Build a Strategy for Password Management

Sam has just been locked out of Box. He thought he had memorized the string of numbers, letters, and symbols exactly right, but after three unsuccessful attempts his access has been revoked and he needs an important document for a team deadline, forcing him to send a password reset request and wait for the IT team to help. It was once much easier when his password was the same simple phrase he’s always used, but new IT policies have required unique, more complex passwords across all applications.

This is a common scenario — one that could be fixed with better password management across the organization. Given that 81% of all hacking-related breaches leveraged either stolen and/or weak passwords, IT teams are right to put more stringent policies in place. But for today’s employees there’s enough to remember without needing to stay on top of endless credentials across multiple applications and devices. This means employees are prone to using easy-to-remember (and therefore weak) passwords, repeating passwords, or simply sending help desk tickets each time they forget — a huge time sink for IT teams that reset them. 

While passwords certainly offer a layer of protection to safeguard important tools and data, finding a robust solution for these productivity and security headaches has become mission critical for today’s enterprises.

The issue with password managers

Password managers act as a central storage hub for a user’s variety of usernames and passwords. While they help by reducing the number of credentials that need to be remembered, they aren’t a silver bullet. 

Password managers are prone to human error. Forgetting to log out, using a weak master password, and failing to implement features like two-factor authentication expose protected passwords to risk. In addition, online password management services have been found to have issues in the past when serious flaws jeopardized the security of the passwords they store. Enterprises therefore require a cohesive, considered password management strategy to mitigate this risk.

Building the foundation of an effective password management strategy

A password management strategy allows companies at any stage of the cloud journey to evaluate their current password processes and identify how best to safeguard passwords in the future. The broad objectives of a password management strategy should be to provision airtight security while improving usability and reducing infrastructure pressure-points. 

Start by identifying and reviewing any current internal policies for password management. Help desk logs can expose organizational password issues and reveal both the complexities of current policies and the applications that trigger the most reset requests. At this stage, it’s also important to understand which usability elements signal strong user-adoption, and how you can increase the robustness of password security by introducing expiration policies. 

According to our 2018 Businesses @ Work report, the typical organization in the Okta Identity Cloud enforces the following password policies:

1. A minimum length of eight characters
2. At least one lowercase letter, one uppercase letter and a number
3. A maximum of ten password attempts before locking a user out of his / her account
4. Recovery tokens expiration period is set at one hour
5. Prohibit any password that includes the username

And while this creates a strong starting point, it’s just the beginning of a strong password management strategy.

Two simple solutions for better security

Cloud IAM solutions do the heavy lifting for organizations, simplifying password management and offering a host of other benefits which include mobile availability, increased productivity, and the option to connect thousands of devices with countless apps in a secure and efficient way.

A single sign-on solution can encourage strong adoption by offering unrivalled ease-of-use and simplicity. Okta’s own Single Sign-On makes user login times 50% faster by giving employees one single point of access to every web and mobile app they need. Consequently, it also reduces login-related helpdesk calls by 50%. 

The second critical component is adding a second factor. Multi-factor authentication (MFA) should also be part of every password management strategy. As password guessing algorithms become more and more sophisticated, organizations need to round out their password management strategies by requiring strong passwords and enforcing MFA on all logins — whether that means adding a secondary email, text, or voice one-time password (OTP) or a push notification via an app like Okta Verify. MFA is also required for various compliance regulations, such as NIST.  

The last phase of a solid password strategy is ongoing review and refinement. Organizations must assess the impact of the new strategy by performing health-checks on a regular basis. Based on what information these yield, IT teams can assess what pain points still exist and drive greater user adoption and overall company security.

Looking for tips for implementation and adoption across your team? Download Okta’s Adoption Toolkit here.

Effective password management in practice

A strong and secure password management policy can be a challenge for organizations of any scale. Defined, research-driven password management policies represent half the battle, but true success lies in the execution. For example, by giving their end-users just one set of credentials to remember, Envision Healthcare nearly eliminated all password resets for their IT admins—a problem that previously cost them $100K annually.

Implementing a cloud based IAM password management strategy is straightforward. With Okta, you’re up and running on day one, with every app and program you use to work instantly available as all the heavy lifting has already been taken care of. The process is as simple as adding your apps, adding your users and then launching.