Do Passwords Really Have to be Such a Pain?
Strong passwords are critical for effective cybersecurity but they’re also a headache. In an ever-more threatening landscape, the weakest link in the system is the individual user, and their propensity for weak passwords.
“We’re going to continue to see breaches based on people not doing basic things... like using default passwords or not patching – which [is] going to continue to lead to large breaches,” says Alex Hamerstone, Governance, Risk and Compliance Practice Lead at TrustedSec.
A good security system is one that people actually use. If the security team insists on passwords that can’t be memorised or that have to be changed on a monthly basis, then staff will inevitably tape notes to their monitors – opening up enormous holes in the system.
Many of those who gave this type of advice in the past have now changed their minds. Bill Burr, the author of the US National Institute of Standards and Technology (NIST)’s cybersecurity advice, told The Wall Street Journal, “[My recommendations were] probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree. It just drives people bananas and they don’t pick good passwords no matter what you do. Much of what I did, I now regret.”
SplashData, meanwhile, publishes an annual Worst Passwords List, based on millions of passwords leaked in data breaches.
The five worst offenders for 2017 were:
In the 2016 edition, the 25 weakest passwords accounted for 10% of all passwords surveyed – and the worst (123456) accounted for 4% all on its own. In short, trying “123456” will grant immediate access to 1 in 25 accounts. Using the same character repeatedly, or using your account name, email address or the page URL is likely to be equally problematic.
These lists illustrate the importance of using more complex, unique passwords – rather than leaving the door wide open. Of course, these lists also illustrate a second order threat. If you use the same password on multiple accounts (which 80% of users do, according to Keeper Security) then having your password cracked on one platform could endanger your security across a whole range of services if your usernames can be guessed – threading back from a little-used forum account to your primary email, for example.
And one of the reasons that these lists exist is the fact that some sites still store passwords without encryption – meaning that they can then be stole en masse. As Marco Essomba, founder of iCyber-Security, notes, this presents a critical threat.
An approach to developing stronger passwords that has been popular in recent years is to use a series of words linked by numbers – for example “floating35wonderfully”, which is long and reasonably memorable.
And among the strongest measures available is the use of password managers like LastPass and 1Password, which allow users to store hundreds of passwords – and to save extremely strong passwords that would be impossible for the individual to recall. However, these platforms have yet to make it to the mass market and are arguably inaccessible for consumer users.
Biometrics have begun to make inroads with facial recognition and fingerprint scanners being deployed on mobile phones. But broader usage may be problematic – after all, once your DNA or “eye print” is stolen, then it’s gone for good. Other solutions include monitoring other indicators such as system specs and user location as well as behavioural biometrics, like mouse movements and keystroke patterns.
Where double verification is available then use is advised – whether it takes the form of an SMS passcode sent to a smartphone or Google’s yes/no verification scheme.
“Human beings are lazy when it comes to creating passwords,” notes Marco. “However, more worryingly, computing power is increasing dramatically. There are password-cracking tools available today that can guess passwords using brute force computational algorithms in a relatively short period of time – and with the advent of quantum computing, this threat will increase exponentially. This is why two-factor authentication is absolutely critical. And, in my opinion single-password authentication should be banned completely.”
One solution for providers is to limit the number of times incorrect passwords can be entered – making cracking far more difficult. Equally, as passwords become longer, then they become exponentially more difficult to solve (provided they don’t follow a predictable pattern). However, the user still has to remember the password for it to work, of course.
So, What’s The Solution for The Man on The Street?
• Turn on double verification wherever possible
• Don’t use the same passwords for multiple accounts
• Don’t just use a name or a noun – try to use a mix of letters, numbers and special characters
• Make sure that it’s something you can easily remember.
Perhaps most importantly, security professionals need to explain why good security is needed. Passwords are not intended to obstruct the user but to safeguard their account and the information stored in it.
Equally, phishing can only be addressed by education – users should be aware that if someone is asking for account details or an unusual email has directed them to a login page, then they should be aware that they may be getting scammed.
Ultimately, strong security lies in programmes that are geared towards the user’s needs. Making access as easy as possible will hence ensure that the appropriate security measures are used – rather than being circumvented by impatient users.
Browse Our Latest Tech RolesCurrent Vacancies
Empiric is a multi-award winning business and one of the fastest growing technology and transformation recruitment agency's specialising in data, digital, cloud and security. We supply technology and change recruitment services to businesses looking for both contract and permanent professionals.
Read more (pdf download)
Empiric are committed to changing the gender and diversity imbalance within the technology sector. In addition to Next Tech Girls we proactively target skilled professionals from minority groups which in turn can help you meet your own diversity commitments. Our active investment within the tech community allows us to engage with specific talent pools and deliver a short list of relevant and diverse candidates.
For more information contact
02036757777To view our latest job opportunities click here.