Password, Account and Profile Management
19/06/2012 Article
In this article we look at techniques for managing passwords safely, and then at the two related disciplines that surround them: account management and profile management.
Passwords are everywhere and are usually not taken very seriously by end users. The number of times I come across a user who is more than willing to share their password with me is incredible. Even worse, it is usually something like the company's name followed by this month's number.
I'm sure this story is new to no one, but it does highlight why it is so important that passwords are managed well.
Passwords can be broken, guessed or leaked over time.
The traditional response is a rule that forces users to change their password periodically: the more sensitive the system, the shorter the maximum password age, and the longer the password history kept so that users cannot cycle back to an old password. Be aware of the side effect, though. Forced rotation pushes users towards predictable sequences (the company name followed by the month's number, as above), and current guidance such as NIST SP 800-63B recommends requiring a change when there is evidence of compromise rather than on a fixed schedule. If you do enforce expiry, make the history check reject trivial variants of the previous password, not just exact repeats, or the rule achieves very little.
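A password history is usually implemented as an exact match against the last N stored hashes, which is exactly what the "Acme2012!" to "Acme2013!" habit slips past. The following Python is an added example, not code from the original article: a per-user history store that keeps salted PBKDF2 hashes both of each previous password and of a normalised "core" of it (lower-cased, trailing digits and punctuation stripped, common leet substitutions undone), so that trivial variants are rejected as well as exact repeats. The leet table, the history depth and the iteration count are illustrative choices, and the passwords in the demo are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
import unicodedata

HISTORY_DEPTH = 12          # how many previous passwords to remember (illustrative)
PBKDF2_ITERATIONS = 50_000  # slows brute force of the history store if it ever leaks

# Common keyboard substitutions users apply to "change" a password without really
# changing it. Applied after the trailing digits/punctuation have been removed.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical(password: str) -> str:
    """Reduce a password to the core a user is likely to carry over.

    Normalises Unicode, lower-cases, strips the trailing run of digits and
    punctuation (the '2012!' in 'Acme2012!') and undoes leet substitutions, so
    'Acme2012!', 'acme2013' and '4cme-2014' all reduce to 'acme'. Known gap of
    this heuristic: a leet digit right before the trailing digits ('acm3-2014')
    is stripped with them.
    """
    p = unicodedata.normalize("NFKC", password).lower()
    p = re.sub(r"[\d\W_]+$", "", p)
    return p.translate(_LEET)


class PasswordHistory:
    """A per-user history that stores only salted hashes, never plaintext."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        # (salt, hash of exact password, hash of canonical core), newest last
        self._entries: list[tuple[bytes, bytes, bytes]] = []

    @staticmethod
    def _hash(value: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def record(self, password: str) -> None:
        """Store the new password's exact hash and core hash, evicting the oldest."""
        salt = secrets.token_bytes(16)
        self._entries.append((salt, self._hash(password, salt),
                              self._hash(canonical(password), salt)))
        del self._entries[:-self.depth]

    def check(self, candidate: str) -> str | None:
        """Return None if the candidate is acceptable, otherwise the reason it is not."""
        core = canonical(candidate)
        for salt, exact_hash, core_hash in self._entries:
            if hmac.compare_digest(self._hash(candidate, salt), exact_hash):
                return "reuses a previous password"
            if hmac.compare_digest(self._hash(core, salt), core_hash):
                return "is a trivial variant of a previous password"
        return None


if __name__ == "__main__":
    history = PasswordHistory(depth=3)
    for old in ("Acme2012!", "Acme2013!", "Summer01"):   # constructed history
        history.record(old)
    for new in ("Acme2012!", "acme2014", "Summer02", "correct horse battery staple"):
        print(f"{new!r}: {history.check(new) or 'accepted'}")
```

The core hash is salted with the same per-entry salt as the exact hash, so an attacker who obtains the history store still has to brute-force each entry separately; the cost of that is why the store holds a slow PBKDF2 digest rather than a plain SHA-256.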
Equally, the more often you force users to change their password, the more support calls you will get when they lock themselves out, forget the new password, or let it expire without changing it in time. Self-service portals can let users reset their own passwords using pre-registered information such as a mobile phone number or email address. Remember that the reset channel then becomes part of the authentication path: an attacker who controls the user's mailbox or phone number can reset the password, so those attributes need to be verified when they are registered and protected from casual change afterwards.
Passwords are just one method, albeit a popular one, of authenticating to a user account. Password management should not be confused with account management, which is the process by which you create, modify and delete user accounts. This is possibly one of the riskiest areas in the security landscape because it involves humans and effort. I regularly hear from other IT folk that they still have user accounts for people who left years ago. Or, perhaps more significantly, that a user called up to ask why they couldn't access their account and, when procedure was followed, it turned out that person had been fired.
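One way to catch the two failures described above (accounts of people who have left that are still enabled, and accounts used after the person left), together with accounts nobody has used for months and accounts that have no owner at all, is to reconcile a directory export against the HR leavers feed. The Python below is an added example and not the author's tooling: the CSV layouts, column names and the 90-day threshold are assumptions, and the rows are constructed sample data rather than real accounts. In practice the directory side would come from an export such as Get-ADUser piped to Export-Csv, and the HR side from whatever the HR system produces.

```python
from __future__ import annotations

import csv
import io
from datetime import date, datetime

INACTIVE_DAYS = 90           # enabled accounts unused this long are flagged (assumption)
TODAY = date(2012, 6, 19)    # fixed so the example is reproducible

# Constructed sample data. In a real run DIRECTORY_CSV would be a directory export
# (for AD, e.g. Get-ADUser -Filter * -Properties Enabled,LastLogonDate | Export-Csv)
# and HR_CSV a feed from the HR system; both column layouts are assumptions.
DIRECTORY_CSV = """sAMAccountName,Enabled,LastLogonDate
alice,True,2012-06-15
bob,True,2011-12-01
carol,True,2012-06-10
dave,False,2010-02-20
erin,True,
svc_backup,True,2012-06-18
"""

HR_CSV = """username,status,leave_date
alice,active,
bob,active,
carol,left,2012-05-31
dave,left,2010-03-01
erin,active,
"""


def parse_date(text: str) -> date | None:
    """An empty cell means 'never' (never logged on / has not left)."""
    text = text.strip()
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def reconcile(directory_csv: str, hr_csv: str, today: date,
              inactive_days: int = INACTIVE_DAYS) -> dict[str, list[str]]:
    """Compare directory accounts with HR records and return findings by category."""
    hr = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings: dict[str, list[str]] = {
        "leaver_still_enabled": [],  # HR says left, directory says enabled
        "login_after_leaving": [],   # account was used after the HR leave date
        "inactive_enabled": [],      # enabled but unused for > inactive_days, or never
        "no_hr_record": [],          # no owner in HR: orphan or unowned service account
    }
    for row in csv.DictReader(io.StringIO(directory_csv)):
        name = row["sAMAccountName"]
        enabled = row["Enabled"].strip().lower() == "true"
        last_logon = parse_date(row["LastLogonDate"])
        person = hr.get(name)

        if person is None:
            findings["no_hr_record"].append(name)
        elif person["status"] == "left":
            leave_date = parse_date(person["leave_date"])
            if enabled:
                findings["leaver_still_enabled"].append(name)
            if leave_date and last_logon and last_logon > leave_date:
                findings["login_after_leaving"].append(name)

        # Never-logged-on accounts count as inactive: they are a favourite target.
        if enabled and (last_logon is None or (today - last_logon).days > inactive_days):
            findings["inactive_enabled"].append(name)
    return findings


if __name__ == "__main__":
    for category, names in reconcile(DIRECTORY_CSV, HR_CSV, TODAY).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Running it on the sample data flags carol twice (still enabled, and logged on ten days after leaving), bob and erin as inactive, and svc_backup as having no HR owner; dave, disabled and last used before leaving, produces nothing. A run like this is only as good as the HR feed and the directory's last-logon attribute, so treat the output as a work list for the account team rather than as something to act on automatically.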
Wherever possible it is preferable to have a single place that handles account management: less effort is needed and fewer mistakes are made or items missed. That said, it's not always possible, and there are circumstances where it is not desired. For one, organisations may elect to run a hybrid environment of Windows, Linux and Apple devices; without effort and expertise these machines don't share an authentication mechanism and so need dealing with independently. You might also find that, for security reasons, you run two separate Windows domains: one for the day-to-day user-facing desktops and one for the backbone infrastructure, so that a compromised user account cannot be used directly against the servers.
Good, clear policy documents and the associated training are important here. Since the risk is a human one, the best mitigation is to make your staff good at what they do. You should want that anyway, but this should make you want it more.
In one of my roles we had a seasonal new-user registration period, during which quite literally thousands of users wanted to be signed up within a few days.
The only way we could achieve it was to take the two following actions.
If you think about it, this could be incredibly risky; thankfully it worked for us, as there wasn't a great deal at stake.
The last thing to consider is what could be described as profile management. Profile management can mean a number of things depending on the context, but here it means making sure that any user directory contains appropriate and accurate information. For example, if you use Microsoft's Active Directory you can record postal addresses, extension numbers, mobile numbers and so on, and use them to generate personalised email footers or keep a company phone book up to date. The short version is that these fields should either be used and kept up to date, or not used at all, depending on the organisation's policies. Note that fields in a user's account profile can be sensitive personal data and should be treated accordingly: a directory that every authenticated user can query exposes home addresses and mobile numbers to anyone with an account, not just to the HR or helpdesk staff who need them.