TODAY’S CIO, Winter 2014

Security

Can self-service increase usability and security?
By Kevin Sullivan, Specops Software

WHY SHOULDN’T END USERS manage simple IT tasks, like password resets, themselves? The bulk of all service desk calls are related to passwords, the backbone of access security in most organisations. IT self-service can help reduce costs and deliver additional benefits, such as increased availability and improvements in service levels and user experience, by pushing simple IT tasks to end users.

It should be noted, however, that IT self-service isn’t the miracle worker we’d like it to be. In fact, companies regularly fail to implement self-service solutions successfully and miss out on real value. If the challenge were purely a technical one, it would have been solved years ago. Instead, it’s time to look at the people factor, and at where IT self-service makes sense, to realise self-service goals.

The concept builds on empowering end users to solve simple IT problems themselves, such as password resets. Password resets make up nearly 40 percent of all calls to the service desk, according to analyst firm Gartner. Educating users on password security and providing the tools to manage this themselves will result in major cost savings for the service desk.

Regardless of your access security strategy, passwords probably play an important role. The smartphone revolution has made passwords indispensable for protecting sensitive data, as confidential company information is now in your users’ pockets.

Measuring password security

There is a proliferation of password strength meters around the internet. Each has its own algorithm and its own presentation. They seem to be relatively consistent, and all work from entropy, the degree of randomness in the password possibilities.
Some password meter sites to take a look at include:

■ https://howsecureismypassword.net
■ http://www.passwordmeter.com
■ https://www.grc.com/haystack.htm

If you think about the basics of the guessing game, or brute force attacks, it all becomes very clear. Imagine you are guessing a single character and it can only be a digit: what possibilities exist? Simple, right? There are 10 possibilities, 0 to 9. OK, now guess a single character that can be a letter: 26 possibilities, correct? What if I ask you to guess a letter but you need to specify upper or lower case? 52 possibilities. It is easy to see that as you add options, you increase entropy. This is an oversimplification, but it proves the point: there is always a finite set of options. Longer passwords are stronger passwords. It really is just maths. An 8 character password with just upper and lower case and numbers gives us 53,459,728,531,456 possibilities. A brute force attack, or just random guessing, on a reasonably fast computer speeds up the attack process to a point where passwords are guessed in minutes or hours. Most of the password strength meters listed above calculate at 1000 guesses per second.

Why passphrases increase password security

Making passwords as secure as possible and easy for users to manage themselves is the balancing act that many organisations are struggling with. Passphrases offer a solution to the problem, since these are longer passwords that are harder for computers to crack and easier for users to remember. A 20 character passphrase using only alphabetic characters is much stronger than an 8 character password with complexity, because of the number of possibilities and the resulting amount of time required to crack the password. You might ask: how can passphrases be easier to remember than shorter passwords? The following passphrases are a few examples of how passwords can be long but still easy to remember.

■ This is an amazing password!
■ IThinkChopinIsTheBest
■ My new password, P@ssw0rd, is very strong!
■ Chocolate newt sloth envy picture honeypot?

Are they hard to remember? Not at all. When you allow users to create passphrases, it reduces the number of account lockouts and supports self-service password reset. It also further strengthens password security in your organisation, because users no longer need to resort to insecure ways of remembering passwords, such as writing them down or storing them on their devices.

Why doesn’t everyone use passphrases? People are resistant to change, but, just as with showing the value of self-service, you can show users that passphrases are easier to remember and result in fewer account lockouts. When they realise passphrases are easier than complex passwords, they adopt the concept very quickly. Educating users on how best to manage their passwords, and combining that with technologies that allow you to create policies that enforce rules for your users, are both critical.

There are other concerns, though. In most business situations the user’s identity is actually an amalgam of many different digital identities. A user will have an account in Active Directory, maybe SAP, Office 365, Google Apps, Oracle databases, SQL, AS400… it is never quite as simple as a single account. What if a certain system has a rule such as ‘?’ can’t be used as the first character, or only supports up to 16 characters in a password? The more complex the scenarios, the greater the need to find solutions that build upon your existing password management environment and ensure users can manage their own passwords.

Usability and security in harmony

Password security and self-service programs both benefit from putting the user’s needs first. If you create overly complicated password rules, people will resort to writing down their passwords or repeatedly locking themselves out. This is where self-service password reset plays an important role.
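The arithmetic behind the guessing-game and passphrase sections above, worked through as an added example (this is not code from the article or from Specops Software): it sizes the alphabet a password actually uses, computes the keyspace and its bit-entropy, and converts that into time-to-exhaust at the meters’ 1,000 guesses per second and at an assumed offline cracking rate of 1e10 guesses per second. The character-class sizes and the 1e10 rate are assumptions, not figures from the article.

```python
import math
import string

# Sizes of the character classes a brute-force attacker must cover (assumed);
# 33 = the 32 printable ASCII punctuation characters plus the space.
CLASS_SIZES = {"digits": 10, "lower": 26, "upper": 26, "symbols": 33}
SECONDS_PER_YEAR = 365.25 * 86400

def alphabet_size(password: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    used = set()
    for ch in password:
        if ch in string.digits:
            used.add("digits")
        elif ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        else:
            used.add("symbols")
    return sum(CLASS_SIZES[c] for c in used)

def keyspace(length: int, alphabet: int) -> int:
    """Candidates an attacker must cover: 52 ** 8 is the article's 8-character figure."""
    return alphabet ** length

def entropy_bits(length: int, alphabet: int) -> float:
    """The same quantity on a log scale; each extra bit doubles the attacker's work."""
    return length * math.log2(alphabet)

def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate tried at the given rate."""
    return keyspace(length, alphabet) / guesses_per_second

def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that yields a value of at least 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"

def report(password: str, rates=(1e3, 1e10)) -> dict:
    """Strength summary at the meters' 1,000 guesses/s and an assumed offline rig's 1e10 guesses/s.
    Caveat: this models random characters; a phrase built from dictionary words is attacked
    with wordlists, so its effective entropy is lower than this arithmetic suggests."""
    n, a = len(password), alphabet_size(password)
    return {"length": n, "alphabet": a, "bits": round(entropy_bits(n, a), 1),
            "exhaust": {rate: human_duration(seconds_to_exhaust(n, a, rate)) for rate in rates}}
```

Calling report("IThinkChopinIsTheBest") or report("P@ssw0rd") returns the length, alphabet size, bits and the time to exhaust the keyspace at each rate, so the 21-character alphabetic passphrase and the 8-character complex password from the article can be compared directly.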
Put reasonable security rules in place and then give people the ability to manage passwords themselves.

While many organisations have launched a solution to address some aspects of the password reset burden, few have succeeded in eliminating this type of service desk call. The reasons are plentiful: low adoption, lack of knowledge about the service, limited buy-in from other departments, a service that is too complicated, or no consequences for not using self-service. The fact is that people resist change. Convincing users of the cost savings for the organisation isn’t the way to increase adoption. There are very few individuals who will adopt a change in behaviour for the company’s financial gain only. If you can show the value of the change you are making and connect it to a true need of users, you will see adoption.

Planning starts with people

The people problem starts before a solution is selected, when an organisation is still discussing what it wants to achieve. This planning must include representation of different groups within the organisation – from Human Resources to line managers to Communications and end-user advocates. The primary goal of IT, for example lowering operational costs for the service desk, may not be the only concern for the other groups. Their input and perspective will help drive successful adoption.

Once a solution is selected, it’s time to plan. Identify the target audiences that are critical to the success of the implementation project. Target audiences have different needs, and using a simple communication model can show how to tailor messaging appropriately. Ask yourself: “What do I want target audience X to know, feel and do?” Plan implementation activities around addressing each group, using the support of the other parts of the organisation that are involved in the project. The easiest way to gain acceptance and adoption is to show the value for the individual.
Use the findings from the simple communication model to tell each group how their lives will be better thanks to IT self-service for password management. Values could include 24/7 availability, faster service, faster escalation and increased productivity. Showing the value, not just talking about it, is very effective at increasing understanding. Use the service desk to follow through on the self-service message by directing people to self-service, or by guiding them through the process the first time they get in touch.

Author information

Kevin Sullivan is the Director of Solutions Architecture at Specops Software and a former Program Manager at Microsoft. Specops Software develops solutions for password and desktop management which extend the functionality of Windows infrastructure and make lives easier for IT pros through simplicity, self-service and automation.