How to Mitigate Bad User Passwords

20 Sep 2016 by Bob Violino

This article was revised September 20, 2016, to bring our readers the most up-to-date technology information.

User passwords are among the more maligned security mechanisms in the business world. This is largely because they tend to be misused, and can actually end up becoming security liabilities, rather than effectively protecting companies against unauthorized access to corporate assets.

Unfortunately, plenty of people do not take user passwords seriously enough, and opt for convenience rather than vigilance when creating and using them. This can lead to passwords becoming the weakest link in information security strategies.

Given this scenario, what’s the future of user passwords? They are not likely to go away any time soon, because the password concept is so prevalent for access to applications, online accounts, etc. However, vendors are working to make passwords easier to use, or to develop alternate access techniques that make it possible to avoid using them altogether.

The most prevalent problem with user passwords

One of the biggest problems with user passwords is that there is an abundance of easy-to-guess, common internet passwords, rather than truly safe entry points that would be difficult for an intruder to crack. This makes sense because it’s natural for users to want instant access to apps or accounts.

In its latest annual listing of the 25 most common internet passwords, SplashData notes these “worst passwords” will expose anyone to being hacked or having their identities stolen. The fourth annual report, which the company compiled using data culled from more than 3.3 million leaked passwords, finds that "123456" and "password" continued to rank at the top of the list of most common passwords.

Simple numerical passwords have remained common over the years, with nine of the top 25 passwords on the list including numbers only. The most common passwords list clearly shows many users continue to put themselves at risk by employing weak and easily guessed passwords.

For comparison’s sake, below are LinkedIn’s top 10 worst passwords, which were revealed after a 2012 hack in which 117 million users’ details were stolen. It doesn’t look like the password lesson was taken to heart: the top spot mirrors SplashData’s most current winner of the worst internet password. The two charts, made four years apart, share multiple other repeat offenders, like “qwerty” and “111111.”

Frequency of use of LinkedIn's 10 weakest passwords.
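One mitigation for the patterns described above is to screen a new password at the moment the user sets it. The following is an added example, not code from the article or from SplashData or LinkedIn; the blocklist holds only the four passwords the article names, and the minimum length, the keyboard rows and the function names are assumptions.

```python
import re

# Constructed blocklist: only the passwords the article names. A real
# deployment would load a much larger breached-password list here.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111"}

# Rows used to spot keyboard walks and counting runs (assumed US layout).
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz", "01234567890")

MIN_LENGTH = 8  # assumed policy value, not from the article


def _is_sequence(pw):
    """True if the whole password is one run along a row, forward or reversed."""
    if len(pw) < 4:
        return False
    return any(pw in row or pw in row[::-1] for row in SEQUENCES)


def screen_password(candidate):
    """Return the reasons a new password is rejected (empty list = accepted)."""
    reasons = []
    pw = candidate.strip().lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if pw in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if pw.isdigit():
        reasons.append("digits only")
    if pw and len(set(pw)) == 1:
        reasons.append("single repeated character")
    if _is_sequence(pw):
        reasons.append("keyboard or counting sequence")
    # Common password with digits/symbols tacked on the end, e.g. "Password1!"
    stem = re.sub(r"[\d\W_]+$", "", pw)
    if stem != pw and stem in COMMON_PASSWORDS:
        reasons.append("common password with suffix")
    return reasons
```

Returning every reason, rather than stopping at the first, lets the sign-up form tell the user exactly what to change.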

The impact of passwords on productivity

Aside from creating weak passwords, the use and misuse of passwords can be costly to organizations in a number of ways. Productivity issues pop up when workers forget their passwords and can’t gain the access they need, until they get a password reset or notification from the IT department. The other productivity impact is on the IT department itself, particularly the help desk or other support staff who need to address the problem of forgotten passwords, rather than deal with other, more pressing issues.

Then there’s the issue of passwords that expire and need to be reset on a regular basis as part of corporate policy. This routine seems benign and even helpful, but it still removes employees from other productive tasks. It can also increase the instances of users forgetting passwords. Given that many people forget passwords, yet rely on them to gain access, a lot of users write them down, further weakening a company’s security protocol.

Improving the problematic password

Fortunately, IT vendors are delivering ways to ease the pain of passwords for users as well as managers.

Windows Hello

For example, in early 2015, Microsoft announced that Windows 10 included a feature called “Windows Hello,” a biometric authentication capability that provided instant access to Windows 10 devices without the need for a password.

With Windows Hello, a user just needs to show their face, or touch a finger to devices running Windows 10. They can then be immediately recognized, and gain access. The system also enables users to authenticate applications, enterprise content, and certain online interactions, without a password being stored on the device or in a network server.

Intel True Key

Intel also unveiled similar technology earlier in 2015 that’s designed to decrease or eliminate reliance on passwords. The offering, True Key from Intel Security, is an application for authenticating online identities.

Users can install the app on a smartphone, tablet or computer. As they navigate apps, websites and devices, it helps them choose stronger passwords, and makes creating them effortless via a password generator, military-grade encryption and multiple advanced-security technologies.

True Key also uses biometric factors, such as facial recognition and fingerprint scanning, on supported devices, which include iOS and Samsung phones. This allows users to log in to devices securely, and move across websites without having to enter a password.

Intel says True Key removes the hassle of having to remember passwords, and instead, instantly logs users into apps, websites and devices, while relying on multiple factors that are unique to the user.

Intel RealSense

The company has also introduced a family of hardware and software products called RealSense. One offering, the RealSense 3D camera, is what Intel calls the first integrated 3D depth and 2D camera module that helps devices "see" depth much like the human eye does.

The RealSense 3D camera features a depth sensor and a 1080p color camera. It has the ability to detect finger-level movements, enabling highly accurate gesture recognition, as well as facial features for understanding movement and emotions. Intel says the capabilities of RealSense, in combination with True Key, elevate biometric security to a new level.

The camera will be integrated into a growing number of Intel-based devices including tablets and notebooks.

Yahoo On-Demand Passwords

In another recent development, Yahoo announced a product aimed at making it easier for users to access its email application via passwords. The new technology, On-Demand Passwords, is designed to make it simpler for users to log in to their Yahoo email accounts.

Developed for people who tend to forget their email passwords, On-Demand Passwords are texted to a user’s mobile phone. As a result, users no longer need to memorize difficult passwords to sign in to their Yahoo accounts.

With the new password feature, users can now sign in to their email, access the account page, select “security,” and click on the slider for “On-Demand Passwords” to opt in. Once users enter a phone number, Yahoo texts a verification code. Entering the code online grants them instant access to their online email account. The next time a user signs in to the email app, Yahoo automatically sends another password to their phone.
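The server side of a texted sign-in code like the one described above has to make each code random, short-lived, single-use and limited in guesses. The following is an added sketch of that logic, not Yahoo's implementation or code from the article; the class name, code length, validity window and attempt limit are assumptions, and sending the text message is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6        # assumed code length
TTL_SECONDS = 300      # assumed validity window
MAX_ATTEMPTS = 5       # assumed guess limit per issued code


class OnDemandCodes:
    """In-memory store of pending one-time sign-in codes, keyed by account."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # account -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(account, code):
        # Store only a hash bound to the account, never the code itself.
        return hashlib.sha256(f"{account}:{code}".encode()).digest()

    def issue(self, account):
        """Create a fresh code, replacing any earlier one; caller texts it out."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [self._digest(account, code),
                                  self._clock() + TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, account, submitted):
        """Return True once for the right code; fail on expiry, reuse or lockout."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[account]
            return False
        entry[2] -= 1                # count the guess before comparing
        if hmac.compare_digest(digest, self._digest(account, submitted)):
            del self._pending[account]   # single use
            return True
        return False
```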

Google Password Alert for Chrome

Google has also joined the password-improvement movement, launching Password Alert for Chrome. The tool alerts users when they enter a password on a phishing website that is mimicking Google.

The sad future for passwords

It’s possible we're witnessing the final days of user names and passwords, according to Jan Valcke, president and CEO of VASCO Data Security, who wrote about the subject in an article on IDG Connect. "We are seeing the final days of user names and passwords as hackers drive the industry to more secure methods of authentication. One-time passwords are the key solution."

There’s no doubt we’ll see more password innovation in the coming months and years, including the possibility of passwords being replaced by brain waves, explains a forward-looking TechCrunch article. Until then, IT vendors will continue to invest a lot of time and money into addressing a fundamentally dysfunctional password protection system.
