Sadly a classic scenario
Imagine the scene: a new employee arrives at the company on his first day. The IT department, which is there to give him his working tools (PC, telephone, etc.), hands him his login password… on a piece of paper (I could say "post-it", but it seems that brands should not be mentioned…).
It can make you smile: the budget of several tens or even hundreds of thousands of euros devoted each year to cybersecurity, to buying state-of-the-art firewalls, to pen-testing, to antivirus updates, to monitoring critical system patches… all of it weakened by a password written on a small piece of paper.
It is not that simple, though: if the security settings on your Active Directory or LDAP infrastructure are managed correctly, the user will have to change his access code at his first connection. The identifier written on the post-it is therefore a one-time password, which limits the risk of it leaking.
Heavy consequences in terms of IT risk
Nevertheless, despite the precautions taken, this mode of operation poses two problems:
- The user receives a damaging message about the level of security. Even if the risk is low, it makes him laugh to be given this password on a small piece of paper. Not knowing the technicalities, he will have no qualms about passing on passwords by post-it himself, simply because "even IT does it".
- If ever "someone" (a person from your IT department) unchecks the box "require password change at next login" in your Active Directory, the whole security chain is in danger: the user will keep the access code written on his post-it, and since it is complex it is impossible to remember, so the little pink piece of paper will stay on the user's desk (or rather on his screen, because it is easier to read in the morning).
You can do a quick study: spend an evening after everyone has left and take a look at the users' desks. I bet you will find a "password paper" stuck on one screen out of ten.
You can rest assured: password transmission solutions exist
However many IT managers I ask, no one has a "miracle" solution for communicating a password securely. Everyone is looking for IT security solutions for their company, but there is no obvious answer to this problem.
Writing (or printing) a login on paper is obviously not the best way to communicate a password. Some IT departments have therefore implemented other strategies:
- Sending by e-mail: the problem is that the employee does not yet have access to his professional mailbox, so it has to be sent to his personal mailbox. But on the day the employee arrives, either he does not have access to his personal mailbox, or he has printed the mail containing the password, and we are back to the post-it.
- Sending by SMS: if the user has a personal mobile phone and the IT department has the number, this is one of the most secure methods of transmitting a password. Of course, the user must be obliged to change his password the first time he logs on. This is, for example, the solution we chose at Youzer.
- The temporary one-time password: everyone knows it, it can easily be communicated orally and it allows the user to log in easily. Here again, changing it at the first connection is imperative.
- The password generated from the user's personal data (date of birth, social security number…). The advantage of this type of password is that its transmission is protected: it is the method of generating the password that is transmitted, not the password itself, so the user's personal data is needed to "reconstitute" it (relatively easy, but it requires a little research work).
- The transmission of an indirect access code: the pwpush service makes it possible to transmit a code/link which itself gives access to the real password, with some restrictions: for example, after 2 or 3 views or 48 hours the password becomes permanently inaccessible.
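To make the last two points concrete (a random temporary password that must be changed at first logon, and a pwpush-style link that dies after a number of views or a delay, whichever comes first), here is a small added example. It is written for this article and is not pwpush's code nor Youzer's; the store, its names and its defaults (3 views, 48 hours) are assumptions chosen to match the behaviour described above.

```python
import hashlib
import secrets
import string
import time
from dataclasses import dataclass

# Alphabet for the temporary password: letters and digits only, so it can be
# read out over the phone or typed from an SMS without ambiguity about symbols.
ALPHABET = string.ascii_letters + string.digits


def generate_initial_password(length: int = 16) -> str:
    """Random temporary password drawn from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class PushedSecret:
    secret: str          # the real password being handed over
    max_views: int       # link dies after this many successful retrievals
    expires_at: float    # epoch seconds; link dies after this time
    views: int = 0
    must_change: bool = True   # mirrors "require password change at next login"


class SecretPushStore:
    """In-memory store of one-time links (assumed design, not pwpush's).

    The caller receives a bearer token to embed in a link; the store keeps
    only a hash of that token, so a copy of the store does not reveal links.
    """

    def __init__(self, clock=time.time):
        self._items: dict[str, PushedSecret] = {}
        self._clock = clock  # injectable for deterministic tests

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def push(self, secret: str, max_views: int = 3, ttl_seconds: int = 48 * 3600) -> str:
        token = secrets.token_urlsafe(32)
        self._items[self._key(token)] = PushedSecret(
            secret=secret, max_views=max_views, expires_at=self._clock() + ttl_seconds
        )
        return token

    def retrieve(self, token: str):
        """Return the secret, or None once the link is unknown, expired or used up."""
        key = self._key(token)
        item = self._items.get(key)
        if item is None:
            return None
        # Time limit: purge on first access after expiry, even if views remain.
        if self._clock() >= item.expires_at:
            del self._items[key]
            return None
        item.views += 1
        secret = item.secret
        # View limit: the last permitted view deletes the entry immediately.
        if item.views >= item.max_views:
            del self._items[key]
        return secret

    def pending(self) -> int:
        """Number of links still retrievable (for an onboarding dashboard)."""
        now = self._clock()
        return sum(1 for i in self._items.values() if now < i.expires_at)


if __name__ == "__main__":
    store = SecretPushStore()
    temp_pw = generate_initial_password()
    link_token = store.push(temp_pw, max_views=2)
    # The token (not the password) is what goes into the SMS or e-mail.
    print("link token:", link_token)
    print("first view:", store.retrieve(link_token) == temp_pw)
    print("second view:", store.retrieve(link_token) == temp_pw)
    print("third view:", store.retrieve(link_token))  # None: link is dead
```

Two design choices worth noting: the store hashes the token before using it as a key, so a dump of the store does not hand out every live link, and the view counter is decremented on the read path itself rather than by a background job, so there is no window where a "used up" link still answers.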
So, how best to manage this communication of identifiers?
I reiterate the importance of respecting the following principles:
- Use the user's mobile phone to communicate the main identifier (the one used to connect to the messaging system).
- Use professional messaging to communicate the subsequent identifiers.
- Don't use shared identifiers (it seems obvious, but it is always important to say it).
And of course, we must educate, train and raise awareness… because it is the end user who is ultimately the guarantor of his identifiers. Password security awareness is everyone's business, but it is up to the company to instil good practices from day one.
And you, what are your methods of transmitting passwords to newcomers to your company?
Have you put in place a guide or awareness of computer security?