Are you managing your passwords?

Posted by Tom Colvin (CTO), 19 Feb 2014
The average web user’s experience of the security of the internet is defined by the use of login details including passwords. Memorable character strings are the (almost) universal means to access the important day-to-day web-based services we need to live our lives and fulfil our various roles.

All commonly used websites like Facebook, Twitter, LinkedIn, Wordpress and GMail require some form of authentication to access services and important personal data.

More importantly, online banking services, mobile devices such as phones and tablets, and personal and office computers all require similar login authentication before they can be accessed. The range of user credentials for different sites and devices is therefore growing rapidly, and the average user needs an ever-increasing list of login details.

Recent news reports have been damning to the reputation of the password. Several large data breaches, at Adobe, LinkedIn and the game website RockYou have all involved the theft of login names and passwords.

The recent breach, which saw over 2,000 users’ accounts hacked and subsequently posted to a popular text-sharing site, marks a period where the humble password has a lot of explaining to do as it falls short of the requirements needed to secure data. Some might say, ‘once again!’

As these data breaches continue and the resulting information is published online, various places on the internet are becoming repositories for a growing volume of readily accessible private data.

The main factor limiting the effectiveness of a password is the human one. Lazy duplication across accounts and the use of common passwords are a massive problem. Internet users need to understand that if they use the same password on different sites, a breach of any one of those sites will naturally permit access to all the others.

In real terms this means that a worryingly large number of internet users are entrusting their valuable private information to a variety of services while protecting that important data with relatively weak passwords.

According to mobile software firm SplashData, ‘123456’ has recently overtaken ‘password’ as the most frequently used password across the web. These two passwords dominate the ‘Worst Passwords of 2013’ list. In addition, ‘qwerty’ comes in at number four, ‘iloveyou’ at number nine and ‘admin’ is a new but very common addition at number twelve; not forgetting, of course, the infamous ‘letmein’.

So what can I do?
What we are seeing here is a fundamental attack on passwords themselves. Hackers are simply exploiting the fact that people use the same password for every account, by trying the same leaked address/password combination against multiple accounts.
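The attack described above leaves a recognisable trace on the defending side: one source address attempting logins against many different accounts in a short time, which a legitimate user retrying their own password does not do. The following is an added example, not code from the original post, that flags this pattern in a constructed, hypothetical auth log (timestamp, source IP, username, outcome); the log format, window and threshold are assumptions to adapt to your own logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format, not real data):
# timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2014-02-19T09:00:01 203.0.113.7 alice@example.com FAIL
2014-02-19T09:00:03 203.0.113.7 bob@example.com FAIL
2014-02-19T09:00:04 203.0.113.7 carol@example.com FAIL
2014-02-19T09:00:06 203.0.113.7 dave@example.com OK
2014-02-19T09:00:09 203.0.113.7 erin@example.com FAIL
2014-02-19T09:01:00 198.51.100.2 frank@example.com FAIL
2014-02-19T09:01:30 198.51.100.2 frank@example.com FAIL
2014-02-19T09:02:00 198.51.100.2 frank@example.com OK
"""


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=4):
    """Return {ip: {"accounts": [...], "succeeded": [...]}} for every source IP
    that tries at least `min_users` distinct accounts within `window`.
    Attempts are counted whether they fail or succeed, because a leaked
    address/password pair that still works is exactly the case to catch;
    "succeeded" lists the accounts that should be reset first."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, attempts in by_ip.items():
        start, hit = 0, set()
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u, _ in attempts[start:end + 1]}
            if len(users) >= min_users:
                hit |= users
        if hit:
            succeeded = sorted(u for _, u, o in attempts if u in hit and o == "OK")
            flagged[ip] = {"accounts": sorted(hit), "succeeded": succeeded}
    return flagged
```

The same user retrying one account from one address (198.51.100.2 above) is not flagged, so the check distinguishes a forgotten password from a replayed breach list.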

Essentially, it is important not to reuse one password across a number of accounts, and to keep those passwords as impersonal as possible. Long passwords that combine upper- and lower-case letters, numbers and other random characters will also reduce the likelihood of your data getting into the wrong hands.

As the number of vital web-based services increases, passwords become more difficult to manage as a host of complex passwords simply cannot be maintained accurately by the average user. It begs the question – is there anything that can actually replace the password and make our online experience easier?
