WEBINAR Passwords: The Good, The Bad, And The Ugly

Join Forrester security analyst Merritt Maxim as he reviews key findings on password policies and offers practical guidance for password management.

Presentation Transcript


  1. WEBINAR: Passwords: The Good, The Bad, And The Ugly. Merritt Maxim, Senior Analyst. July 16, 2015. Call in at 12:55 p.m. Eastern time.

  2. Webinar abstract To paraphrase the great humorist Mark Twain, rumors of the death of passwords have been greatly exaggerated. While people lament the challenges and problems posed by passwords, they remain a core authentication and security technology. This spring, Forrester completed a quantitative end-user survey to gauge organizations’ current password policies and usage, including their current challenges. The survey also provided perspectives on the future of passwords and how other technologies might replace passwords completely. In this webinar, Forrester security and risk analyst Merritt Maxim reviews the survey’s key findings and offers practical guidance and recommendations for password management that security and risk professionals can utilize to keep administrative costs and risks in check.

  3. Webinar abstract (cont.) Key takeaways: Gain perspective on key password trends and how they apply to your own organization. Learn how to plan an appropriate security strategy for your own organization to address these trends.

  4. Agenda • Background • Key takeaways • Passwords: the good • Passwords: the bad • Passwords: the ugly • Recommendations • Q&A

  5. As long as there are passwords, there will be breaches

  6. Train control center passwords revealed on BBC TV

  7. What’s the problem with passwords? Are passwords dead? What’s next? Passwords seem cheap, but they are: Fatigued. Shoulder-surfed. Decryptable. Breached.

  8. Passwords affect user experience (1) Get email notification that your password was breached. (2) Reset to a more complex password. (3) Use the password. (4) Hackers compromise the website. (5) Hackers steal passwords. (6) Go to No. 1.

  9. Authentication is a difficult balance: operational efficiency, asset security, customer satisfaction.

  10. Key takeaways: Forrester Employee Password Survey Employers have converged on a common password structure. Passwords are still a major internal cost and drain on employee productivity. Single enterprisewide password policies are elusive. Cloud security concerns are not influencing password policies.

  11. Passwords: the good

  12. Organizations have aligned on common password anatomy for employees Source: Forrester Password Usage And Trends Survey, 2015

  13. Organizations have standard policies for employee password length and format Source: Forrester Password Usage And Trends Survey, 2015

  14. Organizations are using two-factor authentication (2FA) Source: Forrester Password Usage And Trends Survey, 2015

  15. Employers are leveraging employee-specific data for account lockouts Source: Forrester Password Usage And Trends Survey, 2015

  16. Employers are raising awareness about password issues “Do you conduct social engineering experiments to test users’ security awareness and willingness to disclose passwords, including required annual security policy and password education training?” Source: Forrester Password Usage And Trends Survey, 2015

  17. Passwords: the bad

  18. Organizations have many different password policies Source: Forrester Password Usage And Trends Survey, 2015

  19. Password resets cost approximately $168 per employee per year Source: Forrester Password Usage And Trends Survey, 2015

  20. Passwords: the ugly

  21. Concerns about cloud security have not influenced SaaS passwords Source: Forrester Password Usage And Trends Survey, 2015

  22. Contractors and nonemployees have the same password policies as employees Source: Forrester Password Usage And Trends Survey, 2015

  23. Password policies often require exceptions “Do you allow exceptions to your official password policy?” Source: Forrester Password Usage And Trends Survey, 2015

  24. Real-world sample of password resets Large US public university: 300,000-plus accounts; 7,900-plus users/month doing password resets.* 48% cannot reset; 52% reset via self-service. 25% call help desk; 75% reset via KBA. *Organization does not have a formal password expiration policy.

  25. Other password issues Knowledge-based authentication (KBA) for resetting is imperfect and a threat vector. Google survey:* 37% of respondents admitted to providing fake answers; 40% of users were unable to recall their answers as part of the account recovery process. IRS “Get Transcript” breach, spring 2015: hackers have successfully completed verification questions to file bogus tax returns. *Taken from research at Google.

  26. Forrester’s recommendations Risk assessments should drive password policies. Implement stronger passwords for nonemployees. Deploy IAM solutions to alleviate password costs and realize a compelling ROI. Apply lessons from consumer passwords to improve the employee experience. Implement an official password exceptions management process.

  27. Passwords are still here: what to do about it Embrace password co-existence for the next three or more years. Strive for password replacement via SAML and two-factor authentication. SAML for Web and SaaS apps reduces password usage and simplifies user experience. Two-factor authentication is a viable alternative for replacing passwords to select systems with a wide range of form factors available (e.g., smartphone, desktop, and standalone token). A large and vibrant vendor ecosystem exists to provide SAML SSO and 2FA solutions. Strategize about a password-free future now.

  28. What about biometrics? Cons: enrollment process; not entirely deterministic; server-side database needs to be encrypted. Pros: solves the out-of-band problem; mobile devices’ camera and microphone are a given; in combination with one another and context, they can replace passwords; server- and client-side are both viable.

  29. Selected Forrester Research “The Forrester Wave™: B2E Cloud IAM, Q2 2015”; “Top 11 Trends S&R Pros Should Watch: 2015”; upcoming: “The State Of Employee Passwords: The Good, The Bad, And The Ugly, Part 1”; upcoming: “The State Of Employee Passwords: The Good, The Bad, And The Ugly, Part 2”

  30. Selected Forrester Research (cont.) “Develop Identity And Access Management Metrics For Employee And Customer Processes”; “Know Your Adversary”; “Quick Take: Fifteen Lessons For Security & Risk Pros From The IRS Get Transcript Breach”

  31. Security and risk analyst team Andras Cser, Vice President, Principal Analyst; Stephanie Balaouras, Vice President, Research Director; Christopher McClean, Vice President, Research Director; Merritt Maxim, Senior Analyst; Nick Hayes, Analyst; Rick Holland, Principal Analyst

  32. Security and risk analyst team (cont.) Renee Murphy, Senior Analyst; John Kindervag, Vice President, Principal Analyst; Martin Whitworth, Senior Analyst; Chris Sherman, Analyst; Heidi Shey, Analyst; Tyler Shields, Principal Analyst

  33. Merritt Maxim mmaxim@forrester.com Twitter: @merrittmaxim