The importance of setting strong passwords is hammered into us every week. We visit websites which have registration forms that tell you how secure your chosen password is. We hear about it on the news. We see it in emails we get every few months reminding us to update our passwords. So, you'd have thought by now, that most people use somewhat strong passwords, right? Unfortunately that's just not the case, and it's quite likely that insecure passwords are some of the largest vulnerabilities that exists in your organisation.
Let's take a look at Adobe's data breach. It was a widely reported security disaster, whereby ~150 million encrypted passwords were leaked, creating one of the biggest crossword puzzles of all time. It didn't take long for people to start trying to crack it, and within no time at all, a list of the 100 most commonly used passwords were released.Of the 150 million leaked passwords, 1.9 million were "123456", 450 thousand were "123456789" and 350 thousand the famous "password". In total, 5.96 million of the passwords leaked were in this top 100 list. About 4%. Now, if people are doing this with their online accounts, what about their computer passwords? Company email credentials? Intranet login details? Accounting software logins?... It doesn't take much for an attacker to test 100 common passwords against a few hundred employees. How long will it be until they find a match, and compromise your systems? Not long. What's an organisation to do about it, though? Weak passwords are a lot like the flu of information security. A persistent problem that we don't seem to be very good at solving. Lots of promising options have so far been slow to replace passwords, but there are a few reasonable options available to organisations.
Single sign-on is all about reducing the number of places your employees need to login. Combining systems so that one remembered password is enough. This means that all employees can use one secure password for their single sign-on login, and not have to worry about any others, resulting in more secure password choices. The great thing about single sign-on is that it also simultaneously improves productivity. Employees spend less time trying to remember usernames, passwords, and phoning up IT, and more time doing their job.Of course, single sign-on isn't without its risks. If an employee's main password is compromised, all of the systems they can access is compromised. This means that educating employees on secure password best practices is vital.
Biometrics are taking off slowly, but offer an excellent opportunity for organisations to eliminate passwords altogether. There are still issues, for example Lenovo's ThinkPads had fingerprint scanners for authentication that were great for a while, but once the sensors got dirty it took countless swipes to gain access, and a whole load of user frustration. That's far from perfect.One promising area in biometrics are voice recognition tools. There's some impressive technology around like Nuance's voice biometrics solution that allows employees to authenticate themselves with their voice.
Bringing it Together With Two-Factor Authentication
Perhaps the most favoured way to improve password security is to combine more than one authentication method. If you're going to use single sign-on with a password, combine it with a second method of authentication. For example, when someone signs-in, send a text message to their mobile phone with a unique number they need to input to login for that particular session. Another two-factor option available is to combine a single sign-on password with biometrics. How about having users use voice authentication in addition to their password?Two-factor authentication makes life much harder for attackers. It's a much bigger challenge to acquire both someone's password, and full access to their mobile phone, or a password and their voice for authentication. So don't let password security get swept under the mat. Think about how your company manages employee passwords, and what can be done to improve the situation. It's too big of an issue to be ignored.