Centre d’abonnement

Des informations en temps réel du chef de file de l'industrie TI.

What’s the Deal With Passwords?

24 Jun 2015 by Bob Violino

User passwords are among the more maligned security mechanisms in the business world. This is largely because they tend to be misused and can actually end up becoming security liabilities rather than effectively protecting against unauthorized access to corporate information assets.

Many users do not take passwords seriously enough, and opt for convenience rather than vigilance when creating and using them. This can lead to passwords becoming the weak links of information security strategies.

Given this scenario, what’s the future of passwords? They will not likely go away any time soon, because of the prevalence of the password concept for access to applications, online accounts, etc. But vendors are working to make it easier to use passwords, or to develop alternate access techniques that make it possible to avoid using them altogether.

The most prevalent problem with passwords

One of the biggest problems with passwords is that users choose easy-to-remember codes rather than truly safe entry points that would be difficult for an intruder to track. This makes sense, because it’s natural for users to want to get access to apps or accounts quickly and easily. And the typical user needs multiple passwords to gain access to different things online.

In its latest annual listing of the 25 most common passwords found on the Internet, SplashData notes that these "worst passwords" will expose anyone to being hacked or having their identities stolen. The fourth annual report, which the company compiled from more than 3.3 million leaked passwords during the year, shows that "123456" and "password" continued to rank at the top of list of most common passwords.

Simple numerical passwords have remained common over the years, and nine of the top 25 passwords on the list included numbers only. The list of often-used passwords clearly shows that many users continue to put themselves at risk by employing weak and easily guessable passwords, the report says.

The impact of passwords on productivity

Aside from passwords being weak, the use and misuse of passwords can be costly to organizations in a number of ways. There are potential productivity issues when workers forget their passwords and can’t gain the access they need until they get a password reset or notification from the IT department.

The other productivity impact is on the IT department itself, particularly the help desk or other support staff that needs to address the problem of forgotten passwords rather than deal with other issues.

Then there’s the issue of passwords expiring and needing to be reset on a regular basis as part of corporate policy. This is seemingly not a big deal, but still takes employees away from other tasks. It can also increase the chances of users forgetting their passwords.

Given that many people forget their passwords and rely on a number of them to gain access, a lot of users take to writing them down. Many a security and IT administrator has likely seen workers write passwords on Post-It notes and then attach them to monitors or desktops.

Improving the problematic password

Fortunately, IT vendors are delivering ways to ease the pain of passwords for users as well as managers.

For example, Microsoft in early 2015 announced that Windows 10 includes a feature called Windows Hello, a biometric authentication capability that provides instant access to Windows 10 devices without the need for a password.

With Windows Hello, a user just needs to show his face or touch a finger to devices running Windows 10 and be immediately recognized to gain access. The system enables users to authenticate applications, enterprise content and certain online interactions without a password being stored on the device or in a network server.

Intel also unveiled technology earlier this year that’s designed to decrease or eliminate reliance on passwords or make them easier to user. One offering, True Key from Intel Security, is an application for authenticating online identities.

Users can install the app on a smartphone, tablet or computer, and as they navigate apps, websites and devices, it helps them choose stronger passwords and makes using them effortless with a password generator, military-grade encryption and multiple advanced-security technologies.

True Key also uses biometrics factors, such as facial recognition and fingerprint scanning on supported devices, including iOS and Samsung phones. This allows users to login to devices securely and move across websites without having to enter a password, because the app does that automatically.

Intel says True Key removes the hassle of having to remember passwords and instantly logs users onto apps, sites and devices using multiple factors that are unique to users.

The company also introduced a family of hardware and software products called RealSense. One offering, the RealSense 3D camera, is what Intel calls the first integrated 3D depth and 2D camera module that helps devices "see" depth much like the human eye.

The RealSense 3D camera features a depth sensor and full 1080p color camera, and has the ability to detect finger level movements, enabling highly accurate gesture recognition, facial features for understanding movement and emotions. Intel says the capabilities of RealSense in combination with True Key will take biometric access to another level.

The camera will be integrated into a growing number of Intel-based devices including tablets and notebooks.

In another recent development, Yahoo announced a product aimed at making it easier for users to access its email application via passwords. The new technology, on-demand passwords, is designed to make it simpler for users to log onto their Yahoo email accounts.

Designed mainly for people who tend to forget their passwords when trying to access email, on-demand passwords are texted to users’ mobile phones whenever they need them to use email. As a result, they no longer need to memorize difficult passwords to sign into accounts.

With the new password feature, users can now sign in to their Yahoo.com accounts, access the account information page, select “security” and click on the slider for “on-demand passwords” to opt-in.

Once users enter a phone number, Yahoo sends a verification code. Entering the code grants access to email. The next time users sign in to the email app Yahoo automatically sends a password to a user’s phone.

Designed mainly for people who tend to forget their passwords when trying to access email, on-demand passwords are texted to users’ mobile phones whenever they need them to use email. As a result, they no longer need to memorize difficult passwords to sign into accounts.

Google joined the password-improvement movement as well, launching Password Alert for Chrome. The tool alerts users when they enter a password on a website pretending to be Google.

Maybe we're seeing the final days of user names and passwords, as Jan Valcke, president and CEO of VASCO Data Security wrote in an article on IDG Connect. "We are seeing the final days of user names and passwords as hackers drive the industry to more secure methods of authentication. One-time passwords are the key solution."

No doubt we’ll see more password innovation in the coming months and years, including possibly passwords replaced by brain waves. Until then, IT vendors will continue to invest a lot of time and trouble to fix the fundamentally broken password system. And if we don’t get better at defense, hackers will keep getting better at the offense.