ashok-sn
ServiceNow Employee

The first line of defense

In the first post we introduced this series and the concept of shared responsibility for security. Passwords are fundamental, and are like the keys to your house. Hand over the keys, and you’ve handed over your house and everything inside it. When securing your instance, the first line of defense is strong password security, but this topic is often overlooked or taken for granted.

The traditional advice on choosing passwords is now considered to be wrong and outdated. Your users may not know what makes a ‘good’ password, or how important it is to keep it safe, and this can lead to security failures.

So, what is the best practice for password security?

Unlearn what you have learned

The official recommendations have changed. Previously, we were encouraged to choose relatively short, complex passwords and to change them frequently, but current thinking says we should choose longer passphrases and only change them if there is reason to believe they’ve been compromised.

It turns out that we have been selecting passwords that are difficult for us to remember, but easy for computers to guess. This illustration from XKCD explains why:

[Image: XKCD illustration on password strength]

To add to this, because of a lack of training and the burden of having to remember so many sets of credentials, many people are still using very simple and well-known passwords. Lists of these common passwords can be easily found on the internet, and attackers use them to try to break into online services, in what is known as a Password Spray Attack.
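The shape of a spray, many accounts tried a few times each from one source, is also what makes it detectable. The following is an added example (not code from this post or from ServiceNow) that runs over constructed authentication log lines and separates spraying from a single-account brute-force attempt. The log format, the thresholds and the sample data are all assumptions made for the example.

```python
"""Detect password-spray and single-account brute-force patterns in
constructed authentication log lines (added example; not ServiceNow code).

The log format is an assumption for this example only:
"<ISO timestamp> <user> <FAIL|OK> <source ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Source 203.0.113.7 tries one password against
# many accounts (a spray, one of which succeeds); 198.51.100.9 hammers a
# single account; 192.0.2.55 is an ordinary user with one typo.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice FAIL 203.0.113.7
2024-05-01T09:00:02 bob FAIL 203.0.113.7
2024-05-01T09:00:03 carol FAIL 203.0.113.7
2024-05-01T09:00:04 dave FAIL 203.0.113.7
2024-05-01T09:00:05 erin FAIL 203.0.113.7
2024-05-01T09:00:06 frank OK 203.0.113.7
2024-05-01T09:00:07 alice FAIL 198.51.100.9
2024-05-01T09:00:08 alice FAIL 198.51.100.9
2024-05-01T09:00:09 alice FAIL 198.51.100.9
2024-05-01T09:00:10 alice FAIL 198.51.100.9
2024-05-01T09:00:11 alice FAIL 198.51.100.9
2024-05-01T09:00:12 alice FAIL 198.51.100.9
2024-05-01T09:05:00 grace OK 192.0.2.55
2024-05-01T09:05:30 grace FAIL 192.0.2.55
"""


def parse_log(text):
    """Return a list of (timestamp, user, success, src); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, result, src = parts
        events.append((datetime.fromisoformat(ts), user, result == "OK", src))
    return events


def find_spray_sources(events, window=timedelta(minutes=10), min_users=5):
    """Sources that failed against at least min_users distinct accounts inside window.

    A spray makes few guesses per account, so per-account counters stay under any
    lockout threshold; grouping failures by source is what exposes the pattern."""
    by_src = defaultdict(list)  # src -> [(ts, user)] for failures only
    for ts, user, ok, src in events:
        if not ok:
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # sliding window over failures
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def find_bruteforce_accounts(events, window=timedelta(minutes=10), max_fails=5):
    """Accounts with more than max_fails failures from one source inside window."""
    by_pair = defaultdict(list)
    for ts, user, ok, src in events:
        if not ok:
            by_pair[(user, src)].append(ts)
    flagged = {}
    for (user, src), stamps in by_pair.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) > max_fails:
                flagged[user] = src
                break
    return flagged


def spray_successes(events, spray_sources):
    """Successful logins from a flagged spray source: these accounts had a guessable
    password and are the ones to reset first."""
    return [(user, src) for _, user, ok, src in events if ok and src in spray_sources]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sprays = find_spray_sources(evts)
    print("spray sources:", sprays)
    print("brute-forced accounts:", find_bruteforce_accounts(evts))
    print("accounts to reset:", spray_successes(evts, sprays))
```

The two detectors deliberately key on different things: the spray check counts distinct accounts per source, the brute-force check counts failures per account. Running only the second one, which is all a per-account lockout gives you, leaves the spray invisible.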

Boosting your defenses

Though these attacks are often successful, the good news is that they are easy to deflect by implementing a few simple measures.

  • Help your users - Inform users of the new guidance and how to choose good passphrases. This can be enforced by adjusting the password policy on your ServiceNow instance and any third-party authentication systems that you use.
  • Use unique passwords - Users should not use the same passwords across different services. This is because attackers often use credentials stolen from an attack on one system to log into another, a method called Credential Stuffing.
  • Consider using a password management tool - Some organizations employ a commercially available password management tool to help users handle their many different sets of credentials. This simplifies things because users only need to remember a single, strong passphrase which they can ensure is kept secure.
  • Do not share credentials - Credentials should not be shared under any circumstances. If multiple people use the same login, you can’t be sure how many people know the password, or who performed a particular action. This may also encourage undesirable practices or misuse of the service. Always use unique accounts for individual users, so you know who has logged in and can trace any actions they performed. This ensures accountability.
  • Configure account lockout - It is good practice to configure account lockout on your instance to prevent multiple successive login attempts. This can thwart attackers’ attempts to gain access to an account by restricting the number of password guesses allowed.
  • Delete unused accounts - Unused accounts can also present a risk. You should include account deletion in your off-boarding procedures and conduct regular reviews to remove any unnecessary accounts.
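The "Configure account lockout" point hides a few design decisions: how many failures count, over what window, how long the lock lasts, and whether a correct password during the lock is still refused. This added example (my own illustration, not ServiceNow's implementation, with thresholds chosen as assumptions) shows one such policy and the sequence of outcomes it produces for constructed login attempts.

```python
"""Account-lockout policy of the kind the 'Configure account lockout' bullet
describes (added example; not ServiceNow's implementation). Thresholds and
durations are assumptions chosen for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LockoutPolicy:
    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window                 # only failures this recent count
        self.lockout = lockout               # how long a locked account stays locked
        self._fails = defaultdict(deque)     # user -> recent failure timestamps
        self._locked_until = {}              # user -> datetime when the lock expires

    def _prune(self, user, now):
        q = self._fails[user]
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                     # lockout has expired
            del self._locked_until[user]
            return False
        return True

    def record(self, user, ok, now):
        """Apply one authentication outcome and return the decision:
        'locked' (rejected without evaluating the password), 'ok', 'fail',
        or 'lock' (this failure tripped the threshold)."""
        if self.is_locked(user, now):
            return "locked"                  # even a correct password is refused
        if ok:
            self._fails[user].clear()        # a success resets the counter
            return "ok"
        self._prune(user, now)
        self._fails[user].append(now)
        if len(self._fails[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._fails[user].clear()        # counter starts fresh after the lock
            return "lock"
        return "fail"


def simulate(policy, attempts):
    """Feed (offset_seconds, user, password_correct) tuples through the policy."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)       # constructed start time
    return [policy.record(u, ok, t0 + timedelta(seconds=s)) for s, u, ok in attempts]


# Constructed attempts: alice fails five times in under a minute, then presents
# the correct password while locked, then again after the lock expires.
ALICE_ATTEMPTS = [(0, "alice", False), (10, "alice", False), (20, "alice", False),
                  (30, "alice", False), (40, "alice", False),
                  (50, "alice", True), (1900, "alice", True)]

# bob fails five times too, but spread over more than an hour, so no window
# ever holds five failures and he is never locked out.
BOB_ATTEMPTS = [(s, "bob", False) for s in (0, 1000, 2000, 3000, 4000)]


if __name__ == "__main__":
    print("alice:", simulate(LockoutPolicy(), ALICE_ATTEMPTS))
    print("bob:  ", simulate(LockoutPolicy(), BOB_ATTEMPTS))
```

Two choices in the code are worth noticing. The correct password at 50 seconds is refused because the lock is checked before the password is, which is what stops a guessing run from simply continuing; and the window prunes old failures so that occasional typos over a day never accumulate into a lock. The threshold is a trade-off: too low and legitimate users lock themselves out, too high and the guess budget per account grows, so it should be set together with monitoring of failures by source rather than on its own.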

In the next post…

Now that we have covered the basics of password and account security, we can consider what else you can do to make authentication more robust. In the next post, we will look at ways to enhance security even further by using multi-factor and IP address authentication.