IT Security Guru

Overcoming the challenges of passwords

by The Gurus
June 30, 2016
in Opinions & Analysis

By Dave Worrall, CTO at Secure Cloudlink 
The explosion of businesses transacting online, social media sites, mobile devices and applications in the workplace has left each of us needing to remember more usernames and passwords than ever before. Add to this the complexity of new cloud-based applications, the rise of Shadow IT as well as BYOD, and the world of the IT manager suddenly becomes one of risk management, and for the end user a never-ending rigmarole of trying to remember passwords.
Many will present unique and quirky ways to manage the password process. However, a more obvious, yet not widely discussed, solution would be to do away with passwords altogether. On the surface this idea seems incomprehensible, but dig a little deeper and the argument certainly has merit, especially when you consider that most password security systems for business applications and websites are largely flawed.
Designs that were acceptable a decade ago have simply not been updated. Instead of trying to find better solutions, the IT industry has continued to operate under a system of password acceleration across multiple, often incompatible systems. Suppliers who feel no pressure to do anything new or better increasingly expose end users to security threats. We only have to look at how criminals used SWIFT messages to steal $81 million from the Bangladesh Central Bank to understand the security risks organisations and individuals face.
The growth of passwords – enhanced by even more people coming online and rising numbers of connected devices – is leading to greater threats to our online security. The recent news that over 100 million LinkedIn passwords, sourced from a breach four years ago, are now for sale should act as a stark reminder for individuals and organisations of the flaw presented by passwords.
What are the main challenges of passwords and how can individuals, businesses and security experts overcome these?
The challenges of the Internet
The Internet was created for resilience and information sharing, and it included very early on the concept of an ID and password security system, but did not provide the necessary encryption to protect them. Consequently, passwords are usually transmitted unprotected and could even be sent with every page that needs access to a password protected area, meaning an attacker is largely left uninterrupted to try and crack it while the site is live.
You could pick a series of complex passwords for a number of different apps, making each one ‘strong’ against guessing. However, the risk is that if a site is hacked and the website or server doesn’t store passwords in an encrypted format, then your personal details and corporate data are compromised. Even if passwords are encrypted, they can be stolen and the encryption can be cracked.
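The storage risk described above, as an added example that is not part of the original article: it contrasts an unsalted fast hash with a salted, memory-hard one-way hash (scrypt, chosen here as an assumption; the article speaks only of "encrypted" storage). All function names, cost parameters and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters for this example; tune them to your hardware.
N, R, P = 2**14, 8, 1

def weak_store(password: str) -> str:
    """Contrast case: unsalted, fast SHA-256. Equal passwords give equal records."""
    return hashlib.sha256(password.encode()).hexdigest()

def strong_store(password: str) -> str:
    """Per-user random salt plus memory-hard scrypt, serialised with its parameters."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"

def strong_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        expected = bytes.fromhex(key_hex)
        if scheme != "scrypt" or len(expected) != 32:
            return False
        got = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=32)
    except (ValueError, OverflowError):  # malformed or tampered record
        return False
    return hmac.compare_digest(got, expected)

def shared_records(table: dict) -> list:
    """Groups of accounts whose stored records are identical (one crack exposes all)."""
    groups = {}
    for user, record in table.items():
        groups.setdefault(record, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts: alice and bob reuse the same password.
SAMPLE = {"alice": "Summer2016!", "bob": "Summer2016!", "carol": "x9#Lq-tR2v"}

if __name__ == "__main__":
    weak = {u: weak_store(pw) for u, pw in SAMPLE.items()}
    strong = {u: strong_store(pw) for u, pw in SAMPLE.items()}
    print("weak scheme, identical records:", shared_records(weak))
    print("strong scheme, identical records:", shared_records(strong))
    print("alice verifies:", strong_verify("Summer2016!", strong["alice"]))
```

With the unsalted scheme a stolen table reveals which accounts share a password, so recovering one password exposes all of them; the salted scheme gives every account a distinct record and makes each guess cost a full scrypt computation.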
Human nature
Today each and every time we sign up at a new website, open a new app on our mobile device, or log in at work we are confronted with the challenge of what we should enter as a password. And here, our human nature comes into play – and in the process the inherent weakness of existing password protection is revealed.
Often, the easiest route is to pick a simple password that is easy to remember or we use an existing password. This means a user can access business applications and systems faster. However, this is where the issue lies. Passwords that are easily entered and remembered are fundamentally weak as they can be second-guessed and therefore compromised by a hacker, thus presenting another fundamental flaw.
The cost of forgetting passwords
Then there are also those who still sit at their desk with the password for their corporate network on a Post-It for all to see. Lose this and you will then need to contact the IT administrator for a password reset – costing both time and money to rectify. And then there are those who choose to create a mental algorithm as a password. But these are easily guessed and, since we’re all still human, the chances are the user may have created an algorithm they simply forget.
As if this is not challenging enough, computing power has increased so much that a simple graphics card can crack a strong password.
To counter the user’s attempt to make their own lives easier, password security systems adapted to ensure that passwords themselves were changed on a regular basis, compelling the user to create a new and different password, checked against a list of previously used ones. More sophisticated passwords have now been developed with enforced rules requiring them to be structured using letters and digits in non-repeating patterns. But the password itself still exists. What also still exists are the costs to the business when people forget their passwords.
Putting your enterprise in jeopardy
Security vendors and IT departments are therefore continuing to ignore the real problems faced by human beings – the very people using these systems in the first place. Some of the solutions that are now being developed include biometrics, password managers and single sign-on (SSO), all of which have been designed to look and feel like you are not using a password. But the truth is you are: the password is merely masked from the user, because whirring away in the background behind the user interface are programs that are doing what they have always done – transmitting a password.
Here lies the problem. Password sharing puts the enterprise at risk not only of data loss and the inherent loss of reputation and potential IP, but also of issues around license compliance and loss of revenue, nowhere more so than for the so-called born-in-the-cloud SaaS providers. The imminent implementation of the General Data Protection Regulation (GDPR) will focus many a mind with its new mandatory fines and breach notifications.
Passwords have evolved into an untenable means of authentication due to the fundamental security vulnerabilities they present. Now is the time to look at solutions that eliminate the need for the password in the first place.
