Passwords are our greatest security weakness

By Lachlan McKenzie, Centrify Country Manager, ANZ

The problem with passwords is that they’ve become the problem rather than the solution.

Although for decades we’ve relied on passwords to protect our computer systems from hackers, they are no longer fit for purpose.

The password has existed since antiquity, providing proof of identity for a traveller wanting to pass wary guards at the town gates. Computer security simply adapted this process to the digital age.

Passwords are intended to protect sensitive information from bad guys who want to steal or exploit it. As well as keeping our identities and data safe, they’re supposed to save our employers from joining the large list of corporations that suffer the operational and reputational damage caused by hacking.

But the threats that passwords are supposed to protect us from have actually lapped this defence mechanism. In a 24/7-connected world, passwords provide little more protection than a tissue in a rainstorm.

One problem is that people are lazy at creating effective passwords. Because we’re expected to memorise them, many people choose passwords that are easy to remember – to a ludicrous degree. Recent hacks reveal the most popular passwords include 123456, qwerty and, of course, password.

Passwords also fail because of poor security habits, such as password sharing. While Facebook and Twitter make sharing almost second nature, it’s unacceptable to share a password with a family member, a boss or a co-worker. Despite security warnings, a recent LastPass survey reports that 61 per cent of employees are more likely to share work passwords than personal passwords.

Those few people who maintain mindbendingly complex passwords often write them on a piece of paper or store them in a Word document to help remember them. Even if they commit them to memory, they may well reuse the same password for multiple logins or change them infrequently.

All of which are great security no-nos.

Best practice calls for passwords that are at least eight characters long, a mixture of letters, numbers, capitals and special characters, and changed every one to three months.

The killer point is that they must be unique for each program, app and online service you use.
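The rules above (minimum length, mixed character classes, not one of the popular choices, unique per service) are easy to state and easy to get subtly wrong, so here is an added example, not code from the article or from Centrify, that audits a small credential set against them. The denylist is a constructed sample containing the three passwords named in the article plus a few other well-known weak choices; a real deployment would load a full breached-password list. One check worth noticing: a password such as `Password1!` satisfies every complexity rule yet is built on a denylisted word, which the base-word check catches.

```python
from __future__ import annotations

import string
from collections import defaultdict

# Constructed sample denylist: the three passwords the article names plus a few
# other well-known weak choices. A real deployment would load a much larger list.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "letmein", "welcome", "abc123"}

MIN_LENGTH = 8  # the article's "at least eight characters"


def _base_word(pw: str) -> str:
    """Strip leading/trailing digits and punctuation so 'Password1!' maps to 'password'."""
    return pw.strip(string.digits + string.punctuation).lower()


def check_password(pw: str, denylist: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return the list of policy rules the password fails (an empty list means it passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        failures.append("no capital letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    # Compare case-insensitively, and also against the password with decorations
    # stripped, so "Password1!" is still recognised as "password".
    if pw.lower() in denylist or _base_word(pw) in denylist:
        failures.append("based on a commonly used password")
    return failures


def find_reused(credentials: dict[str, str]) -> list[list[str]]:
    """Group services that share the same password; each group with 2+ entries is reuse.

    Returns only the service names, never the passwords themselves, so the report
    can be shown without echoing secrets.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for service, pw in credentials.items():
        by_password[pw].append(service)
    return sorted(sorted(svcs) for svcs in by_password.values() if len(svcs) > 1)


if __name__ == "__main__":
    # Constructed sample vault: one strong unique password, one reused one.
    vault = {
        "mail": "Tr0ub4dor&3",
        "bank": "Tr0ub4dor&3",
        "forum": "Password1!",
    }
    for service, pw in vault.items():
        print(service, check_password(pw) or "ok")
    print("reused across:", find_reused(vault))
```

`check_password` reports every failed rule rather than stopping at the first, which is what a user-facing prompt or an audit report needs; `find_reused` implements the article's "unique for each service" rule and deliberately reports service names only.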

This is security’s Catch-22: Effective passwords are too complex to remember, which means that if you can remember them, they’re not effective.

The result is that stolen passwords are a leading cause of data breaches. Verizon's 2016 Data Breach Investigations Report states that 63 per cent of confirmed data breaches involved weak, default or stolen passwords.

So the bottom line is that relying exclusively on passwords for protection is not just risky: It’s foolish.

Passwords are our greatest security weakness because they lull us into a false sense of security.

So if the password is the problem, what is the solution? The good news is this answer is well known.

Mature security standards such as SAML (Security Assertion Markup Language) - which incorporates Single Sign-On (SSO) and Identity Management - raise the security bar much higher than even the most rigorously observed password regime.

Individually, we should always use two-step authentication (2SA) - recently supported by Google - or multi-factor authentication (MFA) whenever they are available. Then, even if a password is stolen, a potential hacker has a higher barrier to overcome to access our applications, data and networks.

2SA and MFA are now easy to deploy, leveraging cloud-based systems to simplify implementation along with mobile and biometric technology to make them more intuitive and convenient.
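To make concrete why a stolen password alone is not enough once a second factor is in place, here is an added example, not code from the article or from Centrify's product, of a server-side login that requires both a password and a time-based one-time code (TOTP, RFC 6238, the mechanism behind most authenticator apps). The `Account` class, the `login` function and the constructed test account are assumptions for the example. Beyond the article's point, it also shows the two checks a verifier needs in practice: a small time window to tolerate clock drift, and a record of the last accepted counter so a code that was phished or shoulder-surfed cannot be replayed within its validity period.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, submitted: str, at: int,
               step: int = 30, digits: int = 6, window: int = 1) -> int | None:
    """Return the counter whose code equals `submitted`, or None if no code in the window matches.

    Checking +/- `window` steps tolerates small clock drift between client and server.
    compare_digest keeps the comparison constant-time.
    """
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return counter + delta
    return None


class Account:
    """Hypothetical server-side record: salted password hash plus a per-user TOTP secret."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = os.urandom(20)   # shared with the user's authenticator at enrolment
        self.last_counter = -1               # highest TOTP counter already accepted (replay guard)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def login(acct: Account, password: str, code: str, at: int | None = None) -> bool:
    """Succeed only if the password AND a fresh, unused TOTP code are both correct."""
    at = int(time.time()) if at is None else at
    password_ok = hmac.compare_digest(acct.pw_hash, Account._hash(password, acct.salt))
    counter = match_totp(acct.totp_secret, code, at)
    # Evaluate both factors before deciding, and accept each counter at most once.
    if not password_ok or counter is None or counter <= acct.last_counter:
        return False
    acct.last_counter = counter
    return True


if __name__ == "__main__":
    # Constructed test account; the "attacker" below knows the password but has no secret.
    acct = Account("Tr0ub4dor&3")
    now = int(time.time())
    code = totp(acct.totp_secret, now)
    print("user with password + code:", login(acct, "Tr0ub4dor&3", code, now))
    print("same code replayed:      ", login(acct, "Tr0ub4dor&3", code, now))
    print("stolen password, no code:", login(acct, "Tr0ub4dor&3", "000000", now + 30))
```

The `hotp`/`totp` functions reproduce the RFC 6238 reference vectors (for the ASCII secret `12345678901234567890`, time 59 gives `94287082` with eight digits), so the code can be checked against any standards-compliant authenticator. The replay guard stores the accepted counter, not the code, which is the cheapest way to reject a second use within the same 30-second step.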

By providing this level of security beyond passwords, we gain extra protection and time to implement even more advanced forms of authentication based on big data analytics and user behaviour.

It’s time to throw away the crutch of passwords which makes it easy for attackers to steal our stuff. Modern tools such as SAML, SSO and two-step or multi-factor authentication allow us to better protect our online selves.

If you want to learn more about life beyond passwords, click here to read about how Centrify's Identity Service improves end-user productivity and secures access to cloud, mobile and on-premises apps via single sign-on, user provisioning and multi-factor authentication.
