The Downside of Complex Password Policies

Complex Passwords and Their Effect on Users & Organizations

One of the thorniest issues facing identity and access management personnel is how to effectively manage and comply with the burgeoning, complex world of password standards. Organizational policies are rarely consistent from company to company, and they place a significant burden on users, who must devise their own ways to manage ever-growing pools of passwords.

For example, my Keeper app on my iPhone currently stores 93 separate passwords (I have 20+ additional websites for which I have passwords but don’t keep them in my Keeper). While I tend to be consistent in creating my passwords (one uppercase letter, one number and one special character), there are numerous sites that don’t support that paradigm; I therefore have up to 25 DIFFERENT passwords in my Keeper.

I have worked with organizations that have a 30-day expiration on passwords; a 90-day expiration; a 180-day expiration; and no expiration at all. I know of organizations that require multiple special characters, multiple numbers, multiple capital letters and password lengths of up to 12 characters, all with no character runs or repeated characters.

With so much information to recall, how can people remember every password? How can workplaces enforce their own password-change policies while users also juggle the policies of every site they visit?

Here are some of the crazy passwords I’ve seen written down:

  • Y3Ll0w$T0N3
  • M1ck3yM0u$3
  • 1H8thi$p1Ac3
  • Kum0nFr1dAy

Then there are security policies that randomly generate passwords such as:

  • Fq4t0-uabn]p]354yu=h
  • 3<M@#^@ijsujf[p_E$#n
  • 236gj9%#$&Uqouc

Good luck trying to remember them!

My favorite story concerns a user workspace with a folded note next to the hanger that read “stupid password.” The password was there for all to see upon lifting the flap.

Here’s the truth: this chaos reduces rather than increases security. Empirical evidence shows that in any workplace, up to 7.5% of all user workspaces have passwords written down in clear text. These can be found on Post-It notes on monitors, taped to the undersides of keyboards, written on or underneath desk blotters, or on phone bases. These violations of password protection policies make security staff’s jobs harder every day and create business risk.

The problems are obvious. If 7.5% of the staff is keeping passwords out in the open, there is no security. Even if only 1% of staff is leaving passwords exposed, there is no security.

How can this be fixed? Start by ditching passwords! Instead:

  1. Enable multi-factor authentication
    1. Make the mobile device part of the credential (smartphone, tablet)
  2. Enable biometric password controls
    1. Use FIPS-certified scanners
    2. Use biometric smart cards that are CCID-compliant

Blending these two methods results in a much more secure environment, without many of the risks of compromise that passwords carry. Is it an investment? Absolutely. Is it better than the status quo? Totally!

Consider the following:

A biometric smart card can be used for facility access control; for example, enabling building access for Jane Doe from Monday through Friday, 7am to 7pm, with all other access restricted. The same smart card can govern access at Jane Doe’s workstation, and can be set to any hours, depending on Ms. Doe’s responsibilities.

Jane Doe can use her ‘BYOD’ or her company-issued smartphone for multi-factor authentication at her workstation. When she inserts her smart card into the CCID-compliant reader while booting up her workstation, the system automatically generates a one-time token that is sent to her smartphone. Ms. Doe enters those characters into the workstation’s pop-up screen, and she is now fully logged into her workplace systems.

Nothing to remember. Nothing to write down. No issue with expiring passwords or burdensome password controls. Such security is also NIST compliant, and can be PIV-I compliant as well.
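The card-plus-phone login flow and the Monday-to-Friday access window described above, modelled as an added example (this is not the author’s code or any vendor’s product): the card read triggers a short-lived one-time code that is accepted exactly once and then discarded. The five-minute lifetime, the card identifier and the access hours are assumptions for illustration.

```python
"""Added example: a minimal model of the smart-card + one-time-token workflow.
Names, windows and the token store are constructed for illustration; a real
deployment sits on PIV/PIV-I middleware and a phone-delivery channel."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(minutes=5)  # assumed lifetime of the one-time code


@dataclass
class CardHolder:
    name: str
    card_id: str
    # allowed weekdays (Mon=0 .. Sun=6) and hour window [start, end) in 24h time
    days: frozenset = frozenset(range(0, 5))
    start_hour: int = 7
    end_hour: int = 19
    phone: str = ""


def facility_access_allowed(holder: CardHolder, when: datetime) -> bool:
    """Jane Doe's card opens the door Mon-Fri, 07:00-19:00, and at no other time."""
    return when.weekday() in holder.days and holder.start_hour <= when.hour < holder.end_hour


@dataclass
class TokenIssuer:
    # card_id -> (code, expiry). A production system would store only a hash of the code.
    pending: dict = field(default_factory=dict)

    def issue(self, holder: CardHolder, now: datetime) -> str:
        """Card inserted at the CCID reader: mint a fresh 6-digit code for the phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[holder.card_id] = (code, now + TOKEN_TTL)
        return code  # delivered to holder.phone, never echoed to the workstation

    def verify(self, holder: CardHolder, entered: str, now: datetime) -> bool:
        """Single use: the stored code is removed on any attempt, so a wrong or
        late entry forces a fresh issue instead of allowing repeated guesses."""
        record = self.pending.pop(holder.card_id, None)
        if record is None:
            return False
        code, expires = record
        if now >= expires:
            return False
        return hmac.compare_digest(code, entered)
```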

Give it a try. It’s time to get rid of cumbersome password controls and begin implementing workable and real security.

To learn more, please contact me at steven.wertheim@sonmax.com.

SureID and Force 5 Partner to Deliver Innovative Vetting and Cost Recovery Offering for Emergency Response Contingent Workforces

Severe weather costs U.S. economy between $18 and $33 billion per year

HILLSBORO, Ore. — April 4, 2017 — 9:00 a.m. PT — SureID, Inc., the market leader in high-assurance identities, announced today a partnership with Force 5, Inc., a leader in compliance-based solutions for the bulk electric power industry. The offering addresses important contingent workforce challenges in a natural disaster emergency response including safety, security, regulatory requirements and cost recovery, ultimately resulting in savings for the utility ratepayer.

The unique and innovative offering combines SureID’s identity assurance technologies with Force 5’s Gatekeeper enForce solution, enabling electric utility companies to securely vet and manage the contingent emergency worker pool between multiple companies. The offering takes advantage of SureID’s nationwide network of SureID registration stations, mobile credentials and advanced cloud-based identity management portal along with a seamless integration to Force 5’s Gatekeeper enForce system for tracking emergency response labor efforts for safety, security and cost recovery.

According to a Grid Resiliency Report, severe weather is the number one cause of power outages in the U.S., costing billions of dollars annually in lost output and wages, spoiled inventory, delayed production and grid infrastructure damages. Weather-related utility outages cost the U.S. economy between $18 and $33 billion per year.1

SureID’s proven identity solution fortifies the existing Force 5 solution by enabling registration of contingent emergency workers from other utilities, in addition to the existing management of workers’ identity and access. The solution enables Force 5 to quickly and securely mobilize contingent emergency workers by activating an identity attribute associated with emergency response on the worker’s SureID-issued credential. With Force 5’s Gatekeeper Mobile solution, the accounting for workers’ time, cost and billing to other parties can be more efficiently and accurately tracked and reimbursed by the Federal Emergency Management Agency (FEMA). Force 5’s Gatekeeper enForce solution also will provide utilities the management, tracking and validation of contingent worker certifications and secured entry validation at restoration staging sites when combined with Force 5’s secure point-of-entry mobile units.

“Natural disasters and the ensuing widespread power outages create significant economic impacts on a local and national scale, which requires utilities across service territories to pitch in to get the lights back on. We’re thrilled to partner with Force 5 to build our trusted identity solution into emergency response and power restoration efforts for tracking, accounting and cost recovery purposes,” said Steve Larson, CEO and founder, SureID. “Our 15 years of experience working with the U.S. Department of Defense continues to open doors in critical infrastructure markets. There is significant value in pairing our technology with Force 5 to more effectively account for emergency response workers.”

“We are excited to integrate with SureID’s nationwide registration network to help improve how organizations track who is activated for emergency response,” said James Evelyn, general manager of security and compliance, Force 5. “Pairing Force 5’s Gatekeeper enForce system with SureID’s technology streamlines both the time-sensitive onboarding of emergency response workforces and the capture of cost recovery detail. An additional benefit is all SureID-credentialed workforces can now be seamlessly on-boarded to Gatekeeper enForce’s OSHA Outage Management and NERC/CIP Compliance modules.”

To learn more about the partnership, please contact info@sureid.com.

About SureID, Inc.

SureID, Inc. (www.SureID.com) is the market leader in high-assurance identity solutions. The company creates end-to-end trusted identity programs offering full credential lifecycle management through the combination of registration, identity proofing, background screening, credentialing and identity authentication for government, private enterprise and individuals including contractors, vendors and other authorized personnel. SureID’s RAPIDGate® program provides an enterprise-wide, single-credential high-assurance identity for the U.S. Navy, Marine Corps, Coast Guard, Army and critical infrastructure sectors across the country. SureID is the leading commercial issuer of PIV-I credentials. The SureID Certified™ solution is a high-assurance digital identity certification offered to individuals. The SureID Certified Edge™ solution includes identity proofing, recurring background screenings and credentialing for third-party vendors, contractors and suppliers, volunteers, coaches, consumers, and other individuals. Founded in November 2001, SureID is headquartered in Hillsboro, Ore., with offices in Minot, N.D., and Alexandria, Va.

About Force 5, Inc.

Founded in 2000, Force 5 has had a single company focus – solving customers’ business problems with proven technology solutions. Force 5 is a minority- and woman-owned business based in Miami, Florida. Force 5 has architected and delivered complex mission critical solutions to utilities, enterprises and government organizations. The entire team at Force 5 is committed to providing world-class service to our customers.

The Gatekeeper enForce was developed for and with a major electric utility based in the United States. It was based on specifications to meet the visitor tracking section of NERC’s Critical Infrastructure Protection (CIP) compliance requirements, along with specifications for Outage Management providing Positive Point of Entry Control, Tracking of Safety and other Certifications required by OSHA, and support of mustering events/roll calls. Gatekeeper enForce is a single integrated multi-purpose platform that provides a technical state-of-the-art solution to mitigate risk and provide a more secure, safe and efficient workplace. Gatekeeper enForce has been time tested, is CIP Audit proven and is deployed in the largest power utilities in the United States.

CIOReview rated Force 5 as one of the 20 most promising compliance solution providers in 2016. For more info, visit: www.force5solutions.com.

SureID, Inc. Names Former TSA Official Justin P. Oberman as Vice President of Identity Strategy

Oberman to speak at ISC West 2017 on protecting against outsiders on the inside

HILLSBORO, Ore. — April 4, 2017 — SureID, Inc., the market leader in high-assurance identities, is proud to announce its latest executive hire, Justin P. Oberman. Oberman joins SureID as vice president of identity strategy.

Justin Oberman – VP Identity Strategy

Oberman brings decades of experience in identity security, including as one of the first employees and earliest leaders at the Transportation Security Administration (TSA) following 9/11, where he served as the first Assistant Administrator for Transportation Threat Assessment and Credentialing. At SureID, Oberman will focus on leading industry discourse on identity assurance with a focus on enterprise accounts, the digital economy and other emerging markets. Oberman also will drive the adoption of SureID’s newest identity technologies, including the SureID Certified™ and SureID Certified Edge™ solutions.

“Justin’s unique leadership role at TSA and his deep understanding of today’s security requirements further strengthen our leadership in identity assurance,” said Steve Larson, CEO and founder of SureID.

Beginning in 2001 as an advisor to then-Secretary of Transportation Norman Y. Mineta, and later as an executive at TSA, Oberman played a lead role in developing and standing up background check and credentialing programs covering TSA employees, workers in all modes of transportation and domestic airline passengers. Oberman’s work included close collaboration with industry, organized labor, privacy groups, and intelligence and law enforcement agencies.

Oberman later worked at L-1 Identity Solutions and as a consultant to more than a dozen companies in the aviation and aerospace industries. He has also helped several startup companies in the security, transportation and supply chain management sectors.

“I joined SureID because the value the company has created for our military and its vendors and contractors is impressive and translates well to the needs of commercial, consumer and nonprofit sectors,” said Oberman. “Identity assurance is increasingly critical, as are security and privacy. SureID’s comprehensive offering is best-positioned to serve customers and I’m proud to support its mission.”

Oberman will speak at the 2017 International Security Conference & Exposition (ISC West) in Las Vegas. His presentation, on Thursday, April 6, 2017 from 3:00 – 5:00 p.m. in Sands 101 and 102, is titled “Giving Insiders Access: Make Sure Front and Back Doors are Locked.”
