Passwords are certainly in the spotlight these days. After years of being virtually ignored, there are now entire efforts, such as the U.S. National Strategy for Trusted Identities in Cyberspace, that aim to improve password security and management, or even to eliminate passwords altogether in favor of some new, yet-to-be-discovered technology.
Nervepoint Technologies has been working at the forefront of password security and management for many years and is in a unique position to comment on the evolution of password security and the future of this bedrock principle of cybersecurity.
Lee David Painter has been on the front lines of password protection for more than two decades. In fact, Painter developed the world's first open-source browser-based SSL VPN, called SSL-Explorer, to beef up password-based security. Today, Painter runs Nervepoint Technologies, a leader in password self-service tools. FedScoop talked with him about a few ways the government could improve password security by thinking of it in a slightly different way.
Can you tell us a bit about Nervepoint Technologies and why the company was formed to work in the password protections field?
Painter: With so much of tech moving at such high pace, the password has never changed much in its application nor its use. So much of our world is still protected by passwords.
Having been in the security field for 20 years, we know how important it is to keep these seemingly inconsequential alphanumeric sequences secure.
We realized that despite the advancements, passwords were still being ignored and not properly managed, with sometimes convoluted processes in place just to get a password updated.
We wanted something to manage our passwords [and] allow us to securely reset or change our passwords when we needed it. It had to be simple to use, not just for the end users but also for the admin to set up and manage. This is why we released the first-ever password self-service product that is deployed as a virtual machine. No setup, no prerequisites, just upload and press play.
Why do you think that until very recently, government agencies, and most others, have mostly ignored password management and password security as part of their overall IT security planning?
Painter: I think there are a number of reasons, but one that I will highlight is the misunderstanding that passwords are not important.
Passwords are so widely used, and almost flippantly, without any consideration given to enforcing secure methods of setting, storing and even defining passwords. What we've done is expand our range of products from on-premise to cloud, all of which rely on passwords. So our most important systems are secured by passwords, which we continue to disregard as not important enough to be thoughtfully secured.
It’s almost now a reactionary process, rather than a planned risk mitigation process.
What are some of the biggest problems you have seen with password management and security after working in this field for many years?
Painter: Disparate password policies are quite an issue still, as is IT reducing security for C-level execs. Any policy, especially a security-related one, needs buy-in and adoption by everyone, including those at the top of the chain. Password issues account for such a large number of IT requests that government can be losing hundreds, if not thousands, of dollars and man-hours each month responding to them, and this is compounded for organizations that operate internationally, as many government agencies do.
Not only does this cause financial and productivity losses, but it is also the catalyst for some of the smaller issues we see users carry out, such as writing down passwords or using repeat passwords. So you end up with a distrustful workforce, where staff hate the long processes to do something so simple, and IT doesn't trust staff with their own accounts.
Are you saying that password management can be automated? How would that work and how would users be able to securely reset their passwords while keeping an organization safe?
Painter: Yes, password management can be automated and can improve overall security in government. Firstly, through a central point, they can manage passwords for Active Directory, Linux, Solaris, Google Apps and Azure AD Office 365 accounts. Just that convenience is compelling enough to see the security benefits.
Secondly, increased security through password expiration reminders so users don’t even get to the point where they need to reset their passwords.
Thirdly, they now have a system that enforces strict behavior: secure password policies and denial of reuse of old passwords, so you are combining the convenience of self-management with secure password policies.
Taking that security further, any access to your account to change or reset a user's password can be locked behind the secure multifactor authentication schemes that the government requires, so only the correct user is able to modify their own password, reducing the chance of identity theft.
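The three controls Painter describes for a self-service change (a multifactor gate, a password policy, and denial of reuse against stored history, plus an expiry reminder window) can be sketched as one check. This is an added illustration, not Nervepoint's or Access Manager's code; the policy numbers, the PBKDF2 work factor and the sample dates are constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

HISTORY_DEPTH = 5      # previous passwords a user may not reuse (assumed policy)
MAX_AGE_DAYS = 90      # password lifetime before it expires (assumed policy)
REMIND_DAYS = 14       # reminder window before expiry (assumed policy)
TODAY = date(2024, 3, 20)  # constructed "current" date for the demo

def hash_password(password, salt=None):
    # Fresh random salt per stored password; only salted digests go into history.
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def is_reused(candidate, history):
    # Re-derive the candidate under each stored salt and compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            return True
    return False

def policy_violations(candidate):
    # Constructed policy: 12+ characters drawn from at least three character classes.
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    classes = [any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems

def change_password(account, candidate, mfa_verified, today):
    # Self-service change: multifactor gate first, then policy, then history check.
    if not mfa_verified:
        return False, "multifactor step not completed"
    problems = policy_violations(candidate)
    if problems:
        return False, "; ".join(problems)
    if is_reused(candidate, account["history"]):
        return False, "matches one of the last %d passwords" % HISTORY_DEPTH
    account["history"].append(hash_password(candidate))
    account["last_changed"] = today
    return True, "changed"

def needs_reminder(account, today):
    # True inside the reminder window, and still true once the password has expired.
    remaining = (account["last_changed"] + timedelta(days=MAX_AGE_DAYS) - today).days
    return remaining <= REMIND_DAYS
```

The history holds only salted digests, so a reuse check never needs the old plaintext, and the multifactor gate is evaluated before any other work so an unauthenticated caller learns nothing about the policy or history.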
Does this also eliminate user errors, such as people using the same password over and over again?
Painter: Yes, and that is all too often an easy way out for users, and we take it further for Active Directory. We also take stock of any changes of passwords that happen outside of Access Manager's purview [Access Manager is a product of Nervepoint Technologies], and we keep an eye on Active Directory, so even if you used another app, we'll know of the change.