The problem with passwords
One of the biggest challenges we face these days is the increasing number of passwords each person has. There are passwords for online banking, accessing forums, work applications and even accessing school or nursery portals to check on our kids' development. It seems like there is a password for every occasion.
One of the big problems in information security is the large number of weak or reused passwords that people use in the workplace. People are also likely to use similar passwords for their non-work logins, which increases the risk to businesses: one person's passwords may all be variations on a single password that differ by a character or two, e.g. password12, password23 and so on.
Strong passwords are essentially the product of a set of rules. Those rules can be set by the supplier or employer, covering what the password must be made up of and how the system manages it on their infrastructure (e.g. the number of permitted login attempts or the password's expiry time). The most basic part of the process, which anyone can do, is to make sure that all passwords are:
- Of a suitable length – minimum 8 characters, the longer the better.
- Of a suitable complexity – a mix of numbers and letters, upper and lowercase, plus special characters like ! or @.
- Changed frequently – even if you are not forced to change a password, you should do so anyway, every 1 to 2 months if possible.
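As an added example (not part of the original post), here is a small Python checker that applies the three rules above and also flags the "one password with a character or two changed" problem by measuring how many edits separate a candidate from each previously used password. The list of previous passwords, the tolerance of two edits and the 60-day age limit are constructed assumptions for illustration, not values from this post.

```python
# Constructed sample of previously used passwords (illustration only).
PREVIOUS_PASSWORDS = ["password12", "Summer2019!"]

MIN_LENGTH = 8        # the post's minimum; longer is better
MAX_AGE_DAYS = 60     # assumed upper bound for "every 1 to 2 months"
MAX_VARIATION = 2     # assumed: a "character or two" of difference is too close


def complexity_classes(pw):
    """Return the set of character classes present: lower, upper, digit, special."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(pw, previous=PREVIOUS_PASSWORDS, age_days=None):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    # Rule 1: length
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    # Rule 2: complexity (all four classes required in this illustration)
    missing = {"lower", "upper", "digit", "special"} - complexity_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    # Rule 3: age, when the caller knows when it was last changed
    if age_days is not None and age_days > MAX_AGE_DAYS:
        problems.append(f"not changed for {age_days} days (limit {MAX_AGE_DAYS})")
    # Reuse: a near-copy of an earlier password is as weak as the earlier one.
    # Compared case-insensitively so Password12 vs password23 is still caught.
    for old in previous:
        if edit_distance(pw.lower(), old.lower()) <= MAX_VARIATION:
            problems.append(f"too similar to a previous password ({old!r})")
    return problems


if __name__ == "__main__":
    for candidate in ["password23", "Ab1!x", "Tr0ub4dor&3x"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Run as a script it reports each candidate's failures; the last candidate passes because it is long enough, uses all four character classes and is far from both earlier passwords.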
This usually means that people forget their passwords fairly regularly, especially if they have a lot of them. Always register with a site or application's password retrieval mechanism: some sites allow you to link your phone to reset the password, but most use email as the default. Make sure your details are correct so that if you lose your password you can regain access as soon as possible.
There are ways of using password federation, such as linking applications to a login system like Facebook or Google, but that really depends on whether the application supports it and whether you want to accept the risk if your main account is compromised: if someone gets into that one account, they can access all the linked accounts as well unless extra protection is in place.
One way to reduce the risk of passwords being compromised is to use multi-factor authentication. Basically this allows the individual or business to add an extra layer of control alongside the password. In security terms there are three categories of authentication factor:
- Something you know; basically a password, PIN or code of some sort that is unique to the individual.
- Something you have; this covers smartcards, certificates or secure PIN devices (e.g. fobs or one-time tokens).
- Something you are; this covers fingerprints, retina scans and other biometric checks.
What this means is that if you can use at least two of the types above, e.g. a password and a smartcard, then you greatly reduce the chance of someone getting access to your online accounts. Using this method is not always easy, but it is much more secure, especially if you store a lot of personal and important data on your cloud service.
What I have covered here is well documented elsewhere, and many cloud or online providers of banking and email also allow you to use multi-factor authentication. I would really recommend looking at the risk of losing your data and making a decision based on:
- What would I do if my account was compromised?
- How could I get my emails or data back if this happened?
- What impact would there be for me financially if someone got into my online banking account(s) or got hold of my sensitive information?
- What impact would there be for my friends and family if my accounts were compromised and their information (e.g. email or home addresses) was disclosed?
Just a few things to think about!