That moment when cybersecurity depends on a post-it note

Published: 11/2021
What security measures should be implemented for password transmission within a company? How can security vulnerabilities be avoided?

An unfortunately classic scenario

Imagine the scene: a new employee arrives at the company; it's their first day. The IT department, whose job it is to hand over the work tools (PC, telephone, etc.), also hands over their login password... on a piece of paper (I could say "post-it", but apparently we shouldn't mention brands...).

It is almost funny: the budget of several tens or even hundreds of thousands of euros spent each year on cybersecurity, on state-of-the-art firewalls, on pen-testing, on antivirus updates, on tracking critical system patches... all of it undermined by a password written on a small piece of paper.

Of course, it's not that simple: you have, naturally, configured your Active Directory or LDAP directory correctly, so the user is forced to change their password at first login. The password on the sticky note is therefore single-use: once that first login is done it is worthless, which limits the impact of a leak.

Serious consequences in terms of IT risk

Nevertheless, despite the precautions taken, this way of working poses two problems:

  • The user gets the wrong message about how seriously security is taken. Even if the actual risk is low, they find it amusing to be handed their password on a scrap of paper. Not knowing the technical details, they will have no qualms about passing passwords around on sticky notes themselves, because "even IT does it".
  • If "someone" in your IT department has unticked the "User must change password at next logon" option in Active Directory, the whole security chain is at risk: the user keeps the password they were given, and since it is complex it is impossible to memorise, so the little pink piece of paper stays on their desk (or rather on their screen, where it is easier to read in the morning)...

You can run a quick survey of your own: walk through the office in the evening after everyone has left and look at the desks. I bet you will find a password on paper stuck to one screen in ten.

Rest assured: password transmission solutions exist.

Despite asking every CIO I meet, nobody has a "miracle" solution for communicating a password securely. Everyone is looking for IT security solutions for their company, but there is no obvious answer to this particular problem.

Writing (or printing) a password on paper is really not the best way to communicate it. Some IT departments have therefore adopted one of the following strategies:

  • Sending by email: problematic, because the employee does not yet have access to their professional mailbox, so the message has to go to a personal address. But on their start date they either cannot read that personal mailbox from the office, or they have printed the email containing the password, which brings us back to the sticky note...
  • Sending via SMS: if the user has a personal mobile phone and IT has the number, this is one of the safer methods. The password travels out of band, on a device the new employee already has, and the message becomes worthless as soon as the change at first login has been made. That forced change is the precondition, since SMS itself is not end-to-end encrypted. This is, for example, the solution we chose at Youzer.
  • The temporary standard password: everyone knows it, it is easy to communicate orally, and it lets the user log in without difficulty. Precisely because it is widely known, the change at first login is imperative here more than anywhere.
  • The password derived from the user's personal data (date of birth, social security number, etc.): the attraction is that what is transmitted is the generation rule, not the password itself, so reconstructing the password requires knowing the user's personal data. The caveat is that this data is relatively easy to find for anyone who does a little research, so the derived password is about as exposed as a sticky note and must likewise be changed at first login.
  • Indirect transmission: a service such as pwpush lets you send a link instead of the password. The link gives access to the actual password under restrictions, for example it stops working after 2 or 3 views or after 48 hours, after which the password is permanently inaccessible. The link can travel on a different channel from the rest of the onboarding material, and if the employee finds the link already dead, someone else has read it first.
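To make the restriction mechanism concrete, here is an added example (not code from this page, from Youzer, or from the pwpush project) of the logic behind such a service: a random link token stands in for the password, and the password is deleted once either the view limit or the lifetime is reached. The store, the 2-view / 48-hour defaults, the sample password and the clock values are all constructed for the illustration; a real service would additionally encrypt stored values and serve the link over HTTPS.

```python
"""Indirect password delivery in the style of a pwpush-like service: a random
link token stands in for the password, and the password is destroyed once a
view limit or an expiry is reached (2 views / 48 hours here, as in the text).
Illustrative example; not the pwpush project's own code."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class PushedSecret:
    value: str          # the password being delivered
    expires_at: float   # absolute time after which the link is dead
    views_left: int     # remaining permitted retrievals


class SecretStore:
    """In-memory store. A real deployment encrypts values at rest and serves
    them over HTTPS; both are omitted here to keep the mechanism visible."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._store: Dict[str, PushedSecret] = {}
        self._clock = clock  # injectable so expiry can be tested without waiting

    def push(self, password: str, *, max_views: int = 2,
             ttl_seconds: int = 48 * 3600) -> str:
        """Store a password; return the token that goes at the end of the link."""
        if max_views < 1 or ttl_seconds <= 0:
            raise ValueError("max_views and ttl_seconds must be positive")
        # 32 random bytes (256 bits): the link cannot be guessed or enumerated,
        # and the token reveals nothing about the password it points to.
        token = secrets.token_urlsafe(32)
        self._store[token] = PushedSecret(password, self._clock() + ttl_seconds, max_views)
        return token

    def retrieve(self, token: str) -> Optional[str]:
        """Return the password, or None if the token is unknown, expired or
        exhausted. All three failures look identical to the caller."""
        entry = self._store.get(token)
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            del self._store[token]   # expired: purge, even if nobody ever viewed it
            return None
        entry.views_left -= 1
        if entry.views_left == 0:
            del self._store[token]   # last permitted view: the password is gone for good
        return entry.value

    def purge_expired(self) -> int:
        """Housekeeping: drop expired entries that were never retrieved."""
        now = self._clock()
        dead = [t for t, e in self._store.items() if now >= e.expires_at]
        for t in dead:
            del self._store[t]
        return len(dead)

    def __len__(self) -> int:
        return len(self._store)


def demo() -> dict:
    """Walk through the 2-views / 48-hours policy with a controllable clock.
    The password and timings are constructed for the example."""
    now = [1_700_000_000.0]
    store = SecretStore(clock=lambda: now[0])

    token = store.push("Xk7#pq2!Lm9vR", max_views=2)   # default lifetime: 48 h
    results = {
        "token_length": len(token),             # 43 URL-safe characters
        "first_view": store.retrieve(token),    # the employee opens the link
        "second_view": store.retrieve(token),   # one more permitted view
        "third_view": store.retrieve(token),    # limit reached: None
    }
    # A second push that is never opened dies with the clock instead.
    stale = store.push("Other-Temp-Pass", max_views=3, ttl_seconds=60)
    now[0] += 48 * 3600 + 1
    results["after_expiry"] = store.retrieve(stale)           # None
    results["unknown_token"] = store.retrieve("not-a-real-token")
    results["remaining"] = len(store)                         # everything purged
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the channel carrying the link never carries the password, and that the server, not the recipient, decides when the password stops being readable. The dead-link symptom is the useful side effect: if the employee reports that the link no longer works before they have used it, the view budget was spent by someone else.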

So, how best to manage this credential communication?

I would like to remind you of the importance of respecting the following principles:

  1. Use the user's mobile phone to communicate the main credential (the one used to log into email).
  2. Use professional email to communicate the subsequent credentials.
  3. Do not use shared credentials (it seems obvious, but it is always important to specify).

Of course, education, training and awareness are essential, as the end user is ultimately the one responsible for their credentials. Password security awareness is everyone's business, but it is up to the company to introduce best practices from day one.
What methods do you use to transmit passwords to new employees in your company?
Have you implemented a guide or IT security awareness program?
