Passwords are our greatest security weakness

By Lachlan McKenzie, Centrify Country Manager, ANZ

Passwords have become the problem rather than the solution.

Although for decades we’ve relied on passwords to protect our computer systems from hackers, they are no longer fit for purpose.

The password has existed since antiquity, providing proof of identity for a traveller wanting to pass wary guards at the town gates. Computer security simply adapted this process to the digital age.

Passwords are intended to protect sensitive information from bad guys who want to steal or exploit it. As well as keeping our identities and data safe, they’re supposed to save our employers from joining the large list of corporations that suffer the operational and reputational damage caused by hacking.

But the threats that passwords are supposed to protect us from have actually lapped this defence mechanism. In a 24/7-connected world, passwords provide little more protection than a tissue in a rainstorm.

One problem is that people are lazy at creating effective passwords. Because we’re expected to memorise them, many people choose passwords that are easy to remember – to a ludicrous degree. Recent hacks reveal the most popular passwords include 123456, qwerty and, of course, password.

Passwords also fail because of poor security habits, such as password sharing. While Facebook and Twitter make sharing almost second nature, it’s unacceptable to share a password with a family member, a boss or a co-worker. Despite security warnings, a recent LastPass survey reports that 61 per cent of employees are more likely to share work passwords than personal passwords.

Those few people who maintain mind-bendingly complex passwords often write them on a piece of paper or store them in a Word document to help remember them. Even if they commit them to memory, they may well reuse the same password for multiple logins or change them infrequently.

All of these are serious security no-nos.

Best practice calls for passwords that are at least eight characters long, a mixture of letters, numbers, capitals and special characters and changed every month or three.

The killer point is that they must be unique for each program, app and online service you use.
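The three rules just stated (length and character mix, regular change, and uniqueness per service) can be checked mechanically. The following Python script is an added example, not code from the article or from Centrify; the policy thresholds it encodes are the ones the article gives, and the common-password list contains only the three strings the article names. The credential dictionary is a constructed sample.

```python
import hashlib
import string

# The three passwords the article lists as most popular; a real deployment
# would load a much larger breached-password corpus here.
COMMON_PASSWORDS = {"123456", "qwerty", "password"}


def check_policy(password: str, min_length: int = 8) -> list:
    """Return a list of policy violations; an empty list means compliant.

    Policy (as stated in the article): at least eight characters, with a
    mixture of letters, numbers, capitals and special characters, and not
    one of the well-known weak passwords.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def find_reuse(credentials: dict) -> dict:
    """Group services that share the same password.

    credentials maps service name -> password (as a password manager export
    would). The report keys are short SHA-256 fingerprints so that the
    audit output never contains the plaintext itself. Only groups of two or
    more services (i.e. actual reuse) are returned.
    """
    by_fingerprint = {}
    for service, password in credentials.items():
        fingerprint = hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]
        by_fingerprint.setdefault(fingerprint, []).append(service)
    return {fp: services for fp, services in by_fingerprint.items()
            if len(services) > 1}


if __name__ == "__main__":
    # Constructed sample export (hypothetical services and passwords).
    sample = {
        "mail": "Tr0ub4dor&3",
        "bank": "Tr0ub4dor&3",   # same password as mail: reuse
        "forum": "qwerty",       # weak and on the common list
    }
    for svc, pw in sample.items():
        print(svc, check_policy(pw) or "OK")
    print("reused:", find_reuse(sample))
```

Run it over a password-manager export to get a per-service list of violations plus the groups of services sharing one password; the second report is the one the article calls the "killer point", because a single stolen password compromises every service in that group.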

This is security’s Catch-22: Effective passwords are too complex to remember, which means that if you can remember them, they’re not effective.

The result is that stolen passwords are a leading cause of data breaches. Verizon's 2016 Data Breach Investigations Report states that 63 per cent of confirmed data breaches involved weak, default or stolen passwords.

So the bottom line is that relying exclusively on passwords for protection is not just risky: It’s foolish.

Passwords are our greatest security weakness because they lull us into a false sense of security.

So if the password is the problem, what is the solution? The good news is this answer is well known.

Mature security standards such as SAML (Security Assertion Markup Language), which incorporates Single Sign-On (SSO) and Identity Management, raise the security bar much higher than even the most rigorously observed password regime.

Individually, we should always use two-step authentication (2SA), recently supported by Google, or multi-factor authentication (MFA) whenever they are available. Then, even if a password is stolen, a potential hacker has a higher barrier to overcome to access our applications, data and networks.

2SA and MFA are now easy to deploy, leveraging cloud-based systems to simplify implementation along with mobile and biometric technology to make them more intuitive and convenient.

By providing this level of security beyond passwords, we gain extra protection and time to implement even more advanced forms of authentication based on big data analytics and user behaviour.

It’s time to throw away the crutch of passwords which makes it easy for attackers to steal our stuff. Modern tools such as SAML, SSO and two-step or multi-factor authentication allow us to better protect our online selves.

If you want to learn more about life beyond passwords, click here to read about how Centrify's Identity Service improves end-user productivity and secures access to cloud, mobile and on-premises apps via single sign-on, user provisioning and multi-factor authentication.
