Password / Credential management
- Robert Rybicki

- Feb 18, 2023
- 2 min read

What is it about?
Most organizations have many problems with credential management. Even where password changes are enforced (which is the good scenario), it is done without understanding the underlying risk and concepts.
People responsible for password complexity policies don't consider the psychological constraints that prevent people from remembering such passwords. This automatically leads to people writing them down or otherwise bypassing the purpose of setting complex, frequently changed passwords.

In case you didn't get it... people don't understand complex passwords, and complex passwords are not necessarily more secure.
Security Professionals need to realize that more complexity does not equal more security.
A more usable and reasonably secure password is a much better idea than a complex one being written on the sticker attached to the monitor.
Helping people remember their passwords, or providing them with additional usable forms of authentication, is very important. This is especially true for system administration personnel, who need to remember dozens if not hundreds of passwords for all kinds of enterprise systems.
If you don't provide them with a well-maintained, secure, and USABLE system to manage the different passwords for all the servers and devices, they will start reusing passwords. It's inevitable.
The idea of using a whole sentence (spaces included) as a password has surprised many of my non-technical friends with how effective it is, both for memorization and for security. Why does nobody think about it? :)
Another thing…
Why do you really need to change a password every month, or every three months?
Do you really think that forcing people to change their passwords every one or three months is making their passwords more secure? It is the opposite.
At some point, people will start writing them down or using very insecure, easy-to-guess rotation patterns, such as appending a digit and rotating it from 1 to 12 through the months of the year… please stop this practice; it's dangerous.
A well-chosen password changed every 6 to 12 months is more secure than an easy-to-guess pattern changed every month.
That is why using an enterprise-level password management application is crucial.
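The two points above (a sentence with spaces beats a short "complex" password for memorability at comparable strength, and month-to-month rotation patterns are trivially guessable) can be made concrete. The following is an added example, not code from the original post: it estimates guessing cost under two simple models and flags a password change that only bumps a trailing number. The 95-character printable ASCII set, the 7776-word vocabulary (the Diceware list size) and the edit-distance threshold of 2 are assumptions chosen for illustration, and the sample passwords are constructed.

```python
import math
import re

# Character classes for a rough brute-force estimate. The special-character
# count (33) is the printable ASCII punctuation set including space (assumption).
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),
]


def charset_entropy_bits(password: str) -> float:
    """Bits of work if an attacker must brute-force every character over the
    union of the classes actually present. Overstates strength for sentences,
    because a sentence is far from a uniformly random string."""
    space = sum(size for pattern, size in CLASSES if pattern.search(password))
    return len(password) * math.log2(space) if space else 0.0


def passphrase_entropy_bits(phrase: str, vocabulary_size: int = 7776) -> float:
    """Bits of work if the attacker knows the password is a sequence of words
    and guesses word by word. 7776 is the Diceware list size (assumption)."""
    return len(phrase.split()) * math.log2(vocabulary_size)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot near-identical 'new' passwords."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the change is only a bumped trailing number or suffix
    (Welcome01 -> Welcome02, Summer2023! -> Summer2024!) or when the two
    passwords are within a couple of edits of each other. A password-change
    policy can reject such 'new' passwords instead of accepting them."""
    stem = lambda s: re.sub(r"[\d\W_]+$", "", s).lower()
    if stem(old) and stem(old) == stem(new):
        return True
    return levenshtein(old, new) <= max_edits


if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password and a 4-word phrase.
    complex_pw = "Tr0ub4d&"
    sentence = "correct horse battery staple"
    print(f"{complex_pw!r}: {charset_entropy_bits(complex_pw):.1f} bits (brute force)")
    print(f"{sentence!r}: {passphrase_entropy_bits(sentence):.1f} bits (word-list attacker)")
    for old, new in [("Welcome01", "Welcome02"), ("Summer2023!", "Summer2024!"),
                     ("Welcome01", "purple-lantern-orbit-fog")]:
        print(f"{old} -> {new}: rotation pattern = {looks_like_rotation(old, new)}")
```

The point of the two entropy models is that an attacker who knows a password is a sequence of dictionary words still faces roughly the same work for a four-word phrase as for an eight-character mix of cases, digits and symbols, and the phrase is the one people actually remember. The rotation check is the kind of rule a change-password endpoint can apply server-side, comparing the candidate against the previous password before accepting it.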
One example of such software is PasswordState - http://www.clickstudios.com.au/
It's web-based and integrates well with Active Directory – one could not ask for much more. Look for well-maintained and frequently updated password management systems, evaluate, test – you know how the process works.
(check it out)