The fact is that we are largely incapable of selecting different passwords for each use, let alone making each a complex string of unmemorable letters, symbols, and numbers. Interestingly Barclays Bank UK has said that passwords are out, and voice recognition is in – at least it has over 100 characteristics that can be measured. Other banks like HSBC will be implementing touch ID and facial recognition.
Microsoft has also beefed up its Windows 10 security, in particular extending Windows Hello to both facial recognition and other biometrics like fingerprints.
iTWire sought comment from Centrify, a leading enterprise identity management company. Lachlan McKenzie, ANZ manager for Centrify, warned that many Australian and New Zealand companies risk their IT security by over-relying on passwords. The remainder of the commentary is paraphrased.
The most disturbing observation I have found in my first year at Centrify is the blind faith businesses place in passwords. The fact is that compromised credentials are the leading attack vector for data breaches globally.
One problem is that people are lazy at creating effective passwords. Because we’re expected to remember them, many people choose passwords that are easy to recall – to a ludicrous degree. Recent hacks reveal the most popular passwords include 123456, qwerty and, of course, password.
If you must use passwords use a reputable password manager like LastPass or KeePass. Passwords must be:
- As long as possible – 10-15 characters
- A mix of alpha, numeric, symbols and upper and lower case
- Different – DO NOT USE the same or similar root section for multiple websites
- Never written down or shared or stored in plain text – use a password vault
Passwords also fail due to poor security habits, such as password sharing. Although we’re all warned not to share our passwords with family members or colleagues, people continue to do it.
Passwords can easy be sold on the dark web as evidenced by the majority of breaches coming from stolen or purloined credentials.
The solution to this password problem is well known - use mature security standards such as SAML (Security Assertion Markup Language) and use multi-factor authentication but the challenge is to encourage businesses to make this sort of protection a priority.
Last month, Rémy Cointreau, one of the world’s leading alcoholic beverage brands, (ITWire article here) reported it is using the Centrify identity management and mobile management platform to support its 1800 employees globally, who access, on average, 20 different cloud- and web-based applications per day.
iTWire has a further article from Centrify’s US-based VP, David McNeely here who also warns that an over-dependence on passwords and a reliance on passwords that provide “as much protection as a piece of paper in a rainstorm” leaves many organisations vulnerable to cyber threats.