Découvrez comment améliorer la sécurité de vos mots de passe dans la gestion des identités et des accès

At one company I worked for, we gave users an incentive for using more secure passwords. Once enrolled in the voluntary program, they were forced to change to a longer password, but the expiration was changed to one year instead of 90 days. Once enough people were voluntarily enrolled, we would force the new policy across the board.

To enforce a strong password policy in an IAM system, set requirements for password complexity, such as a minimum length and a mix of letters, numbers, and special characters. Implement password expiry to ensure passwords are regularly updated, and prevent users from reusing old passwords. Enable account lockout after a specified number of failed login attempts to deter brute-force attacks. Require two-factor authentication (2FA) for an added layer of security. Provide educational resources on creating strong passwords and recognizing phishing attempts. Regularly audit password policies and practices to identify and address vulnerabilities, ensuring a robust security posture.

Para definir a complexidade de senha é importante entender o negócio, regulamentações e clientes. Alguns frameworks, regulamentos e leis dão direcionamentos ou requerimentos quanto ao formato, complexidade e tamanho da senha. Para a realização do enforcement é uma boa prática a utilização de sistemas de gerenciamento de aceso como o AM ou IdP, que pode atuar como um centralizador da implementação da política de senha.

MFA is a potent tool in protecting your customer's accounts and identities. There are various flavors of MFA that may be implemented and the list keeps growing every day. However there are two important things to keep in mind. MFA is not a silver bullet, a good security posture is created by layering controls and polices. MFA may be the first step on your secure by design journey but don't let it be your last. Also keep in mind while some MFA methods are more robust then others choosing one, any one, will help increase overall security for your users. Don't let your organization become paralyzed by inaction in the search for perfection.

I'd also like to add that employees should be encouraged to use password vaults which can prevent the usage of same password through different domains.

Last updated on 3 oct. 2024

Comment appliquer des stratégies de mot de passe fort dans votre système IAM ?

Généré par l’IA et la communauté LinkedIn

La sécurité des mots de passe est un aspect essentiel de la gestion des identités et des accès (IAM), car il protège vos utilisateurs et vos ressources contre les accès non autorisés, les violations de données et les cyberattaques. Cependant, la création et l’application de stratégies de mot de passe fort peuvent être difficiles, en particulier si vous disposez d’une base d’utilisateurs importante et diversifiée, de plusieurs applications et systèmes et d’exigences de conformité différentes. Dans cet article, nous explorerons comment vous pouvez améliorer la sécurité de votre mot de passe en suivant certaines bonnes pratiques et en utilisant certains outils et techniques dans votre système IAM.

Des experts chevronnés contribuent à cet article

Sélectionnés par la communauté pour 35 contributions. En savoir plus

1 Définir la complexité des mots de passe et les règles d’expiration

L’une des premières étapes pour appliquer des politiques de mots de passe forts consiste à définir les normes minimales pour la complexité et l’expiration des mots de passe. La complexité des mots de passe fait référence à la longueur, aux caractères et à l’unicité des mots de passe, tandis que l’expiration du mot de passe fait référence à la fréquence à laquelle les utilisateurs doivent modifier leurs mots de passe. Vous devez définir ces règles en fonction de vos besoins en matière de sécurité, des préférences de l’utilisateur et des réglementations du secteur. Par exemple, vous pouvez exiger que les mots de passe comportent au moins 10 caractères, contiennent un mélange de lettres majuscules et minuscules, de chiffres et de symboles, et ne soient pas réutilisés ou similaires aux mots de passe précédents. Vous pouvez également demander aux utilisateurs de changer leurs mots de passe tous les 90 jours ou après un certain nombre de tentatives de connexion infructueuses.

Ajoutez votre point de vue

Sanjeev Ojha, CISM

Digital Identity, Access, Privilege & Governance| Cloud, Endpoint & Data Security | PAM, IAM, IGA, CIAM, ITDR| ZeroTrust, JIT, FIDO, Password-less, NHI, Compliance. CyberArk Guardian| SailPoint Identity Leader
Signaler la contribution
To enforce a strong password policy in an IAM system, set requirements for password complexity, such as a minimum length and a mix of letters, numbers, and special characters. Implement password expiry to ensure passwords are regularly updated, and prevent users from reusing old passwords. Enable account lockout after a specified number of failed login attempts to deter brute-force attacks. Require two-factor authentication (2FA) for an added layer of security. Provide educational resources on creating strong passwords and recognizing phishing attempts. Regularly audit password policies and practices to identify and address vulnerabilities, ensuring a robust security posture.

Texte traduit

J’aime
Davi Albergaria Coelho Gomes

Identity Product Management | CIAM & IAM | VSO, GPM | Pesquisa e Produtos Digitais de Identidade e Acesso
(modifié)
Signaler la contribution
Para definir a complexidade de senha é importante entender o negócio, regulamentações e clientes. Alguns frameworks, regulamentos e leis dão direcionamentos ou requerimentos quanto ao formato, complexidade e tamanho da senha. Para a realização do enforcement é uma boa prática a utilização de sistemas de gerenciamento de aceso como o AM ou IdP, que pode atuar como um centralizador da implementação da política de senha.

Texte traduit

J’aime
Stuart Thompson

Professional Services leadership. Identity and Access Management (IAM) Security specialist - Architect and Design. Coach, Mentor, Guide, Advisor. Currently building our new house.
Signaler la contribution
You only have to look at the history of password complexity (see UK comedian Michael McIntyres take on passwords) to see that it results in decreased security - users end up writing down passwords, or re-using the same "complex" password over multiple systems. Organisations should be moving away from using passwords and to using dynamic assurance combined with occasional MFA prompts to secure access to their systems

Texte traduit

J’aime
Swapnil Mukherjee

Security Engineer II at Fifth Third Bank | CBTS | Co-Founder at TripShare | IAM | DevOps
Signaler la contribution
Enforcing strong password policies in an Identity and Access Management (IAM) system starts with defining password complexity requirements, such as a mix of characters, numbers, and symbols, and setting expiration rules that prompt users to change their passwords regularly. It’s also crucial to educate users on the importance of strong passwords and motivate them to adhere to best practices. Implementing multi-factor authentication adds an extra layer of security. Regular monitoring and auditing of password activity help identify and mitigate potential vulnerabilities. Lastly, continuously reviewing and updating password policies ensures they remain robust and aligned with evolving security threats.

Texte traduit

J’aime
ABHISHEK AGRAWAL

17K+ | Senior Sailpoint Architect and Identity Access Management Practitioner at Wipro Limited | CISM | CC | AZ-900 | AI-900 I UAE Golden Visa Holder
Signaler la contribution
In enforcing strong password policies within an IAM (Identity and Access Management) system, I implement several measures. Firstly, I require passwords to meet complexity criteria, including length, special characters, and a mix of upper and lower-case letters. Secondly, I enforce regular password changes to mitigate the risk of prolonged exposure. Additionally, I implement multi-factor authentication (MFA) to add an extra layer of security beyond passwords. Lastly, I conduct regular security audits and provide user education on the importance of strong passwords to maintain a robust security posture.

Texte traduit

J’aime

Charger plus de contributions

2 Éduquez et motivez vos utilisateurs

Une autre étape importante pour appliquer des politiques de mots de passe forts consiste à éduquer et à motiver vos utilisateurs sur les avantages et les risques de la sécurité des mots de passe. Vous devez fournir des conseils clairs et cohérents sur la façon de créer et de gérer des mots de passe, tels que l’utilisation d’une phrase secrète, l’évitement des informations communes ou personnelles et l’utilisation d’un mot de passe différent pour chaque compte. Vous devez également expliquer les conséquences des mots de passe faibles ou compromis, tels que le vol d’identité, la perte de données ou la responsabilité légale. Vous pouvez utiliser différentes méthodes pour communiquer et inciter vos utilisateurs, telles que les bulletins électroniques, les messages contextuels, la gamification ou les récompenses.

Ajoutez votre point de vue

Dave Blankenship

Seasoned Cybersecurity Leader | Identity and Access Expert | Aspiring Woodworker
Signaler la contribution
At one company I worked for, we gave users an incentive for using more secure passwords. Once enrolled in the voluntary program, they were forced to change to a longer password, but the expiration was changed to one year instead of 90 days. Once enough people were voluntarily enrolled, we would force the new policy across the board.

Texte traduit

J’aime
ABHISHEK AGRAWAL

17K+ | Senior Sailpoint Architect and Identity Access Management Practitioner at Wipro Limited | CISM | CC | AZ-900 | AI-900 I UAE Golden Visa Holder
Signaler la contribution
To foster a positive attitude towards strong password policies, Firstly, I arrange training sessions, highlighting the importance of cybersecurity, the role passwords play & real-world examples of breaches & consequences. Offer incentives for compliance i.e. recognition programs for adhering to password policies. Additionally, I create a supportive environment where staff feel comfortable asking questions regarding password management tools. I emphasize the convenience & benefits of strong passwords, showcasing how they contribute to a safer work environment & protect personal data. By promoting a culture of security awareness & empowerment, we motivate staff to support strong password policies willingly rather than seeking ways around.

Texte traduit

J’aime
Michelle R. Sheley
Signaler la contribution
Use Microsoft tools like Entra password protection to detect known passwords and make recommendations to users to change their insecure password

Texte traduit

J’aime
Hector Teran

Director, Customer Success Manager | Business Relationship Manager
Signaler la contribution
Teaching and motivating users about password security is key, but there are some surprising challenges. Too much info can overwhelm people, and focusing too much on risks can make them anxious and avoid the topic. Gamification might lead users to chase rewards instead of understanding security. Relying on rewards could also mean they only follow rules for prizes. Too many messages can make them tune out, and assuming everyone has the same tech skills can backfire. Personalized advice needs to respect privacy, and mandatory training can cause resentment. Instead, keep the information simple, engaging, and well-timed to make password security lessons effective.

Texte traduit

J’aime
Rakesh Krishnamoorthy

Identity and Access Management Analyst @ Orion Labs | IAM-SailPoint IIQ | PAM-CyberArk | Active Directory | Powershell
Signaler la contribution
1. Educate users on the importance of logging out of their systems before leaving their workstations, even for short periods. 2. Encourage users to avoid storing passwords in easily accessible formats like notepads or sticky notes. 3. Emphasize the importance of not sharing passwords with colleagues and avoiding using easily guessable information, such as birthdays or common words.

Texte traduit

J’aime

Charger plus de contributions

3 Mettre en œuvre l’authentification multifacteur

Une troisième étape pour appliquer des politiques de mot de passe fort consiste à implémenter l’authentification multifacteur (AMF), ce qui ajoute une couche de sécurité supplémentaire à votre processus de connexion. MFA exige que les utilisateurs fournissent non seulement leur mot de passe, mais aussi un autre facteur, tel qu’un code envoyé sur leur téléphone, un scan biométrique ou un jeton matériel. L’authentification multifacteur réduit le risque de craquage de mot de passe, de phishing ou de bourrage d’informations d’identification, car il est plus difficile pour les attaquants d’accéder à vos comptes. Vous pouvez utiliser divers outils et techniques pour activer l’authentification multifacteur dans votre système IAM, tels que les SMS, les e-mails, les notifications push ou les applications tierces.

Ajoutez votre point de vue

Titus James

Collaboration & IDM Manager for King's College London
Signaler la contribution
MFA is a potent tool in protecting your customer's accounts and identities. There are various flavors of MFA that may be implemented and the list keeps growing every day. However there are two important things to keep in mind. MFA is not a silver bullet, a good security posture is created by layering controls and polices. MFA may be the first step on your secure by design journey but don't let it be your last. Also keep in mind while some MFA methods are more robust then others choosing one, any one, will help increase overall security for your users. Don't let your organization become paralyzed by inaction in the search for perfection.

Texte traduit

J’aime
ABHISHEK AGRAWAL

17K+ | Senior Sailpoint Architect and Identity Access Management Practitioner at Wipro Limited | CISM | CC | AZ-900 | AI-900 I UAE Golden Visa Holder
Signaler la contribution
Implementing multi-factor authentication (MFA) enhances security by requiring an additional verification alongside passwords, like a code sent to a phone or biometric scan. MFA mitigates risks of password hacking and phishing, bolstering account protection against unauthorized access. Various methods, including SMS, email, or third-party apps, can enable MFA in IAM systems.

Texte traduit

J’aime
Stuart Thompson

Professional Services leadership. Identity and Access Management (IAM) Security specialist - Architect and Design. Coach, Mentor, Guide, Advisor. Currently building our new house.
(modifié)
Signaler la contribution
Some of this is outdated. SMS, Email methods are too open to attack by bad actors. TOTP via secure channels should be the main method for implementing MFA, including pattern matching techniques e.g. show a number, the use has to choose it in a mobile app. Beware of MFA fatigue - yes this is a real thing. User experience can suffer greatly if MFA is deployed widely and unnecessarily.

Texte traduit

J’aime
Rakesh Krishnamoorthy

Identity and Access Management Analyst @ Orion Labs | IAM-SailPoint IIQ | PAM-CyberArk | Active Directory | Powershell
Signaler la contribution
Implementing MFAs provides an additional layer to security. There are three common methods of authentication: ● Something you know: Passwords (Complexity and password change policies has to be determined). ● Something you have: Tokens. (Authenticator and google duo). ● Something you are: Biometrics (facial recognition and fingerprints). Out of these 3, at least 2 layers should be implemented for the enhanced security.

Texte traduit

J’aime

Charger plus de contributions

4 Surveiller et auditer l’activité des mots de passe

Une quatrième étape pour appliquer des stratégies de mot de passe fort consiste à surveiller et à auditer l’activité des mots de passe, ce qui vous aide à détecter et à prévenir tout comportement suspect ou malveillant. Vous devez suivre et analyser diverses mesures et événements liés à la sécurité des mots de passe, tels que les modifications de mot de passe, les réinitialisations de mot de passe, les échecs de mot de passe, les verrouillages de mot de passe ou les violations de mot de passe. Vous devez également configurer des alertes et des notifications pour toute anomalie ou violation, telle que des emplacements, des appareils ou des heures de connexion inhabituels, ou des tentatives répétées de mot de passe. Vous pouvez utiliser divers outils et techniques pour surveiller et auditer l’activité des mots de passe dans votre système IAM, tels que les journaux, les rapports, les tableaux de bord ou les analyses.

Ajoutez votre point de vue

Shrinjaya Ghosh

Senior Information Security Analyst - Deutsche Bank || Ex-Conduent || Ex- Wipro || Blogger - ThePowerBlogs(Instagram)
Signaler la contribution
Passwords are the key to secure and seamless functioning of the cyber world. Any infringement on the methods of password protection warrant an RCA of the breaches and failures. It is essential that regularly monitoring password activities can increase the strength and complexity of these credentials. Several companies can invest in password tracking and monitoring systems which would not only reveal the weak links in their password protection mechanisms, but also build ways to increase the potential of creating and managing strong passwords through dashboards, metric analysis and notifications for anomalies noticed otherwise.

Texte traduit

J’aime

Charger plus de contributions

5 Vérifier et mettre à jour vos stratégies de mot de passe

Une cinquième étape pour appliquer des politiques de mots de passe forts consiste à examiner et à mettre à jour régulièrement vos politiques de mot de passe, ce qui vous aide à vous adapter à l’évolution du paysage de la sécurité et aux commentaires des utilisateurs. Vous devez évaluer l’efficacité et l’efficience de vos stratégies de mot de passe, telles que leur capacité à atteindre vos objectifs de sécurité, leur facilité à suivre et à appliquer, et la satisfaction de vos utilisateurs. Vous devez également tenir compte des dernières tendances et des meilleures pratiques en matière de sécurité des mots de passe, telles que l’utilisation de l’authentification sans mot de passe, des gestionnaires de mots de passe ou de l’authentification unique. Vous pouvez utiliser divers outils et techniques pour examiner et mettre à jour vos stratégies de mot de passe dans votre système IAM, tels que des enquêtes, des formulaires de commentaires, des tests ou une configuration.

Ajoutez votre point de vue

ABHISHEK AGRAWAL

17K+ | Senior Sailpoint Architect and Identity Access Management Practitioner at Wipro Limited | CISM | CC | AZ-900 | AI-900 I UAE Golden Visa Holder
Signaler la contribution
Regularly reviewing and updating password policies is crucial for adapting to security changes and user needs. Assess effectiveness, ease of use, and satisfaction, and incorporate trends like passwordless authentication and single sign-on. Tools like surveys, testing, and configuration adjustments aid in policy refinement within your IAM system.

Texte traduit

J’aime
Michelle R. Sheley
Signaler la contribution
Businesses should make it mandatory for employees to log out of their computers once they leave their workstations. Employees must sign out from all accounts that are not in use to prevent insider threats and hackers from accessing confidential information. To ensure everyone adheres to the policy, system administrators should set computers to lock or sign out after a given period when they are not in use. Furthermore, users should revoke permissions granted to third-party applications integrated with the main account. Hackers can attack applications with weaker security to gain access to the main account.

Texte traduit

J’aime

Charger plus de contributions

6 Voici ce qu’il faut prendre en compte

Il s’agit d’un espace pour partager des exemples, des histoires ou des idées qui ne correspondent à aucune des sections précédentes. Que voudriez-vous ajouter d’autre?

Ajoutez votre point de vue

Mert Ayaz

Identity and Access Management Architect
Signaler la contribution
I'd also like to add that employees should be encouraged to use password vaults which can prevent the usage of same password through different domains.

Texte traduit

J’aime
Kenny Paton

Account Director Scotland and NI Manager at Idenprotect, Enabling the adoption of Secure Cloud Identity for Scotland and Northern Ireland Marketplace
Signaler la contribution
Move away from passwords altogether using the likes of Okta, less IT support required, great staff user and customer experience.

Texte traduit

J’aime
Mohamed Mahrous

Cybersecurity Identity Access Management Manager | Privileged Access management | ISO 27001 LI
Signaler la contribution
Educate users about the importance of strong password practices and the risks associated with weak or compromised passwords , Establish clear and comprehensive password requirements based on industry best practices and security standards ,Set password expiration policies to prompt users to change their passwords regularly , Enable multi-factor authentication to add an extra layer of security beyond passwords , Implement account lockout policies to prevent unauthorized access due to repeated failed login attempts .

Texte traduit

J’aime
Sashikanth Elluri

Identity and Access Management | Identity Governance & Administration | Saviynt & Radiant logic Certified | Single Sign On | SAML | OAUTH2/OIDC| MFA | Ex. Identity Architect at Simeio
Signaler la contribution
For enhanced security, combine a strong password policy with MFA. MFA adds an additional layer of protection by requiring a second form of authentication (such as a text message or authentication app) along with the password. Some common password mistakes to avoid; - Reusing the same password - Changing passwords with a single character - using personal information in passwords - Sharing passwords with others - Passwords that are Too short - Insecurely storing passwords - Using common passwords, which are easily guessed by attackers.

Texte traduit

J’aime
Chris Holt

Recruiter Contract | Perm | Talent Solutions. Recruitment. Cyber Security | Identity | +447884666351 Chris.holt@dclsearch.com
Signaler la contribution
Having the right people in the business is the key. From defining the policies, monitoring and evaluating their effectiveness and user awareness. Employ or engage the right team and the rest is straightforward. To do this reach out to DCL Search. Contact me on 07884666351 or chris.holt@dclsearch.com

Texte traduit

J’aime

Charger plus de contributions

Gestion des identités et des accès (IAM)

+ Suivre

Notez cet article

Nous avons créé cet article à l’aide de l’intelligence artificielle. Qu’en pensez-vous ?

Il est très bien Ça pourrait être mieux

Signaler cet article

Tout voir

Comment appliquer des stratégies de mot de passe fort dans votre système IAM ?

1

2

3

4

5

6

1 Définir la complexité des mots de passe et les règles d’expiration

2 Éduquez et motivez vos utilisateurs

3 Mettre en œuvre l’authentification multifacteur

4 Surveiller et auditer l’activité des mots de passe

5 Vérifier et mettre à jour vos stratégies de mot de passe

6 Voici ce qu’il faut prendre en compte

Gestion des identités et des accès (IAM)

Notez cet article

Nous vous remercions de votre feedback

Plus d’articles sur Gestion des identités et des accès (IAM)

Lecture plus pertinente