that invest in new authentication methods and compensating controls will experience 50% fewer identity-related security breaches than peers that do not.
IAM leaders should assess the benefits of compensating controls that can mitigate the risks of password exposure in the first place, and of the risks posed by exposed passwords. Some of these controls can provide other significant security benefits, and implementation can likely be justified on those benefits alone. A secure email gateway (SEG), for example, can help combat phishing attacks. Other controls are specific to password risks, and the decision to implement should be made on a cost-benefit basis. More robust authentication methods could include two-factor authentication (2fa), also known as multifactor authentication (MFA), such as one-time password (OTP) hardware tokens that add a second factor to an existing password.
Others, such as (single-factor) biometric methods or (two-factor) PIN-protected public-key authentication tokens, can eliminate legacy passwords altogether. Such methods, however, come at a significant expense, not only the cost of hardware tokens, biometric sensors and infrastructure licenses, but also the cost of implementation and ongoing administration and support - not to mention the financial and cultural costs that arise from inconvenience, latency, workforce resentment etc.
“In terms of the business case, if the estimated risks or actual losses experienced by an enterprise are acceptably low, then the benefit of switching is not compelling,” Allan says. “Prudent IAM leaders will nevertheless seek to implement higher-trust authentication for higher-risk people, such as system administrators and those who handle sensitive or critical data, as well as higher-risk use cases, such as remote access to a corporate network. In some cases, regulatory or audit requirements will compel them to do so.” Newer authentication methods, such as mobile push and methods based on FIDO authentication protocols, offer better user experience and lower cost than legacy 2fa methods, lowering the cost of switching and putting “2fa for all” within reach of many more enterprises.