World Password Day won’t solve the numbnuts user problem


It may have been world password day recently, but people need to do more to up their own security settings.

May 3rd was World Password Day, whatever the feck that means. I couldn’t find any greetings cards in my local Pound Shop that covered it, which is probably just as well, as I couldn’t afford to buy one for all those folk with easy-to-guess passwords or ones re-used across multiple services. Which, I guess, is the point of the thing: reminding people about the importance of password construction and usage. I’m minded to suggest that a designated day once each year really isn’t enough when it comes to getting the secure credentials message across. That’s something that needs to be bashed home at every given opportunity, sadly.

I wouldn’t go so far as Brett Beranek, the Director of Product Strategy (Enterprise) at Nuance Communications, who reckons “the days of the password as a security measure are over; knowledge-based passwords are soon to become a chapter in the history books.” Complex and strong passwords still have a part to play, but that part has to be as one factor within a multi-factor authentication process rather than as the be-all and end-all of the credential chain. Most of us are now pretty comfortable with biometrics, be that a fingerprint, iris or even facial scan, for unlocking smartphones, tablets and some higher-end laptops. Yet underneath that biometric layer there remains the password (or PIN): the biometric is a convenience unlock layered on top of the knowledge factor, not a replacement for it, which is why the device will demand the PIN again after any cold boot.

Allen Storey, Chief Product Officer at Intercede, seems to agree with my stance. “If anything, World Password Day highlights that we’re still not taking security seriously enough. More robust, readily available alternatives are still being overlooked. The right security methods are out there and incorporate two of three distinct elements – possession (something you have, such as a smart card or smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, such as a fingerprint or face ID). These multiple levels of authentication make it much more difficult for cybercriminals to compromise; all it takes is a willingness from companies to implement.”

I’m a huge fan of multi-factor authentication, and have been using a combination of passwords, biometrics and other tokens such as code generators in hardware or software, for the longest time. It is, to paraphrase Peter Kaye, the future. Directly quoting someone else, the great William Gibson no less, “the future is already here, it’s just not very well distributed.” Passwords are likely going to remain for quite some time yet, and that means we need to focus on getting the real secure credentials message across.

At the risk of this article turning into some kind of cliche-a-thon, knowledge is power. So I was interested in having a read of the ‘Psychology of Passwords’ report from LastPass. Subtitled ‘Neglect is Helping Hackers Win’, this newly published analysis of its global research gives some insight into the realities of password habits. To cut to the chase, despite all the publicity surrounding major breaches over the last couple of years, password user behaviour remains much the same as it was in 2016 when the previous LastPass report came out.

It comes as no surprise to discover that 91% of respondents are aware that password re-use is a security risk, yet 59% still do it anyway. Or how about this one: 53% haven’t changed a password in the last 12 months even though a breach had been reported in the news media. In the UK, some 58% reckon there’s ‘no way’ a hacker could guess one of their passwords by gleaning intelligence from social media platforms.

So what’s going on to create this environment of numbnuts non-compliance with the security basics? The single biggest reason given for password re-use is, unsurprisingly, a fear of forgetting the thing. Perhaps more worryingly, and not that far behind it, the second biggest reason was ‘wanting to be in control’ of all their passwords. The latter really takes the biscuit, as such behaviour is, of course, highly likely to leave the user totally out of control of both their logins and their data. Both problems could be easily fixed by using a password vault of some kind, which I guess is why LastPass publishes such research in the first place.

Yet, allowing for the Mandy Rice-Davies Applies (MRDA) nature of the beast, password management is something we should all be taking seriously and we should all be encouraging our colleagues, friends and family to embrace. By doing so they can start using a different long, complex and truly randomly generated password for every account, every service. That these are not memorable doesn’t matter, as long as they remember the master password that unlocks the gateway to the vault. My own master password, for example, is in excess of 25 characters long, random, uses upper and lower case, numerics and special characters. Yet I can remember it because muscle memory is a wonderful thing. I memorise the first half a dozen characters and the rest come as if by magic from my fingers without me even realising it. To be on the safe side, that master password is also stored in an encrypted format in a couple of locations where I can access it if needs be. Of course, I have to remember another password for each of these but using a (rather lengthy) passphrase works well in this regard.
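As an added illustration of the vault habits described above (this is my example code, not the author’s setup and not any LastPass functionality), the script below generates a per-service random password that is guaranteed to contain upper case, lower case, digits and symbols, generates a passphrase in the style the author uses for the vault backups, works out how many bits of entropy each one carries, and scans a vault for the re-use that the LastPass research keeps finding. The vault contents and the tiny word list are constructed for the demo; a real passphrase generator would draw from a list of thousands of words.

```python
import hashlib
import hmac
import math
import secrets
import string
from collections import defaultdict

# Pool for per-service passwords: upper, lower, digits and punctuation (94 symbols).
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word list for the passphrase demo (5 bits per word).
# Assumption: illustrative only; a real generator uses a list of thousands of words.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "raven", "saffron", "timber", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "delta", "elm", "fjord",
]


def has_all_classes(password: str) -> bool:
    """True when the password contains upper, lower, digit and punctuation characters."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length: int = 25, alphabet: str = SYMBOL_ALPHABET) -> str:
    """Draw a uniformly random password from the alphabet using the CSPRNG in `secrets`.

    Candidates missing one of the four character classes are rejected and redrawn, so
    the result always satisfies has_all_classes(); at 25 characters a rejection is rare.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to hold all four character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform draw from the list."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of `length` independent uniform draws from a pool of `pool_size` items.

    For the rejection-sampled password this is an upper bound, since rejection removes
    a (tiny) fraction of the space; for the passphrase it is exact.
    """
    return length * math.log2(pool_size)


def find_reused(vault: dict, key: bytes) -> list:
    """Return groups of sites that share a password, without echoing the passwords.

    Each password is keyed-hashed with HMAC-SHA256 so the grouping table (which might
    end up in a report or log) never holds the plaintext. `key` is any secret per run.
    """
    groups = defaultdict(list)
    for site, password in vault.items():
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()
        groups[tag].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


# Constructed sample vault for the demo; the re-use in it is deliberate.
SAMPLE_VAULT = {
    "bank": "hunter2",
    "email": "hunter2",
    "forum": "hunter2",
    "shop": "correct-horse-battery-staple",
}


if __name__ == "__main__":
    pw = generate_password(25)
    print(f"password   : {pw}  (~{entropy_bits(25, len(SYMBOL_ALPHABET)):.1f} bits)")
    phrase = generate_passphrase(6)
    print(f"passphrase : {phrase}  ({entropy_bits(6, len(WORDLIST)):.1f} bits)")
    print("re-used on :", find_reused(SAMPLE_VAULT, secrets.token_bytes(32)))
```

The entropy figures are the point of the exercise: 25 characters from a 94-symbol pool is roughly 164 bits, far beyond anything an attacker will guess, and even six words from a list this small is 30 bits, which is why a real passphrase generator needs a word list of thousands of entries rather than 32. The re-use scan is the sort of check a vault runs for you; what it cannot do is make anyone set a unique password on the services it flags.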

Another finding from the LastPass research was that 47% of those taking part make no distinction between passwords created for home and for business usage. Only 19% said they create more secure passwords for work, and 62% use the same passwords for both. I am not actually advocating stronger passwords for work here, which I accept you probably think is a bit mad. What I am advocating is equally strong, secure, complex and random passwords wherever they are used. Surely that makes more sense? Get people used to accepting the need for strong passwords, combined with secure usage hygiene, and most of the work has been done.

Or at least you’d hope so. The research also suggests that saying one thing and doing another is commonplace behaviour, and that includes translating secure thinking into secure actions. 72% said they were ‘informed’ regarding password best practices, yet 64% of these people still said being able to easily remember a password was the most important thing. Then there were the 91% who apparently recognised password re-use as a security risk, with 58% of them ‘mostly or always’ doing so anyway.

“There remains a clear disconnect in users’ password beliefs and their willingness to take action” concludes Sandor Palfy, Chief Technology Officer of Identity and Access Management at LogMeIn (which owns LastPass) who adds “individuals seem to understand password best practices, but often exhibit password behaviours that can expose their information to threat actors.”

Ain’t that the truth, and it’s going to take a lot more than a World Password Day to change that.