Using passwords for authentication

Recently, when researching for my Master's project, I came across some studies about users and password use. I think we now know that passwords should be dead and replaced or augmented by something better, such as two-factor authentication using tokens or biometrics. However, many systems still rely on usernames and passwords.

In business, many companies now add two-factor authentication for remote logins in order to improve security: the user enters their username, some sort of PIN or password, and a value from a hardware or software token. This helps with the issues around passwords when logging in remotely, such as when working from home, but it does nothing to improve the security of logging in with just a username and password in the office.

The traditional assumption has been that it is OK to use just a username and password when logging in from a more secure location such as the office, where you are already connected to the trusted network. Assuming your business uses modern operating systems that employ salted hashes for any password storage or transmission, the issue is not with someone malicious managing to 'sniff' the password while it is in transit, or getting hold of the password store. However, what of the users who use the same password for multiple systems? What if your users log into insecure web sites using the same or very similar passwords to those they use to log into the secure business systems?

Studies have shown that nearly all users re-use passwords.

In addition, users will tend to use the least complex, easiest-to-remember password possible, so while your business's chosen level of complexity may have a password space of xxxxx passwords, the users' passwords may actually occupy a much smaller space, or be easy to guess despite meeting the password complexity requirements.

People will also tend to write down passwords that are too difficult to remember easily.

So I'd strongly recommend moving away from relying on passwords alone and utilising some form of multi-factor authentication, even within the office environment. This is not as difficult as it may sound: most (all?) modern operating systems support multi-factor authentication out of the box.

If you cannot move away from relying on passwords alone, then a user education program is a must. A good password is not just a complex one; it must combine complexity and being difficult to crack with being easy for the user to remember. If users understand both the password policy and the rationale for it, along with ways to come up with strong passwords that are easy for them to remember, this will lead to a more secure environment.
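As an added illustration of the two points above (policy-compliant passwords that occupy a far smaller space than the policy's nominal one, and memorable passphrases that are nevertheless strong), here is a small script; it is not code from the original post, and the complexity policy, word-list sizes, predictable shape and sample passwords are all assumptions chosen for the illustration.

```python
import math
import re
import string

# Hypothetical policy used for illustration: at least 8 characters drawn
# from all four character classes (lower, upper, digit, symbol).
MIN_LENGTH = 8
SYMBOLS = string.punctuation                      # 32 printable symbols
FULL_ALPHABET_SIZE = len(string.ascii_letters + string.digits + SYMBOLS)  # 94

# Assumed list sizes for the estimate (not figures from the post): a
# 10,000-word list of common words and the 7,776-word diceware list.
COMMON_WORDS = 10_000
DICEWARE_WORDS = 7_776

# The predictable shape people use to satisfy the policy: a capitalised
# word, one to four digits, one trailing symbol (e.g. Summer2024!).
PREDICTABLE = re.compile(r"^[A-Z][a-z]{2,}\d{1,4}[" + re.escape(SYMBOLS) + r"]$")


def meets_policy(pw: str) -> bool:
    """True if the password satisfies the illustrative complexity rule."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SYMBOLS for c in pw),
    )
    return len(pw) >= MIN_LENGTH and all(classes)


def nominal_bits(pw: str) -> float:
    """Keyspace the policy implies: every position drawn from all 94 symbols."""
    return len(pw) * math.log2(FULL_ALPHABET_SIZE)


def effective_bits(pw: str) -> float:
    """Keyspace a guesser actually has to cover once the shape is known."""
    if not PREDICTABLE.match(pw):
        return nominal_bits(pw)          # no known shape: assume the full space
    digits = len(re.search(r"\d+", pw).group())
    return math.log2(COMMON_WORDS * 10 ** digits * len(SYMBOLS))


def passphrase_bits(num_words: int) -> float:
    """Entropy of num_words words chosen uniformly from the diceware list."""
    return num_words * math.log2(DICEWARE_WORDS)


if __name__ == "__main__":
    for pw in ("Summer2024!", "Welcome1!", "xQ7#vL2m"):   # constructed samples
        print(f"{pw:12} policy={meets_policy(pw)}  nominal={nominal_bits(pw):.1f} bits"
              f"  effective={effective_bits(pw):.1f} bits")
    print(f"4-word diceware passphrase: {passphrase_bits(4):.1f} bits")
```

The two predictable samples pass the policy yet fall to roughly 21 and 32 bits of effective keyspace, while a four-word passphrase with no digits or symbols at all sits near 52 bits.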

Interestingly, we again come around to user education and training being a key component of a defense in depth security strategy.

K


Author: Kevin Fielder

Innovative and dynamic security professional, with a passion for driving change by successfully engaging with all levels of the business. I am a determined individual with proven ability to provide security insights to the business, in their language. These insights have gained board buy in for delivering security strategy aligned to key business goals. This is achieved by understanding the need to drive change through people, process and technology, rather than focusing exclusively on any one area. I take pride in being a highly articulate, motivational and persuasive team-builder. I have a strategic outlook with the ability to engage with and communicate innovative and effective security solutions to all levels of management. Along with a proven ability to translate security into business language and articulate the business benefits I am also passionate about leading security innovations and making security a key part of the business proposition to its customers. Security should be made a key differentiator to drive sales and customer retention, not just a cost centre! Outside of work I am a proud husband and father to an awesome family, and a passionate CrossFit coach and athlete.
