
Security vs. Usability - Hitachi ID Password Manager

The human factor is important when formulating password policies and designing authentication processes.

Security is only as good as the practices of the users who implement it. The best technical measures can easily be defeated by users who cannot or will not conform to policy. When confronted by too many passwords, users simply write them down. If passwords are too complex, again users will write them down.

On the other hand, if users are allowed to pick trivial passwords, or to never change their passwords, then they will pick trivial, unchanging passwords. In this case, users will comply with policy, but systems will nonetheless be insecure.

There is a spectrum of security policies that ranges from extremely user friendly but technically insecure at one end to very difficult to use but technically secure at the other. For example, a very technically secure policy might require 20-character passwords consisting of a sequence of randomly generated symbols, changed once a week. Clearly users will not cope well. On the other hand, a very user friendly password policy might allow any dictionary word as a password and never require passwords to be changed. In this case, systems can be compromised directly, regardless of user compliance with policy.

The best achievable security, where both user behavior and system vulnerabilities are considered, is achieved in the middle of this spectrum. That is, passwords must be sufficiently complex so that intruders cannot readily crack them, but must be simple enough that users will be able to remember them.

Password management automation can help to achieve this balance. In particular, password synchronization, a helpful user interface and plenty of advance warning can help users to manage a single, reasonably secure, regularly changing password that applies to all of their login accounts. Hitachi ID Systems' experience in large deployments is that users can readily remember a single, strong, changing password, but that they do not cope well with multiple (e.g., 3 or more) passwords, or with passwords that change too frequently (e.g., more than once a month).
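The following is an added illustration of the "middle of the spectrum" policy described above; it is example code written for this page, not Hitachi ID Password Manager's own implementation. It encodes one balanced policy (a length floor and character-class mix that resists cracking, a dictionary check so decorated words like "Summer2024!!" are refused, a salted-hash history so old passwords cannot be reused, and a rotation period of months rather than weeks with an advance expiry warning). The word list, the policy numbers and the sample passwords are constructed for the example; a real deployment would load a full dictionary and tune the parameters to its own risk.

```python
"""Balanced password policy: complex enough to resist cracking, simple enough
to remember, with reuse prevention and advance warning before expiry."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for a real word list (assumption: production code would
# load a full dictionary). Any password that reduces to one of these is refused.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "summer"}


@dataclass
class PasswordPolicy:
    min_length: int = 12        # long enough that exhaustive search is impractical
    min_classes: int = 3        # of lower / upper / digit / symbol
    max_age_days: int = 90      # rotate roughly quarterly, not weekly
    warn_days_before: int = 14  # plenty of advance warning for the user
    history_depth: int = 10     # never reuse any of the last N passwords


def _char_classes(pw: str) -> int:
    """Count how many character classes the password draws from."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for test in checks if any(test(c) for c in pw))


def _dictionary_base(pw: str) -> str:
    """Reduce 'Summer2024!!' to 'summer' so decorated dictionary words are caught."""
    return "".join(c for c in pw.lower() if c.isalpha())


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored history reveals nothing about old passwords."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 50_000)


def check_password(candidate: str, policy: PasswordPolicy,
                   history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if _char_classes(candidate) < policy.min_classes:
        problems.append(f"uses fewer than {policy.min_classes} character classes")
    if _dictionary_base(candidate) in COMMON_WORDS:
        problems.append("based on a dictionary word")
    # History entries are (salt, digest), newest first; compare in constant time.
    for salt, digest in history[:policy.history_depth]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append(f"reuses one of the last {policy.history_depth} passwords")
            break
    return problems


def remember(history: list[tuple[bytes, bytes]], new_pw: str,
             policy: PasswordPolicy) -> None:
    """Push the accepted password's salted hash onto the history, newest first."""
    salt = os.urandom(16)
    history.insert(0, (salt, hash_password(new_pw, salt)))
    del history[policy.history_depth:]


def expiry_status(last_changed: str, today: str, policy: PasswordPolicy) -> str:
    """Given ISO dates, return 'ok', 'warn' (inside the warning window) or 'expired'."""
    expires = date.fromisoformat(last_changed) + timedelta(days=policy.max_age_days)
    now = date.fromisoformat(today)
    if now >= expires:
        return "expired"
    if (expires - now).days <= policy.warn_days_before:
        return "warn"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    history: list[tuple[bytes, bytes]] = []
    for pw in ("Summer2024!!", "Blue-Kettle-Ocean-41"):
        print(pw, "->", check_password(pw, policy, history) or "accepted")
    remember(history, "Blue-Kettle-Ocean-41", policy)
    print("reuse ->", check_password("Blue-Kettle-Ocean-41", policy, history))
    print("expiry ->", expiry_status("2024-01-01", "2024-03-20", policy))
```

The policy deliberately sits between the two extremes in the text: it refuses a bare dictionary word even when it is decorated with digits and punctuation, yet accepts a memorable multi-word passphrase without demanding random symbols, and the 90-day rotation with a 14-day warning is the kind of schedule users can keep up with when it applies to a single synchronized password.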

Read More:

  • Secure Password Management:
    Passwords are only as good as the weakest link in the password management process.
  • Locking down Password Manager:
    Protecting the Password Manager server, its data and its communications against attack.
  • Password Policy Enforcement:
    Password Manager can enforce a global password policy, ensuring that users choose hard-to-guess passwords, never reuse passwords, and change their passwords regularly.
  • Security vs. Usability:
    The human factor is important when formulating password policies and designing authentication processes.
  • Consistent Authentication Processes:
    Social engineering attacks, packet sniffing and other mechanisms can be used to compromise password security without having to directly crack passwords.
  • Delegating Password Reset Privileges:
    Delegating just the right to reset password to help desk staff or managers, without giving them other, unneeded rights.
  • Audit Logs:
    Audit Trails and transaction logs create accountability in security processes.
  • Authentication Options:
    Authentication processes supported by Password Manager for securely logging in users.