Build a Strategy for Password Management

Sam has just been locked out of Box. He thought he had memorized the string of numbers, letters, and symbols exactly right, but after three unsuccessful attempts his access has been revoked. He needs an important document for a team deadline, so he is forced to submit a password reset request and wait for the IT team to help. It was much easier when his password was the same simple phrase he had always used, but new IT policies now require unique, more complex passwords across all applications.

This is a common scenario, and one that could be fixed with better password management across the organization. Given that 81% of hacking-related breaches leveraged stolen or weak passwords, IT teams are right to put more stringent policies in place. But today's employees already have enough to remember without staying on top of endless credentials across multiple applications and devices. As a result, employees are prone to using easy-to-remember (and therefore weak) passwords, reusing passwords across applications, or simply filing help desk tickets each time they forget, which is a huge time sink for the IT teams that reset them.

While passwords certainly offer a layer of protection to safeguard important tools and data, finding a robust solution for these productivity and security headaches has become mission critical for today’s enterprises.

The issue with password managers

Password managers act as a central store for a user's many usernames and passwords. While they help by reducing the number of credentials that need to be remembered, they aren't a silver bullet.

Password managers are still exposed to human error. Forgetting to log out, choosing a weak master password, and failing to enable features like two-factor authentication put every stored password at risk. In addition, online password management services have themselves had serious flaws in the past that jeopardized the security of the passwords they store. Enterprises therefore need a cohesive, considered password management strategy to mitigate this risk.

Building the foundation of an effective password management strategy

A password management strategy allows companies at any stage of the cloud journey to evaluate their current password processes and identify how best to safeguard passwords in the future. The broad objectives of a password management strategy should be to strengthen security while improving usability and reducing pressure on infrastructure and the help desk.

Start by identifying and reviewing any current internal policies for password management. Help desk logs can expose organizational password issues and reveal both the complexity of current policies and the applications that trigger the most reset requests. At this stage, it's also important to understand which usability elements signal strong user adoption, and how expiration policies affect the robustness of password security. Apply expiration with care: forcing users to rotate passwords on a fixed schedule tends to push them toward predictable variations of the old password, so expiring a password in response to a suspected compromise is more useful than expiring every password every few months.

According to our 2018 Businesses @ Work report, the typical organization in the Okta Identity Cloud enforces the following password policies:

  1. A minimum length of eight characters
  2. At least one lowercase letter, one uppercase letter and one digit
  3. A maximum of ten failed password attempts before the account is locked
  4. Recovery tokens that expire one hour after they are issued
  5. Rejection of any password that contains the username
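To make the five rules concrete, here is an added reference implementation of them (example code written for this article, not Okta's own policy engine): a `PasswordPolicy` checker for rules 1, 2 and 5, a `LockoutTracker` for rule 3, and a `RecoveryToken` with a one-hour lifetime for rule 4. The class and method names are assumptions chosen for illustration; the thresholds are the ones listed above.

```python
"""Added example: enforce the five baseline password rules listed above.

Class and method names are illustrative assumptions; the thresholds
(8 characters, 10 attempts, 1 hour) are the ones given in the article.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class PasswordPolicy:
    """Rules 1, 2 and 5: length, character classes, and no username inside."""
    min_length: int = 8
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    forbid_username: bool = True

    def violations(self, password: str, username: str) -> List[str]:
        """Return every rule the candidate breaks; an empty list means accepted."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        # Case-insensitive check so "Sam12345x" is rejected for user "sam".
        if self.forbid_username and username and username.lower() in password.lower():
            problems.append("contains the username")
        return problems


@dataclass
class LockoutTracker:
    """Rule 3: lock the account after max_attempts consecutive failures."""
    max_attempts: int = 10
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked: Set[str] = field(default_factory=set)

    def record_failure(self, username: str) -> bool:
        """Count a failed login; return True once the account is locked."""
        if username in self._locked:
            return True
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= self.max_attempts:
            self._locked.add(username)
        return username in self._locked

    def record_success(self, username: str) -> None:
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(username, None)

    def is_locked(self, username: str) -> bool:
        return username in self._locked

    def unlock(self, username: str) -> None:
        """Administrative unlock (what the help desk does after a reset)."""
        self._locked.discard(username)
        self._failures.pop(username, None)


@dataclass
class RecoveryToken:
    """Rule 4: a reset token that is only honoured within ttl_seconds of issue."""
    token: str
    issued_at: float
    ttl_seconds: int = 3600

    @classmethod
    def issue(cls, now: float = None) -> "RecoveryToken":
        issued = time.time() if now is None else now
        # 32 random bytes from the OS CSPRNG, URL-safe for use in a reset link.
        return cls(token=secrets.token_urlsafe(32), issued_at=issued)

    def is_valid(self, presented: str, now: float = None) -> bool:
        """Accept only an unexpired token, compared in constant time."""
        now = time.time() if now is None else now
        unexpired = now < self.issued_at + self.ttl_seconds
        return unexpired and secrets.compare_digest(self.token, presented)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Password1", "sam12345", "Sam12345x"):
        print(candidate, "->", policy.violations(candidate, "sam") or "accepted")
```

Note what the checker accepts: `Password1` satisfies all five rules for user `sam`, which is exactly why the article treats these rules as a floor rather than a finished strategy. A practitioner would add a check against a list of known-breached passwords and pair the lockout with monitoring, since ten attempts per account still leaves room for slow password spraying across many accounts.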

This is a sound starting point, but it is only the beginning of a password management strategy.

Two simple solutions for better security

Cloud IAM solutions do the heavy lifting for organizations, simplifying password management and offering other benefits, including mobile access, increased productivity, and the ability to connect thousands of devices to countless apps in a secure and efficient way.

A single sign-on solution can encourage strong adoption by offe