The password paradox

Password overload is weighing on federal workers, leading government security pros to worry about employees dodging security regulations (they worry about it more than their private-sector counterparts).

In a survey of 150 federal IT and security professionals released Sept. 9, Dell probed the state of attitudes toward security.

“I think it shows that sometimes the heavy-handed approach we take to security is too intrusive,” Paul Christman, vice president of federal at Dell Software, said of the survey results.

Too many passwords

While Christman noted that the “Platonic ideal” of security is a single sign-on, only 3 percent of federal respondents said the typical employee needed one login/password combination to do the job. Dell compared federal survey answers to a separate poll of 310 private-sector security professionals; 9 percent of the private-sector respondents said the typical employee had a single login/password combo.

Wrangling between two and five passwords was a far more common answer, given by 47 percent of federal and 58 percent of private-sector respondents.

But feds apparently face an increasing weight of passwords, with 34 percent of federal respondents saying the typical employee needed between six and 10 passwords (compared with only 16 percent for the private sector) and 3 percent of federal respondents pegging the level at more than 50 passwords (only 1 percent of private-sector respondents made that claim).

Another indication that feds are overburdened by security requirements is demonstrated by the fears of their minders.

Dell asked security pros what their organization’s greatest security risk was, and 32 percent of federal respondents said the greatest risk was employees finding workarounds to duck official security measures.

Only 21 percent of private-sector respondents said the same.

Not everyone should carry that weight

In a recent interview with FCW (prior to Dell’s survey publication), Marc Boroditsky, COO of the strong authentication firm Authy, decried the overreliance on passwords and skewered the idea that people should start lying about security question answers as a defense.

“This is the charade that drives me nuts. We put complexity on top of complexity, and call it security,” Boroditsky said. “Why is it the user’s problem to manage the weakness that is built into these systems?”

Boroditsky called for a “simple and modern” set of solutions that includes two-factor authentication and perhaps a single sign-on combined with deep user behavior analytics to notice anomalous behavior and trigger added security steps when suspicious activity is detected. Boroditsky’s example, for a utility: “This guy always pays his bills between 4 and 6 on weekdays, all of a sudden we’re seeing him at 8 on Sunday?”

Christman echoed Boroditsky’s suggestions, and added that the survey results spoke to a real problem within government and the private sector alike.

“Don’t blame the users for finding a workaround,” Christman said, making the case that good security shouldn’t keep employees from being able to get their jobs done.

Stop saying “passwords,” Christman urged, and start saying “identities.”

When identities, vetted by strong authentication, can be connected at the application level, organizations can lighten the password load on their employees, while maintaining vigorous security standards by tracking a host of useful data: user behavior, location, whether a device is encrypted, whether information is being downloaded or merely viewed.

“All of those things can be used to create a more robust and more appropriate risk assessment,” Christman said.

In the more perfect world envisioned by Boroditsky and Christman, the heaviest security strain is placed squarely on the shoulders of users engaged in the riskiest activities.

For everyone else doing normal, low-risk job activities, the load should lighten.