The password is dead. It’s time to admit it. After all, 75% of security breaches have been down to weak passwords and security experts have started to accept that even strong passwords aren’t good enough.
Security breaches have become a regular news feature. The recent hacks of user accounts at eBay, Ashley Madison and LinkedIn have highlighted the need for more secure forms of authentication. More recently, TalkTalk users were told their data might have been compromised in a cyber attack.
Yet, it appears that, despite these well-publicised attacks, users and service providers are slow to tackle the issue of inadequate password protection head on. Cyber attacks are easier to manage, and much less likely to occur in the first place, when users are prepared.
Most Internet services can be accessed with just a username and password. Email addresses are often used as usernames, making it fairly easy for a hacker to find a valid login through brute force. The trend for businesses to use standardised email platforms (e.g. Gmail) is only amplifying security issues. To make this worse, passwords themselves come with several problems.
Is it a case of user error?
The number of active monthly Facebook users is almost 1.5 billion. Recent research found that a significant share of these users aren’t aware that they are on the Internet when using Facebook. This is particularly true of emerging markets, where the figure can be as high as 65 per cent. This may be explained, at least in part, by the fact that many of these countries have leapfrogged the fixed line connections a lot of us will have grown up with and moved straight to a mobile environment. That said, in the US, the share of those who didn’t know that Facebook is dependent on the Internet was still five per cent. This shows how the spread of the Internet across the globe has not been accompanied by an awareness of how it works, leading to low levels of IT security awareness.
Another factor is that people are still unconvinced that strong, unique passwords are essential to protect data. With insecure passwords abounding, users are making themselves, and their employers, vulnerable to attack.
Strong passwords are often seen as an annoyance and overly complicated. A ten-digit password with lower case, upper case, numeric and special characters is difficult to come up with and even harder to remember.
And frankly, when we entrust our bank balance to a four-digit pin, it is understandable that many wouldn’t understand why Facebook photos need to be protected with complex passwords.
Put it on a Post-it note
We’re told over and over again that our password shouldn’t be a pet’s name, date of birth or another easily guessed phrase. IT departments often set requirements for, or even generate, secure passwords for company IT services. The problem with these passwords is that they are only as secure as the way they are transmitted and stored. Passwords are hardly secure if they’re scribbled down on post-it notes and stuck to computer screens.
Slightly better than the pen and paper storage method, although just as far from secure, is when the generated passwords are emailed unencrypted to the user to be stored on their computer and mobile phone forever.
Situations like this don’t just happen in the office. When users sign up to websites outside of work, confirmation emails showing the username and password are sometimes emailed to the user, proving the password is stored, unencrypted, by the service provider.
It’s high time for 2FA
What’s clear from all of the above is that passwords alone are no longer enough to protect data. While PINs might seem like a very simple approach to protecting bank accounts, they are actually a method of two-factor authentication (2FA). It is based on the user having both the card, and knowing the PIN that goes with it.
2FA has been around for many years but has mainly been used by large enterprises because of the cost of ‘tokens’ like RSA SecurID. With smartphones becoming more common, however, the cost of providing authentication devices can be reduced significantly. 66% of adults in the UK use smartphones, making them a cheap and handy medium for 2FA.
By using a combination of apps and algorithms, we can generate Time-based One-Time Passwords (TOTP) with the same security as a physical token. These passwords can be used just once and are only valid for a short period of time. They are created using a constant shared between the client and server, and a variable: time. Smartphone users can download a free app to their phone to generate TOTPs for multiple services.
While the number of people with smartphones is growing, 2FA can still be used by people without one. For example, text messages can be used to send one-time use codes to users. You may have experienced this when asked to authenticate your Google account, for example. 93% of UK adults use a mobile phone, so codes sent via SMS could be used by the majority of the population.
What’s next?
It’s clear that traditional passwords are no match for the sophisticated tools hackers now have at their disposal. The industry needs to encourage the migration towards 2FA by explaining the importance of strong authentication. More importantly, it needs to make 2FA more appealing to users by providing simple, easy tools rather than making people jump through hoops to secure their data.
Some companies have already started to take this step. Some banks, for example, require 2FA to transfer money or log in to online banking. Several web-based companies have also taken this approach and made it as simple as possible for their users to get to grips with 2FA. Making the process clear and simple for non-experts is key to ensuring 2FA is used.
Two-factor authentication is not used widely yet, but it’s only a matter of time before it will be seen as a must-have, not an optional extra, and become second nature for all of us. After all, there’s no such thing as being over protected when it comes to data.
Then the only issue that remains is ensuring that those we entrust with our data keep it safe at their end.
Stéphane Lesimple, Chief Information Security Officer, OVH
Stéphane first started using computers in the days of Amstrad, quickly becoming interested in security. These days, he can be found implementing the company’s security policy and anti-abuse tools as Chief Information Security Officer at OVH.