Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Does your password stand up to the three year old test?

John Hines, Area Vice President, South Asia and India, Verizon Enterprise Solutions | Dec. 19, 2014
In a year full of data breaches due to exposed or weak credentials, John Hines, Area Vice President, South Asia and India, Verizon Enterprise Solutions discusses in this article the various authentication options available today, as well as their pros and cons.

Most parents of a three to four year old would tell you that their child can count up to ten. This is understandably a feat any parent would be proud of. However, this also means that a three to four year old is capable of rattling off two of the three most common passwords around - "123456" and "123456789", with "password" being the third.

The Adobe data breach of 2013 revealed that out of 38 million passwords, "123456", "123456789" and "password" accounted for 7.12 percent, or slightly more than 2.7 million. If any of those 2.7 million users have a child aged three or older, they should be feeling a bit uneasy knowing that their password is likely to be yelled out on a frequent basis.

Further analysis of the leaked passwords also showed that over 11 percent of people actually have the same 20 easy passwords. This means by simply having the 20 most common passwords at your fingertips, your odds of breaking into an account by brute force are looking pretty good.

With the Verizon 2014 Data Breach Investigations Report indicating that two out of three data breaches are a result of weak and exposed credentials, it is puzzling why organizations operating online do not implement rules that at least block the use of those top 20 or top 100 most used passwords.

The answer comes down to a combination of convenience and user laziness. It is safe to estimate that implementing rules that enforce the use of complex passwords would permanently chase away between 5 percent and 10 percent of customers who simply cannot be bothered to invent and remember anything complicated. No business owner wants to turn away customers.

Below is a rundown of the different identity authentication services available today and the benefits and challenges inherent with each solution:

Hardware tokens

For many years, banks and enterprises relied on combining username and password with a one-time number generated by a hardware token, and until recently, this had proven to be one of the most secure and convenient ways of authenticating user identity securely. However, the high cost of the tokens and the need to physically distribute them made this technology economically unviable for widespread consumer use. When you add to the equation the fact that people lose their tokens, leave them in their pockets when they wash their clothes or the token's batteries die, it is no wonder that we have seen a steep decline in the use of hardware tokens overall. The cost and logistics are too much of a burden for universal adoption.

Knowledge-based questions and answers (KBA)

Knowledge-based authentication is often used as a way to "unlock" yourself from a situation where you have forgotten your password. However, many people don't want to provide honest answers to personal questions like "Who was your first partner?" and often fill in fake details, which they promptly forget. For those who do answer the questions correctly, there is also bad news - data breaches at KBA providers have weakened the system severely by revealing "personal knowledge" information to cyberattackers. While a well-designed KBA-based system can be helpful in some specific situations, it is not a good alternative for strengthening everyday website authentication.

 

1  2  Next Page 

Sign up for Computerworld eNewsletters.