Identity is the foundation of trust: why passwords can no longer be relied upon
Identity is the foundation of trust: why passwords can no longer be relied upon

Passwords are one of the weakest forms of user authentication available, yet businesses continue to rely on them to protect important data.  Despite the ever increasing risk of a cyber attack, passwords are still being used as the key to corporate resources by most, if not all, businesses without much consideration.  Traditional passwords in the form of a string of characters that are used repeatedly to access one or more account can be considered to have five main failings, namely they can be shared, stolen, guessed, cracked and are notoriously hard to manage.  

It's clear that passwords are no longer enough and companies must look to more advanced, sophisticated methods to increase password security, enhance identity management and improve access control.

The failings of password security

The very nature of passwords makes them easy to share.  There is no real way to tie a user to a password – which means anyone can use that credential – whether maliciously or not.  While sharing passwords is something that employees can be warned against, another risk comes from how easily they can be stolen.  As cyber criminals develop more intelligent malware to attack systems and steal valuable information, it becomes harder to avoid credentials falling into the wrong hands.  Viruses, vandals and thieves make it extremely difficult to trust websites, applications and even e-mail – whether it comes from a ‘trusted' source or not. 

Despite the fact that we're warned time and time again, the most commonly used password is still “password” (or a variation of it).  It's both an easy-to-remember code and is often used as the default password for many web sites and software applications – making it extremely common and not at all secure.  As we use more online services and access more privileged systems that require passwords, the worse it becomes.   While more complex passwords are often required, attackers have developed methods to pre-compute the values to compare against, speeding up the time to break weaker passwords, if they can gain access to the password information on a system.  In an Adobe attack last year, more than thirty-eight million passwords were impacted – which shed light on a single password's lack of security.

Part of the problem is that having multiple passwords can be difficult for users to manage.  Industry studies show that the average user has to remember 20 or more different passwords for the various systems and applications that they use each day.  And as businesses become more connected, there has been an increase in the introduction of weaker passwords and users will try to keep the same easy-to-remember password across multiple systems.  The use of hostile malware such as keystroke loggers and other data mining applications allow adversaries to easily collect these passwords to gain remote access to multiple systems in the business and, ultimately, protected resources and privileged information.

How to handle the failings

Proprietary information loss, bad publicity and possible legal actions can be detrimental to the growth of a business – on top of the business interruption that occurs in the wake of a breach.

Identity is ultimately the foundation of trust. Without knowing who is using a particular credential, passwords cannot be relied upon as a method for accessing confidential information.  Proving the identity of someone when they try to login reduces this risk and provides greater assurance that they are indeed the intended party.

There are many different ways to attain identity assurance but one of the most efficient and cost-effective ways is to provide another factor of authentication – verifying an identity with two different pieces of information in the form of:

•        Something you have – a physical device such as a security token, a smartcard or even a simple key

•        Something you know – information only the user knows, such as a personal PIN

Implementing stronger two-factor authentication provides the technical safeguards required to provide identity assurance.  As we move towards more mobile and cloud-based working, now is the time to implement stronger security parameters to keep corporate and personal information safe from the unknown.

Contributed by Dana Epp principal architect, security, identity and access management, Kaseya