By Richard Dornhart, National Security Practice Manager, Data#3
Passwords make me stop and think.
Typically, I am trying to think – “what is my password?”
I’m sure I’m not alone in this situation. I recently read that the average user has 26 password-protected accounts but only five different passwords! I suspect this is because most of us cannot remember 26 different passwords, so we reuse the same few over and over again.
I’ll admit, there are some clever people out there who have photographic memories, or an enviable knack for remembering strings of complex letters and numbers. For the majority of us, however, our passwords end up being a combination of letters and numbers that is simply easy to remember, and that combination gets repeated across sites. We then typically change one letter or number every 90 days just to comply with the corporate password policy.
When it comes to Cloud based services, many of these sites do not even force a regular password change. How many people do you know who schedule time into their diary to change their Gmail or Spotify passwords? Those among us who are lazy probably rarely change these passwords at all. I am not saying everyone is lazy, I am just saying most of us have enough going on in life and changing passwords is not top of the list.
Passwords guard our valuable assets.
The scary truth is that today, passwords are typically all that stands between us and our most valuable assets: our money, super, credit cards, insurance, online storage, email, streaming music… and the list keeps getting longer. It sometimes seems like a daily event to sign up for a new service that requires a username and password.
In our corporate lives the same is true. There was a time when we only needed to log in once to our work computer to gain access to all the resources we needed to do our jobs. Today, we are required to log in from multiple devices and access multiple applications, some of which are internal, some hosted in Public Cloud environments and some delivered “as a service”. We are going through change at a rate we have never seen before.
What is interesting is that with all this change, one thing has remained constant: THE PASSWORD.
In most cases we are still using passwords as the primary authenticator. I have noticed many sites now rate my password before I submit it. These sites tell me whether it is complex enough or not, suggesting I use a capital letter, a number or a symbol before it will be accepted. This is not a solution; in fact it makes the problem worse. Now I have taken my old faithful password and added a capital letter, a number and a symbol. That is exactly the kind of predictable mutation a password-cracking tool tries first, and guess what? The next time I need to use it I have no idea what it was.
So, what’s the solution?
One solution to this password sprawl that is gaining popularity is a password vault. This does work; however, depending on the provider you choose, you may need to install and synchronise a client on your iPad, Surface, Laptop, iPhone and Desktop. All this just to support 8 – 15 characters. Password complexity is not the answer.
It’s time to KILL THE PASSWORD.
It’s time to adopt technology such as two-factor authentication, one-time passwords or biometrics. We should consider the opportunities these technologies can provide for us:
I believe there will be a day in the not too distant future when passwords will be history. For now, instead of using the same password and changing one letter every 90 days, consider a longer passphrase like a song lyric or a favourite poem or phrase, ideally one that is personal to you rather than one everybody knows. As a general rule, the longer the password, the longer it will take to crack.
Go on and #KillThePassword.