We are swimming in passwords. We have too many password combinations to manage and most of us are overwhelmed by trying to remember just exactly how to get into our most basic systems – email, for example – just for us to do our jobs that there’s little left to do but toss our arms in the air, or write these passwords down and paste them all over our desk and office.
Based on my experiences, most of us are required to remember between four and seven password and login credential combinations. It’s not unheard of for some of us to 12 or more login combinations.
However, even with this many credentials, are we really using them correctly or efficiently? According to a recent UK government awareness campaign, most of us are leaving ourselves at risk of identity theft, fraud and extortion by not taking simple, but necessary steps to protect ourselves online. Also, supporting what most of us already know, more than one in three (35 per cent) said they struggle to remember strong passwords. No surprise here.
Additionally, more than 95 per cent said they take responsibility for their own security online, but nearly 50 per cent admitted using particularly unsafe passwords like notable dates and the names of their pets. The UK also recently pledged £860 million across five years as part of a plan to respond to online security threats.
There are some surprisingly easy steps to take to better protect yourself from breach. Don’t use default passwords that come with devices, such as routers. Amazingly, many people do not bother to come up with their own passwords.
Avoid words found from the dictionary and anything associated with you as an individual like maiden names and the birth dates. Passwords should not be written down, of course. No Post-it notes with passwords written on them for the world to see. This scenario reminds me of the time when a law enforcement official in Holland was interviewed at his desk about a case he was working on. On screen, behind him, was his computer monitor, with his user name and password taped to it for all to see.
Also, always try to change the default username and password on anything you buy. Make passwords complex. Passwords, like a series of characters that are strung together and make no sense, can be valuable. Substitute a “3” for an “E” or a dollar sign for an “s”.
Don’t choose words you’re associated with, such as the name of a pet. Also, perhaps use different passwords for different sites and systems, as is often discussed, though it’s tedious. The Government Communications Headquarters also released new password guidelines to go by. According to its report, “Password guidance: simplifying your approach”, complex passwords are no longer recommended, however. According to The Guardian, the agency is recommending the use of passwords made “from three random words, using password managers and jettisoning overly complex password rules in favour of systems capable of detecting unauthorised activity.”
The suggestions seem sensible at face value, allowing users to remember passwords and not forcing them to reuse complex strings of letters, numbers and special characters for many services because they can only remember one or two. No matter your particular feeling toward the agency, which has been accused of snooping on the peeps, its password guidance is not particularly off base. “Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users,” said Ciaran Martin, director general of cyber security, told the newspaper.
Some of the advice offered to consumers - the same that can be picked up and taken down field by their business peers - include common sense guidance, such as making sure to reset all default vendor-supplied passwords that come with any system or software and never sharing your password with other users”. You’d be surprised at how many times business IT leaders actually use the default passwords that are provided for use only the moment it comes out of the box.
GCHQ also recommends having higher levels of security for administrators and remote workers, who, it says, should be forced to use two-factor authentication to protect their accounts. A solid choice, especially for business, two-factor authentication requires securing the primary login using a pass card or biometrics. Thus, users log in by presenting a pass card/biometric to an electronic reader and entering a PIN code rather than the standard username and password. Combining a pass card/biometrics and a PIN code ensures a much stronger authentication, minimising the possibility of a network breach.
Or, another solution to simplify the process further is deployment of an enterprise single sign-on manager that offers full integration with all common two-factor authentication readers, proximity-based devices and RFID readers. One login means employees only must login on account and all others are opened when needed during the session.
And, before you begin to suggest that one password is less secure than many, remember that the more passwords have to remember them so they likely write them down and store them near or around their computer. With only one credential to remember, people are less likely to store it insecurely.
Each of these solutions will help organisations achieve the desire affect – better use of passwords that actually help protect their own information, as well as the information of their organisations. Even though we’re swimming in passwords, these are some simple ways to drain the pool.
Robert Doswell, managing director, Tools4ever UK