The dangers of leaving password management in the hands of people

We all agree that there are more secure alternatives and other authentication methods that can complement and may even eventually replace passwords.

Perhaps unsurprisingly, the top critical security control highlighted in the Verizon 2015 Data Breach Investigations Report (DBIR) was two-factor authentication (2FA). However, the password is going to be around for many years, and we should be doing all we can to make passwords better.

For the vast majority of applications, they remain the only option. Although there is essentially nothing wrong with using passwords, barely a week goes by without a high profile data breach hitting the headlines as a result of weak or stolen credentials. In fact, a report from PwC earlier this year found that nearly three-quarters of UK small businesses have experienced a security breach – an increase on the 2014 and 2013 figures. And when the 650-or-so respondents were questioned further about the single worst breach suffered, almost one third of them cited human error as the cause. Essentially, users select passwords that are too simple, too short and too predictable.

Analysing actual passwords published from large-scale attacks (including Sony and LinkedIn) shows that more than 50 per cent are fewer than eight characters, 50 per cent contain only numbers or only letters, and only about one per cent contain a non-alphanumeric character. Cracking more than 80 per cent of user-selected passwords is relatively easy, even when they are stored hashed in a database.

To make things worse (for themselves), users reuse the same passwords across different systems and services. Attackers who gain access to one service can then sign in freely to email, social media, online shopping and even mobile phone and bank accounts. Despite attempts to educate people on the importance of using even relatively long, complex, random unique strings, they don’t. And they rarely change them.

So what is the solution to this age-old problem?

What if small businesses could improve the way passwords are implemented and take the responsibility for selecting and regularly changing them away from the user entirely? Security – and the user experience – would be improved significantly.

As a first step, small businesses can cost-effectively implement automated password management practices to give employees the access they need, without them knowing or needing passwords to individual applications, through the use of a Single Sign-On (SSO) solution.

Removing human interaction with passwords and automating their selection and frequency of change is certainly a step in the right direction. This approach protects the small business by ensuring that if a large-scale breach does occur, then the stolen password is unique and not reused across multiple services. When applied to internal accounts on internal systems, it may slow down an attacker and even prevent a breach from happening altogether – safeguarding business information and integrity.
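As an added illustration (not code from the article or from Intermedia), the script below measures a password list against the three weaknesses the breach analysis above counts (shorter than eight characters, a single character class, no non-alphanumeric character) and contrasts user-chosen passwords with machine-generated ones of the kind an automated password manager would issue. The sample password list is constructed for the example, not taken from any real breach dump.

```python
import secrets
import string
from typing import Dict, List

# Constructed sample of user-chosen passwords (not a real breach dump).
SAMPLE_PASSWORDS = [
    "123456", "password", "qwerty", "letmein1", "Summer2015",
    "abc123", "P@ssw0rd!", "monkey", "111111", "correcthorse",
]


def classify(password: str) -> Dict[str, bool]:
    """Flag the three weaknesses the article's breach analysis counts."""
    return {
        "short": len(password) < 8,
        "single_class": password.isdigit() or password.isalpha(),
        "has_non_alnum": any(c in string.punctuation for c in password),
    }


def audit(passwords: List[str]) -> Dict[str, float]:
    """Percentage of the list that falls into each weakness category."""
    flags = [classify(p) for p in passwords]
    total = len(flags)
    return {key: 100.0 * sum(f[key] for f in flags) / total for key in flags[0]}


def generate_password(length: int = 20) -> str:
    """Machine-selected password: one char from each class, rest random, shuffled."""
    rng = secrets.SystemRandom()  # OS-backed CSPRNG, never random.Random()
    classes = [string.ascii_letters, string.digits, string.punctuation]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    print("user-chosen:", audit(SAMPLE_PASSWORDS))
    # Unique per-service passwords, as the automated approach produces.
    generated = [generate_password() for _ in range(100)]
    print("generated:", audit(generated), "unique:", len(set(generated)) == 100)
```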

Ultimately, small businesses need to be more pragmatic in their approach to password management and security.

Clearly, the level of security required completely depends on the risk appetite of the organisation, but if you’re a small business with a mobile workforce that holds confidential information at the helm, an automated password management practice will significantly reduce the likelihood of sensitive information escaping the business.

Richard Walters, General Manager and Vice President of Identity and Access Management (IAM), Intermedia