How to overcome weak passwords
The importance of setting strong passwords is hammered into us every week. We
visit websites whose registration forms tell us how secure our chosen password
is. We hear about it on the news. We see it in the emails we get every few
months reminding us to update our passwords. So you'd have thought that by now
most people use reasonably strong passwords, right? Unfortunately that's just
not the case, and it's quite likely that weak passwords are among the largest
vulnerabilities that exist in your organisation.
Let's take a look at Adobe's data breach. It was a widely reported security
disaster in which ~150 million encrypted passwords were leaked, creating one of
the biggest crossword puzzles of all time. It didn't take long for people to
start trying to crack it, and within no time at all a list of the 100 most
commonly used passwords was released. Of the 150 million leaked passwords, 1.9
million were "123456", 450 thousand were "123456789" and 350 thousand the famous
"password". In total, 5.96 million of the leaked passwords were in this top 100
list: about 4%. Now, if people are doing this with their online accounts, what
about their computer passwords? Company email credentials? Intranet login
details? Accounting software logins... It doesn't take much for an attacker to
test 100 common passwords against a few hundred employees. How long will it be
until they find a match and compromise your systems? Not long. What's an
organisation to do about it, though? Weak passwords are a lot like the flu of
information security: a persistent problem that we don't seem to be very good
at solving. Lots of promising alternatives have so far been slow to replace
passwords, but there are a few reasonable options available to organisations.
1. Single Sign-on
Single sign-on is all about reducing the number of places your employees need
to log in, by combining systems so that one remembered password is enough. This
means that all employees can use one secure password for their single sign-on
login and not have to worry about any others, resulting in more secure password
choices. The great thing about single sign-on is that it also improves
productivity. Employees spend less time trying to remember usernames and
passwords and phoning up IT, and more time doing their job. Of course, single
sign-on isn't without its risks. If an employee's main password is compromised,
all of the systems they can access are compromised. This means that educating
employees on secure password best practices is vital.
2. Biometrics
Biometrics are taking off slowly, but offer an excellent opportunity for
organisations to eliminate passwords altogether. There are still issues; for
example, Lenovo's ThinkPads had fingerprint scanners for authentication that
were great for a while, but once the sensors got dirty it took countless swipes
to gain access, and caused a whole load of user frustration. That's far from
perfect. One promising area in biometrics is voice recognition. There's some
impressive technology around, like Nuance's voice biometrics solution, that
allows employees to authenticate themselves with their voice.
3. Bringing it Together With Two-Factor Authentication
Perhaps the most favoured way to improve password security is to combine more
than one authentication method. If you're going to use single sign-on with a
password, combine it with a second method of authentication. For example, when
someone signs in, send a text message to their mobile phone with a unique
number they need to enter to log in for that particular session. Another
two-factor option is to combine a single sign-on password with biometrics. How
about having users use voice authentication in addition to their password?
Two-factor authentication makes life much harder for attackers. It's a much
bigger challenge to acquire both someone's password and full access to their
mobile phone, or a password and their voice, than a password alone. So don't
let password security get swept under the mat. Think about how your company
manages employee passwords and what can be done to improve the situation. It's
too big an issue to be ignored.
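As an added illustration of the per-session text-message code described above (this is example code, not code from the original post or from any product it mentions), here is a server-side sketch in Python of issuing and checking such a code. The six-digit length, five-minute lifetime, attempt limit and server key are assumed values; delivering the code by SMS is outside the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed: six-digit code, as commonly texted to a phone
CODE_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed before the code is void


class SessionCodeStore:
    """Server-side store of pending one-time codes, one per login session.
    Only an HMAC of each code is kept, so a leaked store does not reveal codes."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now                      # injectable clock, for tests
        self._pending = {}                   # session_id -> (digest, expires_at, attempts_left)

    def _digest(self, session_id: str, code: str) -> bytes:
        # Bind the code to the session so a code issued for one session
        # cannot be replayed against another.
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Create a fresh random code for this session and return it for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._now() + CODE_TTL_SECONDS
        self._pending[session_id] = (self._digest(session_id, code), expires_at, MAX_ATTEMPTS)
        return code

    def verify(self, session_id: str, submitted: str) -> bool:
        """True only for the unexpired, unused code of this session, within the attempt limit."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[session_id]    # stale or locked out: discard
            return False
        ok = hmac.compare_digest(digest, self._digest(session_id, submitted))
        if ok:
            del self._pending[session_id]    # single use: a code never verifies twice
        else:
            self._pending[session_id] = (digest, expires_at, attempts_left - 1)
        return ok
```

The constant-time comparison, expiry, single use and attempt limit are what stop a texted code from being guessed or replayed, and they are the checks to look for when reviewing a two-factor login.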
Mr. Manoj Kumar
Assistant Professor
Computer Science Engineering