As the global pandemic prompted organizations worldwide to implement huge work-from-home programs, we reached out to offer help with securing the newly created remote-access channels with multifactor authentication (MFA) through our Defender product. We knew that Defender would be a great fit: easy to configure and quick to deploy. We also knew that it could reduce complexity in a time of crisis. The response was overwhelming, as IT departments around the world deployed Defender to protect their scaled-up VPNs and remote access solutions.
Now we turn to the other factor: the passwords. These are still ultimately the keys to the kingdom, and protecting, securing and managing them is critical from both a security and an access perspective. We use passwords not only to keep attackers away from corporate resources, but also to let our colleagues do their jobs, reach the systems they need and get the information they require.
Expanded access and potential attack surface
A compromised password is always costly – and the stakes are higher than ever. What you may not realize, however, is that the remote access you just rolled out created a whole new attack surface for your organization. Attackers no longer have to get past the physical security of your office buildings; as long as they hold valid credentials, they can reach your corporate network and everything on it. Given the billions of credentials stolen from organizations in large data breaches, we recommend changing the passwords of all remote workers as the work-from-home program is rolled out.
And with the recent revolution in password policy guidelines, now is the best time to implement these in your organization, too. If you want to know more about the recent shift in password security, here’s a summary:
Industry recommendations, like the NIST-published Digital Security Guidelines and the Microsoft Security Baseline, now recommend dropping password expiration policies, removing complexity rules, and asking for longer passwords.
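To make the shift concrete, the following is an added example (not code from this page or from One Identity's products) that checks a password against a legacy rule set and against a NIST-style rule set of the kind the summary above describes. The 15-character minimum, the 90-day legacy expiry and the small compromised-password list are constructed assumptions; the blocklist check stands in for the "hint of compromise" that triggers a change under the newer guidance.

```python
"""Legacy versus NIST-style password policy checks (illustrative, added example)."""
import re
from datetime import date
from typing import List

# Constructed sample standing in for a breached-password corpus (assumption).
KNOWN_COMPROMISED = {"Password1!", "Summer2020!", "Welcome123!"}

LEGACY_MAX_AGE_DAYS = 90     # assumed legacy rotation interval
NIST_MIN_LENGTH = 15         # assumed organizational minimum for the new policy


def legacy_policy(password: str, last_changed: date, today: date) -> List[str]:
    """Traditional rules: 8+ characters, three of four character classes, 90-day expiry.
    Returns the list of violations (empty list means the password is accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("too short (<8)")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("needs 3 of 4 character classes")
    if (today - last_changed).days > LEGACY_MAX_AGE_DAYS:
        problems.append("expired (>90 days)")
    return problems


def nist_style_policy(password: str, compromise_hint: bool = False) -> List[str]:
    """Newer rules: a length floor only, no composition rules, no scheduled expiry.
    A change is required only when the password is on a compromised list or
    some other compromise signal has been reported."""
    problems = []
    if len(password) < NIST_MIN_LENGTH:
        problems.append(f"too short (<{NIST_MIN_LENGTH})")
    if password in KNOWN_COMPROMISED:
        problems.append("appears in compromised-password list")
    if compromise_hint:
        problems.append("compromise indicator reported; rotate now")
    return problems


def compare(password: str, last_changed: date, today: date) -> dict:
    """Evaluate one password under both policies side by side."""
    return {"legacy": legacy_policy(password, last_changed, today),
            "nist_style": nist_style_policy(password)}


if __name__ == "__main__":
    # A "complex" but breached password passes the legacy rules and fails the new ones;
    # a long, lowercase passphrase fails the legacy rules and passes the new ones.
    print(compare("Summer2020!", date(2020, 4, 1), date(2020, 5, 1)))
    print(compare("lighthouse canyon pretzel umbrella", date(2019, 1, 1), date(2020, 5, 1)))
```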
One Identity Password Manager can help solve your password challenges. Password Manager is a self-service management portal where all users can unlock their accounts, and reset or change their passwords without involving IT support. Like our Defender solution, Password Manager is easy to deploy, and the ROI is nearly instant: the self-service portal immediately offloads the vast majority of password-related tasks that typically fall to your Help Desk team. So your IT staff can work on other, more important tasks.
Since Password Manager is a user-facing application, we put a lot of effort into making it easy to navigate. Every minute we spend fine-tuning the UX means hours saved in support phone calls, and that is why we just unveiled a redesigned user interface. While it is still in an opt-in phase, we encourage all organizations to switch to this cleaner, simpler UI.
Notably, our team at Quest-One Identity just did the same thing in-house. Through our use of Password Manager, we introduced new password policies that better address the threat environment and optimize user behaviors. We decided to expire all current passwords and prompt a company-wide password-update wave to migrate everyone to the new NIST- and Microsoft-recommended policies. We stopped expiring passwords and did away with the usual complexity rules, too. Instead, we asked our users to adopt longer passwords (or passphrases) and to change them only when we get a hint that they might be compromised.