Serviceteam IT Security News

We’re all busy people. Business demands are constant, and information overload is a daily challenge. Most of us don’t come to work to ‘do security’; it’s a supporting function, something we have to get through in order to get on with our main task.

And this is fine. Most of us aren’t hired to do security – we’re hired to do jobs that help meet our employer’s business goals.

But because of these competing demands and priorities, we have only a limited amount of mental effort to spend on security. This is sometimes called the compliance budget, and like any budget, once it is spent it is gone; it cannot be used again elsewhere. As security professionals we should be mindful of this budget, avoid squandering it where it buys no real protection, and not expect user effort to compensate for gaps elsewhere in our defences.

Pouring user effort into managing and memorising difficult passwords is a common use of the compliance budget, and it is (mostly) a huge waste of this precious resource. Users generally find such policies impossible to comply with; the policies provide no particular defence against many common password attacks (a phished or reused password is just as usable whether it is complex or not); and there is a real limit to how much protection user passwords can give a system. In most cases, if your user passwords can be attacked directly, you have bigger problems.

For instance, if an attacker is able to get hold of your password hash file and run offline brute-force attacks against it, you have bigger problems.

If an attacker is able to attempt thousands of logins without prevention or detection, because you have no account lockout, throttling or monitoring in place, you have bigger problems.

If an attacker compromises a user account, gains a foothold in the system and installs backdoors that give sustained and undetected access even after the password is changed, you have bigger problems.

User passwords are only one of many ways in which we defend our systems. They cannot compensate for vulnerabilities elsewhere, so we should not rely on them further than is justified. There is no correlation between how well a system is defended and how demanding its password policy is; if anything, the opposite is true.
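The lockout, throttling and monitoring mentioned above are the controls that actually bound how many guesses an online attacker gets, regardless of password policy. The following is an added example, not code from the NCSC article or from Serviceteam IT, of a sliding-window login throttle keyed both by account and by source address, replayed over constructed auth log lines. It goes one step beyond the text by also flagging password spraying (one source trying a few guesses against many accounts), which a per-account lockout on its own never triggers. The thresholds, the log format and the log lines are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for this example, not values recommended by the article.
WINDOW = 300          # sliding window in seconds
ACCOUNT_LIMIT = 5     # failures per account in the window before further attempts are refused
SOURCE_LIMIT = 20     # failures per source address in the window before it is refused
SPRAY_ACCOUNTS = 5    # distinct accounts failed from one source in the window -> alert


class LoginThrottle:
    """Sliding-window throttle keyed by account and by source address."""

    def __init__(self, window=WINDOW, account_limit=ACCOUNT_LIMIT, source_limit=SOURCE_LIMIT):
        self.window = window
        self.account_limit = account_limit
        self.source_limit = source_limit
        self.account_fails = defaultdict(deque)   # user -> timestamps of failures
        self.source_fails = defaultdict(deque)    # src  -> timestamps of failures

    def _prune(self, q, now):
        # Drop failures that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, user, src, now):
        """True if an attempt may be checked against the password store at all."""
        self._prune(self.account_fails[user], now)
        self._prune(self.source_fails[src], now)
        return (len(self.account_fails[user]) < self.account_limit
                and len(self.source_fails[src]) < self.source_limit)

    def record(self, user, src, now, success):
        if success:
            # A real login resets the account counter; the source counter is kept,
            # because a successful guess is still evidence of guessing.
            self.account_fails[user].clear()
        else:
            self.account_fails[user].append(now)
            self.source_fails[src].append(now)


def parse_line(line):
    """Parse '<epoch> <OK|FAIL> user=<name> src=<addr>' (a constructed format)."""
    ts, outcome, user_kv, src_kv = line.split()
    return int(ts), outcome == "OK", user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def replay(log_text, throttle=None):
    """Replay auth events through the throttle and flag password spraying.

    Returns the number of attempts the throttle refused and a list of
    (timestamp, src) spray alerts, one per offending source.
    """
    throttle = throttle or LoginThrottle()
    refused = 0
    spray_seen = defaultdict(dict)   # src -> {user: timestamp of last failure}
    alerts, alerted = [], set()
    for line in log_text.strip().splitlines():
        ts, ok, user, src = parse_line(line)
        if not throttle.allow(user, src, ts):
            refused += 1             # the password store is never consulted for this attempt
            continue
        throttle.record(user, src, ts, ok)
        if ok:
            continue
        # Spraying stays under the per-account limit, so count distinct accounts per source.
        seen = spray_seen[src]
        seen[user] = ts
        for stale in [u for u, t in seen.items() if ts - t >= throttle.window]:
            del seen[stale]
        if len(seen) >= SPRAY_ACCOUNTS and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src))
    return {"refused": refused, "alerts": alerts}


# Constructed sample log: a brute force against alice (the seventh attempt is a correct
# guess, but the throttle never lets it reach the password check), a legitimate user
# who mistypes once, and a spray across five accounts from one source.
SAMPLE_LOG = """
1700000000 FAIL user=alice src=203.0.113.5
1700000005 FAIL user=alice src=203.0.113.5
1700000010 FAIL user=alice src=203.0.113.5
1700000015 FAIL user=alice src=203.0.113.5
1700000020 FAIL user=alice src=203.0.113.5
1700000025 FAIL user=alice src=203.0.113.5
1700000030 OK user=alice src=203.0.113.5
1700000100 FAIL user=bob src=192.0.2.77
1700000110 OK user=bob src=192.0.2.77
1700000200 FAIL user=carol src=198.51.100.9
1700000210 FAIL user=dave src=198.51.100.9
1700000220 FAIL user=erin src=198.51.100.9
1700000230 FAIL user=frank src=198.51.100.9
1700000240 FAIL user=grace src=198.51.100.9
"""

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))   # {'refused': 2, 'alerts': [(1700000240, '198.51.100.9')]}
```

Note that the account counter is cleared on a genuine login so a user who mistypes is not locked out for the whole window, while the source counter is not, since a correct guess from a guessing source is exactly what monitoring should surface. Per-account lockout and spray detection need each other: the first stops the brute force on alice, the second is the only thing that notices the source hitting carol through grace.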

The same applies to password expiry. There are very few imaginable scenarios in which regular password expiry provides any real protection: an attacker who obtains a password will normally use it straight away, long before it expires, and regular password changes make no difference to the success of most attacks. What expiry does do is impose a heavy burden on users, who respond by choosing small, predictable variations on their previous password, and that causes corresponding harm to the organisation’s overall security. Because of the innate attraction of the idea that a newer password must be a better password, and because we have been slow to recognise the large costs that expiry policies impose, we have hung on to them long past the point at which we should have, well, expired them.

Organisations should stop expiring user passwords regularly for its own sake and focus instead on more meaningful, effective protective measures. That means minimising the use of passwords and, where they remain necessary, ensuring that they are used sensibly.

Source: National Cyber Security Centre

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!