Organizations must adopt a password policy that can actually be implemented, or stop wasting valuable operational and management time and resources on complex, archaic, and insecure systems in the enterprise. There are supplements that strengthen passwords, and many of them can be put in place before any technology is deployed.
META Trend: Driven by compliance and cost, organizations will focus on identity as a business asset. Identity management will continue to confuse, but grow, as more organizations spawn projects around identity infrastructure (e.g., enterprise directories, Web SSO) and user life-cycle management. Web services (2005/06) will expand identity to non-person users and exacerbate the need for identity solutions. Identity infrastructure will be incorporated into application infrastructure "stacks," incorporating finer-grained authorization (2004-06), and cease as a standalone market (2006/07). User life-cycle management will draw closer to other operations functions (2006/07).
Essential Problems With Passwords
Passwords have represented a basic information security problem for decades. Built into operating systems and later, with the advent of client/server and Web applications, into application environments themselves, they were provided in conjunction with an “identifier” (e.g., an ID) as the basis for authentication. Unfortunately, each operating system and application environment has seen fit to implement passwords differently. Therefore, a common method for handling them has been elusive. The rapid proliferation of Web applications, different classes of users (e.g., contractors, business partners), and client types (e.g., laptops, kiosks, personal digital assistants, mobile phones) has exacerbated the problem. Various attempts to address this problem have resulted in the birth of the enterprise single sign-on (SSO) market (see Figure 1), the password synchronization market (see Figure 2), and the Web SSO market.
Our research finds that most IT organizations (ITOs) are deploying an “identity infrastructure” that abstracts authentication services into the infrastructure for many applications, using directories and Web SSO products to deliver basic capabilities. However, technical infrastructure does not solve the problem of passwords faced by most enterprises. Password policy is part of a comprehensive security policy driven by specific business requirements, which are in turn driven by the value of the information accessed. Many enterprises either devote too much time developing convoluted policies and practices for access to applications and resources that do not require significant protection, or spend too little time protecting key applications with those same policies or strengthening passwords when really needed in cost-effective ways (see Figures 3 and 4).
How Many Passwords Are Enough, and How Few?
Unfortunately, password engineering obscures key issues of authentication and authorization for enterprises. ITOs focus on immediate tactical means to relieve problems, administering or managing them without addressing fundamental security concerns. For example, both Liberty Alliance and Web Services Federation technical specifications attempt to address federated identity where a common password (whether generated by a human or electronically) may ultimately be used to access multiple applications and resources. However, if such applications require varying degrees of privilege to access them, the authentication service must seamlessly integrate with an authorization service to provide the necessary checks and balances.
ITOs are now evaluating the relationship of the authentication service per “group” or domain of applications to the authorization service per application, to determine the appropriate ratio based on their security architecture requirements. To a large extent, this can determine the role of SSO in their enterprises.
During the past two years, our research has found that more than half of the evaluated customer password implementations and policies are not working for customers. Password policies frequently do not match the classifications of data or services in the enterprise. Password procedures do not reflect the trust levels assigned to the security domains. There are inadequate processes, skill sets, training, tools, awareness, and communication among all levels of business and the ITO that would meet success criteria. Many businesses and agencies have been cited by their respective auditing firms for non-compliance with specific new and existing regulatory privacy, financial, and security-related requirements (see Figure 5). This adds up to a high risk for the customer in more than one area of concern.
One-Time Password (OTP) Potentials
The February 2004 announcement of RSA’s SecurID for Microsoft Windows underscores the growing trend by many to consider the use of OTPs as supplements to enhance password authentication or as replacements for traditional password authentication. The limiting factor of this and other methods of password replacement or supplement (e.g., soft tokens, smartcards, biometrics, certificate-based systems) has been the cost of implementation. Even the simplest form of token authentication for a 1,000-user implementation could carry a life-cycle cost over five years of between US$30-US$50 per user/year, depending on maintenance and integration costs. Such answers do not provide comprehensive authentication solutions for the complete application portfolio, only the most basic answers. Customers should consider such alternatives, but not as a complete replacement strategy for passwords. Much remains to be done in planning and process before making such a move.
Identity and access management has become a major security item for many ITOs. Identity management is actually a collection of multiple functions aimed at administering and managing identities, of which IDs and passwords are part. Password management and administration are significant subcategories ITOs will face for project prioritization, along with user provisioning, workflow, and auditing. This reflects how far passwords have come from the days when they were considered a nuisance by customers and a headache by help desks and administrators. It also provides direction to customers regarding who should be involved in the decision processes for password planning, processes, engineering, tool selection, training, communication, and management. It is not just the purview of operations or security administration. In fact, with the advent of Web services security, increasing attention will be paid by applications on just how a common authentication method will ultimately work across multiple platform environments. Until then, whether we like it or not, passwords still represent the first line of defense enterprises have for authenticating access to critical IT assets.
Bottom Line: There are plenty of good password practice templates and good password policy models in print. First, enterprises must put password planning in the right place - where information security values access to critical assets. Password policy should reflect data classification, domain structuring, and trust management. Comprehensive password solutions will not just be packages for help desk relief or administering synchronization, but will also be part of information security architecture that addresses authorization and SSO.
Business Impact: The effort put into password planning, policy, and practice should match the quality and value of the secrets they protect.
META Group originally published this article on 29 June 2004.