Consumers are bad at passwords. So are companies, and they’re also bad at mandating effective authentication. As a result of this poor cyber hygiene, end users are at greater risk of having personal data stolen or accounts compromised, while businesses could face costly and time-consuming PR and remediation efforts.
As noted by Dark Reading, World Password Day is May 4, offering an ideal time for organizations and employees to take a hard look at bad cyber habits and clean up their acts.
Rolling the Dice With Poor Passwords
Passwords have been on the cyber chopping block for years now. But in the same way new communication tools can’t seem to knock email out of top spot, passwords remain the go-to for most e-commerce accounts, social platforms and corporate networks.
The problem is that users are really bad at choosing decent passwords. For example, Forbes reported that the most popular passwords in 2016 were “123456” and “password.” Alarmingly, these passwords also topped the list in 2015 and 2014.
The Dark Reading piece, meanwhile, noted that 70 percent of end users have seven or fewer passwords across all their online accounts, so it’s no surprise that 81 percent of hacking-related breaches examined by the “2017 Verizon Data Breach Investigation Report (DBIR)” tapped weak or stolen passwords. Even IT security pros aren’t off the hook, with 53 percent still using the same social network passwords they did last year, while 20 percent have never changed their passwords.
On the corporate side of the equation, many companies still aren’t using multifactor authentication (MFA). The DBIR described this as “rolling the dice” when it comes to device compromise from reused access credentials.
Cleaning Up for World Password Day
Ars Technica recently pointed out some less-than-stellar authentication designs. Its example not only allowed four-character passwords, but it also sent users a PIN in plaintext via email. What’s more, there was no mechanism to reset credentials, meaning that even if a breach occurred, users are stuck with the same problematic password.
Add in the predilection of users to select easy-to-remember and easy-to-guess passwords, then reuse them across multiple sites and never change them, and it becomes clear that even the necessary attention drawn by World Password Day won’t be enough to solve this security issue.
So what’s the solution? First, companies need to recognize that passwords won’t disappear overnight; better management is required to limit theft and reuse. Ideally, businesses should balance the need for better security hygiene with user convenience. It’s a good idea, for example, to require at least eight characters for any password, including one number or symbol. Then leverage controls that prevent employees from reusing passwords and restrict access unless passwords are regularly changed.
The next step is adaptive authentication. The idea here is to tap emerging authentication protocols, such as biometric tools and location-specific identifiers, and combine them with open source initiatives to develop universal, adaptable and secure standards that provide maximum convenience across multiple devices without compromising corporate security.
Scrubbing Out Poor Passwords
Passwords are a big problem. Users make terrible choices, and companies often overlook bad habits in favor of enterprise expediency. But cybercriminals are cleaning up, using and reusing bad passwords to compromise accounts.
World Password Day calls out the need for better cyber hygiene, but that’s only half the battle. Adaptive authentication, combined with evolving open standards, are required to help scrub out this security issue.