Blog: The problem with passwords
Johnston Carmichael’s IT audit manager, Andrew Davidson, explains why password security is important
Let’s say I walked up to you and said “I can guess your password”…
It sounds like some sort of magic trick. You’re probably thinking “Nah - you’ll never guess mine” and sitting back smugly, waiting to see the trick.
Say for the moment that you’ve picked a good password (I hope you have). Your company policy probably requires you to change this password every so often (90 days is common).
So how do you decide the next password? Many people find completely new passwords difficult to remember and so simply change a small component of their existing password.
What do you do?
Increase a number perhaps?
Change one letter?
Consider this: if someone had discovered what your last password was, how difficult would it be to guess your current one? In the majority of these cases it can be guessed within three tries, well within the number of attempts a normal “lock-out” threshold allows before it kicks in.
“I can guess your password” suddenly seems less of a challenge if they’ve somehow got your last password.
The whole reason we change passwords on a regular basis is not simply to annoy staff by increasing the risk of them locking themselves out of their own accounts. The aim is to reduce the risk that someone who has learned your password can still use it at a later date, or to shrink the window of opportunity in which they can “guess” it. They may have seen you type in portions of it and, over time, seen enough to piece together the whole thing. Changing the password regularly should reduce such risks.
But if our passwords are only one digit away from the previous one then there’s almost no point in changing the password at all. In this case, the user has effectively bypassed the control. Predictability is the greatest gift to any hacker.
Part of the problem is that the simple act of having to change passwords is actually forcing us to make our passwords simpler so we can remember them.
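One way an organisation can stop users bypassing the control in this way is to check, at change time, whether the new password is merely a small tweak of the old one. The following is an added example, not code from the original post or from Johnston Carmichael: it measures how many single-character edits separate the two passwords (Levenshtein distance) and also catches the “increment the number” and “change the case” tricks described above. The threshold of three edits is an assumption chosen for illustration.

```python
"""Reject a new password that is a predictable tweak of the previous one.

Added illustration (not code from the original post): a password-change
check that refuses a candidate whose edit distance from the old password
is small, or which only changes the trailing number, the case, or the
character order of the old password.
"""
import re


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or substitutions."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, min_distance: int = 3) -> bool:
    """True when `new` is a predictable derivation of `old`.

    `min_distance` (assumed value 3) is the smallest number of edits that
    counts as a genuinely different password.
    """
    old_l, new_l = old.lower(), new.lower()   # case changes alone do not count
    if levenshtein(old_l, new_l) < min_distance:
        return True
    # Same stem with only the trailing number changed, e.g. Summer2023 -> Summer2024
    m_old = re.fullmatch(r"(.*?)(\d+)", old_l)
    m_new = re.fullmatch(r"(.*?)(\d+)", new_l)
    if m_old and m_new and m_old.group(1) == m_new.group(1):
        return True
    # The old password written backwards
    if new_l == old_l[::-1]:
        return True
    return False


def check_password_change(old: str, new: str) -> str:
    """Return 'rejected' or 'accepted' for a proposed password change."""
    return "rejected" if is_trivial_change(old, new) else "accepted"


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Winter2023!", "Winter2024!"),
                     ("Tr0ub4dor", "Tr0ub4doR"),
                     ("Winter2023!", "correct-horse-battery")]:
        print(f"{old} -> {new}: {check_password_change(old, new)}")
```

In practice the old password is only available in the clear at the moment the user submits both values on the change form, which is exactly where a check like this belongs; it must never be run against stored hashes.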
The bigger problem with passwords
The key problem lies in the fact that we, as human beings, are not very good at remembering passwords, nor very creative in choosing them. Those of us who do create unique passwords often end up on the phone to IT to ask them to unlock the machine as we’ve forgotten it a mere day or two after creating it.
And when you multiply this by each bank account we have, online energy account, online shopping accounts, email accounts, mobile phone pin, bank card pin, broadband provider password… the list can go on for quite a while.
One online survey found that the average person has around 27 discrete online logins. However, there are far fewer than 27 discrete passwords for these. In some cases they all use the same password!
So what can we do about it?
There are many solutions to improve security. Two-factor authentication and biometric logins are among them, but for those of us stuck with a single password, what can we do about it?
There are also many solutions to choosing a good password (a quick search through Google will give you dozens of methods). The best passwords are randomly generated characters, numbers and special characters and the longer the better. But these are not easily remembered and require password safes (such as “1Password” – a mobile phone password safe recommended to me by a group of ethical hackers).
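The claim that randomly generated passwords are best, and that longer is better, can be made concrete. The following is an added example, not code from the original post or from 1Password: it generates a password from a cryptographically secure random source (Python’s `secrets` module rather than `random`) and computes how many bits of entropy a uniformly random password of a given length and alphabet carries, which is what makes it hard to guess. The default length of 20 is an assumption chosen for illustration.

```python
"""Generate a random password and quantify its strength.

Added illustration (not from the original post or any password manager):
uses the `secrets` CSPRNG and reports entropy as length * log2(alphabet size),
the figure that drives how many guesses an attacker needs on average.
"""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols excluding space
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly at random from `alphabet`."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def longer_beats_wider(long_len: int, small_alphabet: int,
                       short_len: int, big_alphabet: int) -> bool:
    """True when the longer password over the smaller alphabet has more entropy."""
    return entropy_bits(long_len, small_alphabet) > entropy_bits(short_len, big_alphabet)


if __name__ == "__main__":
    pw = generate_password()
    print(f"{pw}  ({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    # 16 lowercase letters versus 8 characters from the full 94-symbol set
    print("16 lowercase letters:", round(entropy_bits(16, 26), 1), "bits")
    print("8 mixed characters:  ", round(entropy_bits(8, 94), 1), "bits")
```

The comparison at the end is the point of the exercise: sixteen random lowercase letters (about 75 bits) are stronger than eight characters drawn from the full keyboard (about 52 bits), which is why a password safe that generates and remembers long random strings for you is such a good trade.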
For those of us with 27 or more passwords, many of which we use only once a month or less, this is the ideal solution and it can keep your online presence secure (just remember to keep the app on your phone backed up, so that if your phone is lost you can still get the passwords back).