Simple passwords rule the day in mobile world

Nearly 80 percent of smartphone and tablet users choose simple pass codes to protect their devices from unauthorized use, according to an analysis released recently by a maker of mobile device management solutions.

While 85 percent of some 200,000 mobile devices analyzed by Fiberlink had their pass code feature turned on as required by company policy, most of those devices (93 percent) were using simple pass codes to protect the devices.

Fiberlink defined a simple pass code or PIN as a password made up of all numbers or all letters. Of the mobile devices using simple pass codes, almost three quarters (73 percent) had one with a length of four to five characters.

Only 7 percent of the devices analyzed by the company had a complex or alphanumeric pass code. Fiberlink defines a complex password as one made up of letters, numbers and special characters.

"IT is saying it doesn't have the desire to enforce complex passwords on a device that's so heavily balanced between personal use and corporate use," Jonathan Dale, product marketing manager for Fiberlink, said in an interview.

The devices themselves may be contributing to the use of simple pass codes. "It's a usability thing more than anything," said Jamie Cowper, a senior director for Nok Nok Labs.

"The temptation is to go as simple as you can, because long, complex passwords are next to impossible on a small screen in a timely correct fashion," Cowper told CSOonline.

"The balance between security and ease of use has shifted a bit in the mobile space," he said. "You can't ask the same things of a mobile user that you might have done at a desktop machine."

Bill Carey, vice president of Siber Systems, a maker of password management software, said that ease of typing definitely influenced password choice. "If you're at your computer, you're more inclined to use a more difficult password -- something with capital letters and numbers," Carey said in an interview. "But on mobile devices, people don't like typing on those so they're more likely to keep their passwords short."


On the other hand, smartphones have standard features that can be used to authenticate a user that desktop and laptop systems may not have. "Location-based services can be used and biometric information -- voice and face -- as well," Nok Nok's Cowper said.

"Fingerprint sensors will be on these devices in the near future, possibly next month with Apple's iPhone announcement," he said.

Fiberlink also discovered that the industry which had the highest percentage of devices required to have their pass code feature activated was health care (97 percent), followed by professional services (87 percent), public sector (85 percent), consumer-retail (81 percent), financial services (79 percent), manufacturing (78 percent) and education (41 percent).

However, health care is in the middle of the pack when it comes to the number of devices that have alphanumeric or complex pass codes on them (4 percent). The public sector had the highest number of mobile devices with alphanumeric or complex passwords (18 percent) and education the lowest (1 percent).

Fiberlink's Dale said he was surprised that financial services ranked near the bottom of the table of industries that required their mobile devices to use pass codes. A trend in the industry may have affected that number, he hypothesized.

"Organizations are starting to enforce pass codes only for corporate data and not device data," Dale said. "Companies are putting more restrictive pass codes and permissions around the corporate data on a device and not caring about the pass codes on the device level."

"Let's face it, IT doesn't care about you getting into your phone to text and tweet," he said. "Since our analysis only looked at pass codes used to access a device, that trend wouldn't show up in our data."

With all the flak passwords have received as an authentication method, some commentators have predicted their demise.

Siber's Carey isn't one of those doomsayers. "I'm not sure that anytime soon there's going to be a complete alternative to passwords," he said. "There might be some complements to passwords but not necessarily alternatives."

"There have been alternatives for a while," Carey said. "But none of them seems to have caught on. I think there is a need for passwords and there will always be a need for passwords."
