The problem with passwords is they’re no longer fit for purpose.
The threats passwords were meant to stop have outpaced them. In a 24/7-connected world, passwords are now part of the problem rather than the solution.
Niall King is the senior Asia Pacific sales director for digital security company Centrify.
Passwords are intended to defend our private information from bad guys who want to steal or exploit it. As well as keeping our identities and details safe, they should protect our suppliers from joining the long list of corporations that are hacked and then publicly exposed – the latest example being Yahoo.
But they don’t work. Research consistently shows that stolen passwords are a leading cause of data breaches: Verizon's 2016 Data Breach Investigations Report states that 63 per cent of confirmed data breaches involved weak, default or stolen passwords.
One reason is that people are poor at creating effective passwords. Because we expect to remember them, many people choose passwords that are easy to recall – to a ludicrous degree. Recent hacks reveal the most popular passwords include 123456, qwerty and, of course, password.
Passwords also fail because of poor security habits, such as password sharing. While Facebook and Twitter make sharing second nature, it’s dangerous to share your password with a family member, a friend or a colleague.
People who use complex passwords often write them on a piece of paper or store them in a Word file for easy use. Even if they remember them, they may well reuse that same password for multiple logins or change them infrequently.
All of which are security no-nos.
Conventional best practice calls for passwords that are at least eight characters long, mix letters, numbers, capitals and special characters, and are changed every month or three. (Current guidance such as NIST SP 800-63B has since moved away from forced composition rules and scheduled rotation, which push users toward predictable patterns, in favour of longer passphrases screened against lists of breached passwords.)
The killer point is that they must be unique for each program, app and online service you use.
This is security’s Catch-22: effective passwords are too complex to remember, so if you can recall them, they’re probably not effective.
So the bottom line is that relying exclusively on passwords for protection is not just risky: It’s foolish.
Passwords are our greatest security weakness because they lull us into a false sense of security.
So if the password is the problem, what is the solution? The good news is this answer is well known.
Mature federation standards such as SAML (Security Assertion Markup Language) let a central identity provider authenticate a user once and assert that identity to many applications (Single Sign-On, or SSO). Because each service no longer holds its own password for the user, and because MFA and access policy can be enforced in one place, this raises the security bar much higher than even the most rigorously observed password regime (password vaults included).
Multi-factor authentication (MFA) grants access only after the user successfully presents more than one “factor” to the authentication mechanism. The factors come from different categories: something you know (e.g. a password or PIN), something you have (e.g. a bank card, a hardware token or an authenticator app on your phone) and something you are (e.g. a biometric such as a fingerprint).
You should use MFA whenever it’s available, so that even if your password is stolen, a hacker has to jump a higher hurdle to access your account.
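To make the “something you have” factor concrete, here is an added example (not Centrify code, and not part of the original article) of how a one-time code from an authenticator app or token is generated and checked. It implements RFC 4226 HOTP and RFC 6238 TOTP and then combines the code with a password check, so that a stolen password alone is refused. The user record, salt and the `login` function are constructed for the demo; the shared secret is the RFC reference secret so the output can be checked against the published test vectors.

```python
"""Second factor demo: RFC 4226 HOTP / RFC 6238 TOTP plus a two-factor login check.

Added example, not Centrify code. The user record, salt and helper names are
constructed for the demo. In production the TOTP seed is provisioned to the
user's phone or token and stored encrypted on the server.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used so
# the codes can be checked against the published test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(secret, int(unix_time) // step, digits)


def match_totp(secret: bytes, submitted: str, unix_time: int,
               step: int = 30, window: int = 1, digits: int = 6):
    """Return the time-step counter whose code matches `submitted`, or None.

    `window` tolerates clock drift of +/- `window` steps between device and
    server. compare_digest keeps the comparison constant-time.
    """
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return counter + delta
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 password hash (the 'something you know' factor is never stored in clear)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (hypothetical); the TOTP seed reuses the RFC secret.
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": RFC_SECRET,
        "last_counter": -1,  # highest time step already accepted (replay guard)
    }
}


def login(users: dict, username: str, password: str, otp_code: str, unix_time: int) -> str:
    """Two-factor check: something you know (password) AND something you have (TOTP device)."""
    user = users.get(username)
    if user is None:
        return "denied: unknown user"
    if not hmac.compare_digest(hash_password(password, _SALT), user["pw_hash"]):
        return "denied: bad password"
    counter = match_totp(user["totp_secret"], otp_code, unix_time)
    if counter is None:
        # A stolen password ends here: the attacker has no code from the device.
        return "denied: bad one-time code"
    if counter <= user["last_counter"]:
        # A code captured over the shoulder must not work a second time.
        return "denied: one-time code already used"
    user["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 vector time; 8-digit code here is 07081804
    code = totp(RFC_SECRET, now)
    print(login(USERS, "alice", "correct horse battery staple", code, now))
    print(login(USERS, "alice", "correct horse battery staple", code, now))
    print(login(USERS, "alice", "correct horse battery staple", "000000", now))
    print(login(USERS, "alice", "wrong", code, now))
```

Two design points matter in practice: accept a small drift window so legitimate users with a slow clock are not locked out, but never accept a counter at or below the last one used, otherwise a code observed during login can be replayed within that window.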
MFA systems should be easy to use and hard to hack. That’s why biometrics are becoming popular: a fingerprint or retina scan is hard for an attacker to steal or guess at login time. The caveat is that a biometric cannot be changed if its template is ever leaked, so it works best as one factor alongside another, with templates kept on the user's device rather than in a central store.
MFA is now easier to deploy and more intuitive and convenient for users, thanks to cloud-hosted identity services and the mobile and biometric hardware consumers already carry.
To learn more about life beyond passwords, read about Centrify's Identity Service.