An unfortunately classic scenario
Imagine the scene: a new employee arrives at the company on their first day. The IT department, there to hand over the work tools (PC, phone...), also hands over the login password... on a piece of paper (I could say "Post-it", but apparently you shouldn't name brands...).
It's easy to smile at this: tens or even hundreds of thousands of euros spent every year on cybersecurity (the latest firewalls, pen-testing, antivirus updates, monitoring of critical system updates...), all undermined by a password written on a piece of paper.
Of course, it's not quite that simple: you obviously manage the security settings of your Active Directory or LDAP infrastructure correctly, so the user will have to change this access code the first time they log on. The credential on the post-it note is therefore a one-time password, which limits the risk should it leak.
Serious consequences in terms of IT risk
However, despite these precautions, this way of working poses two problems:
- The user receives a terrible signal about the level of security. Even if the actual risk is low, being handed a password on a small piece of paper gives them a good laugh. Not knowing the technical finer points, they will have no qualms about passing on passwords on post-it notes themselves, simply because "even IT does it".
- If "someone" (someone in your IT department) has unticked the "User must change password at next logon" box in your Active Directory, the whole security chain is at risk: the user will keep the access code written on the post-it, and since it's complex it's impossible to remember, so the little piece of pink paper will stay on the user's desk (or rather on the screen, because it's easier to read in the morning)...
We can do a quick study: drop by in the evening after everyone has gone and take a look at the users' desks: I bet you'll find a "paper password" stuck on one screen in ten.
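The second problem above is detectable rather than a matter of luck: Active Directory records "User must change password at next logon" as pwdLastSet = 0, so an account created recently whose password was set at creation time and never changed since is exactly the case where the box was unticked. The following PowerShell audit is an added example, not code from the article or from Youzer; it assumes the RSAT ActiveDirectory module, a placeholder search base and a 30-day look-back window, all of which you would adapt to your domain. The "set at creation time" test is a heuristic, not a definitive flag read.

```powershell
# Added example, not from the original article: audit an AD domain for recently created,
# enabled accounts whose initial password is still live, i.e. the "User must change
# password at next logon" flag is not set. Needs the ActiveDirectory module (RSAT).
# $DaysBack and the default $SearchBase are assumptions; adjust them to your domain.
param(
    [int]$DaysBack = 30,
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',  # placeholder search base
    [switch]$Fix                                          # re-arm the flag instead of only reporting
)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$DaysBack)

# AD stores "must change password at next logon" as pwdLastSet = 0.
# A recent account with a non-zero pwdLastSet has either already changed its password
# (fine) or was created with the box unticked (the case the article warns about).
# Heuristic used here: if PasswordLastSet equals whenCreated to the minute, the
# password in use is still the one IT handed over at onboarding.
$suspects = Get-ADUser -Filter { Enabled -eq $true -and whenCreated -ge $since } `
                       -SearchBase $SearchBase `
                       -Properties pwdLastSet, PasswordLastSet, whenCreated, PasswordNeverExpires |
    Where-Object {
        $_.pwdLastSet -ne 0 -and
        $null -ne $_.PasswordLastSet -and
        [math]::Abs(($_.PasswordLastSet - $_.whenCreated).TotalMinutes) -lt 1
    }

foreach ($u in $suspects) {
    # Report one row per suspect account
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Created              = $u.whenCreated
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
    }
    if ($Fix) {
        # "Password never expires" overrides the change-at-logon flag, so clear it first.
        if ($u.PasswordNeverExpires) { Set-ADUser -Identity $u -PasswordNeverExpires $false }
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    }
}
```

Run it without -Fix first and review the list: an account whose owner legitimately changed the password within a minute of creation would show up as a false positive, which is why the script reports before it re-arms anything. With -Fix, each flagged user is forced back to a password change at next logon, which turns the paper credential back into the one-time password the article assumes.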
Rest assured: password transmission solutions exist
No matter how many CIOs I ask, no one has a "miracle" solution for communicating passwords securely. Everyone is looking for IT security solutions for their company, but there's no obvious answer to this particular problem.
Writing (or printing) a user's login details on paper is hardly the best way to communicate a password. Some IT departments have therefore put in place one of several strategies:
- Sending by e-mail: the problem is that, as the employee doesn't yet have access to their work e-mail account, you have to send it to their personal e-mail address. But on the day the employee arrives, either they don't have access to their personal mailbox, or they have printed out the e-mail containing the password, and we're back to the post-it...
- Sending by SMS: if the user has a personal cell phone and IT has the number, this is one of the most secure ways of transmitting a password. Obviously, the user must still be required to change the password the first time they log on. This is, for example, the solution we have chosen at Youzer.
- A single temporary password used for every newcomer: everyone knows it, it can easily be communicated verbally and it lets the user log in without difficulty. Here again, changing it at first logon is imperative.
- A password derived from the user's personal data (date of birth, social security number, etc.). The advantage of this type of password is that its transmission is protected: what is communicated is the way the password is built, not the password itself, so you need to know the user's personal data to "reconstitute" it (relatively easy, but it requires a little research).
- Transmission of an indirect access code: the pwpush service lets you send a code or link that gives access to the actual password, with a few restrictions: for example, after 2 or 3 views or after 48 hours, the password becomes permanently inaccessible.
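The last strategy is worth seeing as a mechanism rather than a product: the recipient gets a random token, and the service gives up the secret only while both a view budget and a time limit remain, then destroys it. The PowerShell below is an added illustration of that mechanism, written for this page; it is not pwpush's code and not Youzer's, and it keeps secrets in an in-memory hashtable purely for demonstration (a real service would persist and encrypt them at rest). The defaults of 3 views and 48 hours follow the figures quoted above.

```powershell
# Added example, not from the article or from pwpush: the mechanism the article
# describes, a secret reachable through an indirect token for a limited number of
# views and a limited time, then destroyed. In-memory store for illustration only.
$script:SecretStore = @{}

function New-SecretLink {
    param(
        [Parameter(Mandatory)][string]$Secret,
        [int]$MaxViews = 3,     # as in the article: 2 or 3 views...
        [int]$TtlHours = 48     # ...or 48 hours, whichever comes first
    )
    # 32 random bytes, URL-safe Base64: only this token travels to the recipient.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $token = [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    $script:SecretStore[$token] = @{
        Secret    = $Secret
        ViewsLeft = $MaxViews
        Expires   = (Get-Date).AddHours($TtlHours)
    }
    return $token
}

function Get-SecretFromLink {
    param([Parameter(Mandatory)][string]$Token)
    $entry = $script:SecretStore[$Token]
    if (-not $entry) { return $null }                  # unknown, expired or already burned
    if ((Get-Date) -gt $entry.Expires) {               # time limit reached: destroy, never reveal
        $script:SecretStore.Remove($Token)
        return $null
    }
    $entry.ViewsLeft = $entry.ViewsLeft - 1
    $secret = $entry.Secret
    if ($entry.ViewsLeft -le 0) { $script:SecretStore.Remove($Token) }   # last allowed view burns it
    return $secret
}

# Usage: IT creates the link for a constructed initial password with a budget of two views,
# then the same token is presented three times.
$link = New-SecretLink -Secret 'Initial-Pa55word!' -MaxViews 2
Get-SecretFromLink -Token $link
Get-SecretFromLink -Token $link
Get-SecretFromLink -Token $link
```

The first two calls return the secret; the second one also deletes the entry, so the third returns $null and the secret is gone whether or not the 48 hours have elapsed. Note that the expiry check deletes without revealing, and that an unknown token is indistinguishable from a burned one, so a recipient who finds the link already dead knows someone else opened it, which is the property that makes the indirect code useful at all.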
So how best to manage this communication of identifiers?
Let me restate the principles that matter here:
- Use the user's cell phone to communicate the main login (the one used to connect to the company e-mail system).
- Use the work e-mail system to communicate any subsequent credentials.
- Do not use shared logins (it sounds obvious, but it's always worth making clear).
And of course, we need to educate, train and raise awareness... because it is the end user who is the guardian of their own credentials. Password security awareness is everyone's business, but it's up to the company to introduce good practices, and to do so from day one.
How do you pass on passwords to newcomers in your company?
Have you set up an IT security guide or an awareness program?