The Downside of Complex Password Policies

Complex Passwords and Their Effect on Users & Organizations

One of the thorniest issues facing ID and access management personnel is how to effectively manage and comply with the burgeoning, complex world of password standards. Organizational policies are rarely consistent from company to company, and significantly burden users to devise effective ways to manage growing password pools.

For example, my Keeper app on my iPhone currently stores 93 separate passwords (I have 20+ additional websites for which I have passwords, but don’t have them in my Keeper). While I tend to be consistent in creating my passwords (1 Uppercase letter, 1 number and 1 special character), there are numerous sites that don’t support that paradigm; I therefore have up to 25 DIFFERENT passwords in my Keeper.

I have worked with organizations that have a 30-day expiration on passwords; 90-day expiration on passwords; 180-day expiration on passwords; and no expiration on passwords. I know of organizations that require multiple special characters; multiple numbers; multiple capital letters and password lengths of up to 12 characters, all with no character runs or repetitive characters.

With so much information to recall, how can people remember every password? How can workplaces manage password change policies and those for visited sites?

Here are some of the crazy passwords I’ve seen written down:

  • Y3Ll0w$T0N3
  • M1ck3yM0u$3
  • 1H8thi$p1Ac3
  • Kum0nFr1dAy

Then there are security policies that randomly generate passwords such as:

  • Fq4t0-uabn]p]354yu=h
  • 3<M@#^@ijsujf[p_E$#n
  • 236gj9%#$&Uqouc

Good luck trying to remember them!

My favorite story regarded a user workspace that had a folded note next to the hanger that read “stupid password.” The password was there for all to see upon lifting the flap.

Here’s the truth: This chaos reduces rather than increases security. Empirical evidence shows that in any workplace, up to 7.5% of all user workspaces have passwords written down in clear text. These can be found on Post-It notes on monitors, taped to the undersides of keyboards, written on or underneath desk blotters, or on phone bases. These violations of password protection policies complicate security staff’s jobs every day and create business risk.

The problems are obvious. If 7.5% of the staff is keeping passwords out in the open, there is no security. Even if only 1% of staff is leaving passwords vulnerable, there is no security.

How can this be fixed? Start by ditching passwords! Instead:

  1. Enable multi-factor authentication
     1. Make the mobile device part of the password (smartphone, pad)
  2. Enable biometric password controls
     1. Use FIPS-certified scanners
     2. Use biometric smart cards – CCID-compliant

Blending these two methods results in a much more secure environment, without many of the associated risks of compromise. Is it an investment? Absolutely. Is it better than the status quo? Totally!

Consider the following:

A biometric smart card can be used for facility access control; for example, enabling building access for Jane Doe from Monday through Friday, 7am to 7pm, with all other access restricted. The same smart card can restrict access at Jane Doe’s workstation, and be set to any hours, depending on Ms. Doe’s responsibilities.

Jane Doe can use her ‘BYOD’ or her company-issued smart phone for multi-factor authentication at her workstation. When she puts her smart card into the CCID-compliant reader while booting up her workstation, the system automatically generates a one-time-use token that is sent to her smart phone. Ms. Doe enters those characters into the workstation’s pop-up screen, and she is now fully logged into her workplace systems.

Nothing to remember. Nothing to write down. No issue with expiring passwords or burdensome password controls. Such security is also NIST-compliant, and can be PIV-I compliant as well.
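To make the two controls in the Jane Doe scenario concrete, here is an added Python sketch; it is not code from the original post or from SureID. It models the facility-access schedule check (weekday and time window per card holder) and the workstation second factor, where inserting the card triggers a one-time code sent to the holder’s registered phone. The card IDs, phone number, schedule, 120-second code lifetime, six-digit code length and three-attempt limit are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from datetime import datetime, time as dtime

# Constructed sample data (hypothetical). In a real deployment the registry and
# schedules would come from the card-management and HR systems.
CARD_REGISTRY = {
    "CARD-0001": {"user": "jane.doe", "phone": "+1-555-0100"},
}
ACCESS_SCHEDULE = {
    # Monday..Friday (weekday() 0..4), 07:00 to 19:00; everything else denied.
    "jane.doe": {"weekdays": {0, 1, 2, 3, 4}, "start": dtime(7, 0), "end": dtime(19, 0)},
}

OTP_TTL_SECONDS = 120   # assumed lifetime of a one-time code
OTP_DIGITS = 6          # assumed code length
MAX_ATTEMPTS = 3        # assumed wrong guesses before the challenge is discarded


def facility_access_allowed(card_id, when):
    """Door decision: may this card enter at `when`? `when` is a datetime or an
    ISO 8601 string such as '2017-04-17T08:00'. Unknown cards are denied."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    entry = CARD_REGISTRY.get(card_id)
    policy = ACCESS_SCHEDULE.get(entry["user"]) if entry else None
    if policy is None or when.weekday() not in policy["weekdays"]:
        return False
    return policy["start"] <= when.time() < policy["end"]


@dataclass
class PendingChallenge:
    code_hash: bytes          # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SecondFactorService:
    """Workstation logon second factor: card insertion triggers a one-time code
    to the registered phone; the code is single-use, time-limited, attempt-limited
    and compared in constant time."""

    def __init__(self, server_key, now=time.time):
        self._key = server_key
        self._now = now            # injectable clock so expiry can be exercised
        self._pending = {}
        self.outbox = []           # stand-in for the SMS/push gateway

    def _digest(self, card_id, code):
        return hmac.new(self._key, f"{card_id}:{code}".encode(), hashlib.sha256).digest()

    def card_inserted(self, card_id):
        """Called when the CCID reader reports a card. Returns True if a code was sent."""
        entry = CARD_REGISTRY.get(card_id)
        if entry is None:
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[card_id] = PendingChallenge(
            self._digest(card_id, code), self._now() + OTP_TTL_SECONDS)
        self.outbox.append((entry["phone"], code))   # "sent" to the registered phone
        return True

    def verify(self, card_id, typed_code):
        """Check the code typed into the workstation pop-up. Returns True on success."""
        ch = self._pending.get(card_id)
        if ch is None:
            return False                           # nothing outstanding for this card
        if self._now() > ch.expires_at:
            del self._pending[card_id]             # expired: user must re-insert the card
            return False
        if hmac.compare_digest(ch.code_hash, self._digest(card_id, typed_code)):
            del self._pending[card_id]             # success consumes the challenge
            return True
        ch.attempts_left -= 1
        if ch.attempts_left == 0:
            del self._pending[card_id]             # too many wrong guesses: start over
        return False


def run_scenario():
    """Walk through Jane Doe's logon with a fake clock; returns the outcomes in order."""
    clock = [1_700_000_000.0]
    svc = SecondFactorService(b"constructed-server-key", now=lambda: clock[0])
    results = [svc.card_inserted("CARD-0001")]                 # True: code sent
    code = svc.outbox[-1][1]
    wrong = "000000" if code != "000000" else "111111"
    results.append(svc.verify("CARD-0001", wrong))             # False: wrong code
    results.append(svc.verify("CARD-0001", code))              # True: logged in
    results.append(svc.verify("CARD-0001", code))              # False: replay rejected
    svc.card_inserted("CARD-0001")
    clock[0] += OTP_TTL_SECONDS + 1
    results.append(svc.verify("CARD-0001", svc.outbox[-1][1]))  # False: expired
    results.append(svc.card_inserted("CARD-9999"))             # False: unknown card
    return results
```

The design choices are the ones that matter when the phone becomes part of the credential: the server never stores the code itself, only a keyed hash; verification uses a constant-time comparison; a code is consumed on first success, dies after a fixed window, and a handful of wrong guesses discards the challenge so the user must re-insert the card. The door-schedule check denies by default for unknown cards or holders with no schedule on file.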

Give it a try. It’s time to get rid of cumbersome password controls and begin implementing workable and real security.

To learn more, please contact me at steven.wertheim@sonmax.com.

SureID, Inc. Files Bid Protest Against U.S. Government’s Decision to In-Source Vendor Credentialing and Access Control Services to Navy Bases

Filing Triggers Automatic “Stay”

Hillsboro, Ore. — April 19, 2017 — SureID, Inc., the leading commercial provider of credentialing and access control services for vendor access to military bases, yesterday filed a bid protest with the U.S. Government Accountability Office (GAO) challenging the U.S. Government’s decision to “in-source” vendor credentialing and access control services to the Navy.

An automatic stay took effect at approximately 4:30 p.m. EST on 18 April 2017.

SureID, headquartered in Hillsboro, Oregon, has been providing its RAPIDGate® services to the Navy since 2006. As of the time the Government announced its in-sourcing decision on 12 April 2017, SureID was managing more than 170,000 active RAPIDGate credential holders at 66 Navy bases across the Continental United States, Hawaii and Guam.

SureID predicates its protest on the basis that the Government’s decision to in-source services violates applicable procurement statutes and regulations that require the Government to promote competition.

Further, SureID asserts in its protest that the Government’s in-sourcing decision was unreasonable in light of commercially available solutions that meet the Government’s needs. Indeed, the Government acknowledged its decision was “in no way a reflection on SureID.”

GAO typically resolves protests within one hundred days.

About the RAPIDGate Program
The RAPIDGate program is an end-to-end high-assurance identity management solution. The program manages the identities and installation-specific access privileges of tens of thousands of program credential holders for access to military installations throughout the nation. RAPIDGate program participants can, with one credential, access any installation where the program is implemented so long as the company they represent has been sponsored by the installation or a tenant command, and is approved by the installation commanding officer. The RAPIDGate program is further enhanced by SureID’s complementary solution, the RAPID-RCx® program, which allows security personnel to scan driver’s licenses, CAC cards, Teslins, and TWICs.

About SureID, Inc.
SureID, Inc. (www.SureID.com) is the market leader in high-assurance identity solutions. The company creates end-to-end trusted identity programs offering full credential lifecycle management through the combination of registration, identity proofing, background screening, credentialing and identity authentication for government, private enterprise and individuals including contractors, vendors and other authorized personnel. SureID’s RAPIDGate® program provides an enterprise-wide, single-credential high assurance identity for the U.S. Navy, Marine Corps, Coast Guard and Army and the critical infrastructure sector across the country. SureID, Inc. is the leading commercial issuer of PIV-I credentials. Founded in November 2001, SureID is headquartered in Hillsboro, Ore., with offices in Minot, N.D., and Alexandria, Va.

SureID and Force 5 Partner to Deliver Innovative Vetting and Cost Recovery Offering for Emergency Response Contingent Workforces

Severe weather costs U.S. economy between $18 and $33 billion per year

HILLSBORO, Ore. — April 4, 2017 — 9:00 a.m. PT — SureID, Inc., the market leader in high-assurance identities, announced today a partnership with Force 5, Inc., a leader in compliance-based solutions for the bulk electric power industry. The offering addresses important contingent workforce challenges in a natural disaster emergency response including safety, security, regulatory requirements and cost recovery, ultimately resulting in savings for the utility ratepayer.

The unique and innovative offering combines SureID’s identity assurance technologies with Force 5’s Gatekeeper enForce solution, enabling electric utility companies to securely vet and manage the contingent emergency worker pool between multiple companies. The offering takes advantage of SureID’s nationwide network of SureID registration stations, mobile credentials and advanced cloud-based identity management portal along with a seamless integration to Force 5’s Gatekeeper enForce system for tracking emergency response labor efforts for safety, security and cost recovery.

According to a Grid Resiliency Report, severe weather is the number one cause of power outages in the U.S., costing billions of dollars annually in lost output and wages, spoiled inventory, delayed production and grid infrastructure damages. Weather-related utility outages cost the U.S. economy between $18 and $33 billion per year.1

SureID’s proven identity solution fortifies the existing Force 5 solution by enabling registration of contingent emergency workers from other utilities, in addition to the existing management of workers’ identity and access. The solution enables Force 5 to quickly and securely mobilize contingent emergency workers by activating an identity attribute associated with emergency response on the worker’s SureID-issued credential. With Force 5’s Gatekeeper Mobile solution, the accounting for workers’ time, cost and billing to other parties can be more efficiently and accurately tracked and reimbursed by the Federal Emergency Management Agency (FEMA). Force 5’s Gatekeeper enForce solution also will provide utilities the management, tracking and validation of contingent worker certifications and secured entry validation at restoration staging sites when combined with Force 5’s secure point-of-entry mobile units.

“Natural disasters and the ensuing widespread power outages create significant economic impacts on a local and national scale, which requires utilities across service territories to pitch in to get the lights back on. We’re thrilled to partner with Force 5 to build our trusted identity solution into emergency response and power restoration efforts for tracking, accounting and cost recovery purposes,” said Steve Larson, CEO and founder, SureID. “Our 15 years of experience working with the U.S. Department of Defense continues to open doors in critical infrastructure markets. There is significant value in pairing our technology with Force 5 to more effectively account for emergency response workers.”

“We are excited to integrate with SureID’s nationwide registration network to help improve how organizations track who is activated for emergency response,” said James Evelyn, general manager of security and compliance, Force 5. “Pairing Force 5’s Gatekeeper enForce system with SureID’s technology streamlines both the time-sensitive onboarding of emergency response workforces and the capture of cost recovery detail. An additional benefit is all SureID-credentialed workforces can now be seamlessly on-boarded to Gatekeeper enForce’s OSHA Outage Management and NERC/CIP Compliance modules.”

To learn more about the partnership, please contact info@sureid.com.

About SureID, Inc.

SureID, Inc. (www.SureID.com) is the market leader in high-assurance identity solutions. The company creates end-to-end trusted identity programs offering full credential lifecycle management through the combination of registration, identity proofing, background screening, credentialing and identity authentication for government, private enterprise and individuals including contractors, vendors and other authorized personnel. SureID’s RAPIDGate® program provides an enterprise-wide, single-credential high-assurance identity for the U.S. Navy, Marine Corps, Coast Guard, Army and critical infrastructure sectors across the country. SureID is the leading commercial issuer of PIV-I credentials. The SureID Certified™ solution is a high-assurance digital identity certification offered to individuals. The SureID Certified Edge™ solution includes identity proofing, recurring background screenings and credentialing for third-party vendors, contractors and suppliers, volunteers, coaches, consumers, and other individuals. Founded in November 2001, SureID is headquartered in Hillsboro, Ore., with offices in Minot, N.D., and Alexandria, Va.

About Force 5, Inc.

Founded in 2000, Force 5 has had a single company focus – solving customers’ business problems with proven technology solutions. Force 5 is a minority- and woman-owned business based in Miami, Florida. Force 5 has architected and delivered complex mission critical solutions to utilities, enterprises and government organizations. The entire team at Force 5 is committed to providing world-class service to our customers.

Gatekeeper enForce was developed for and with a major electric utility based in the United States. It was based on specifications to meet the visitor tracking section of NERC’s Critical Infrastructure Protection (CIP) compliance requirements along with specifications for Outage Management providing Positive Point of Entry Control, Tracking of Safety and other Certifications required by OSHA and support of mustering events/roll calls. Gatekeeper enForce is a single integrated multi-purpose platform to provide a technical state-of-the-art solution to mitigate risk and provide a more secure, safe and efficient workplace. Gatekeeper enForce has been time tested, is CIP Audit proven and is deployed in the largest power utilities in the United States.

CIOReview rated Force 5 as one of the 20 most promising compliance solution providers in 2016. For more info, visit: www.force5solutions.com.