The problem with simple passwords

The issue of passwords is something of an evergreen problem for technology users. People often choose obvious, simple passwords that are easy to remember. Research has shown that a group of 10,000 words are used by 98.8% of people as passwords. This means that a hacker with software written for the purpose could automate the process of trying every one of these, something known as a ‘brute force’ attack, and would be certain of being able to hack into almost 99 out of every 100 accounts.

The attacker could shrink the time taken to one-tenth and still hack more than 90 out of every 100 by using a much smaller pool of words because 91% of people select their passwords from a group of just 1000.

Despite the security risks, many choose simple passwords for their personal accounts. However, such an approach is unacceptable to businesses and may conflict with organisational IT security policies. The issues attached to simple and complex passwords mean it is often highly unsatisfactory and companies are likely to face the situation where users are frustrated or IT security is lax.

The problem with even complex passwords

Password best practice often requires people to remember multiple, complex random strings of characters. So they write them down, sometimes they stick them on the wall or on the edge of their monitor, once again, bringing themselves into conflict with IT security policies.

Of course, password changes can be forced on users, perhaps every 30 to 90 days and they can be prevented from reusing the last 10 passwords; today many systems advise on password strength when passwords are being first set up or changed. However, such methods may seem heavy-handed and may lead to users being locked out of accounts, creating problems for IT support and reducing productivity for the firm.

Remembering a password is part of the problem. However, there’s much more to it than this.

A user may reuse the same password for company system logon and for websites they like. A website is hacked and account details of users are stolen, such as in the infamous and ongoing Ashley Madison scandal. (IT security researchers that analysed the leaked data managed to crack 11 million of the user passwords.)

Even if it’s very complex, the attacker now has the user’s familiar password and can try to use it elsewhere. An obvious place to start is the domain associated with the email address. Often it just follows the familiar form: username@users_employer.com. You can guess the rest!

If it’s not the users business email address, often hackers turn to social media - it’s not difficult to use Facebook or LinkedIn to track down where someone works.

Another common hack is enabled when people logon to access business accounts from unsecured computers, such as home PCs, personal iPads and hotel computers. Unsecured devices may have keyloggers installed which report login details back to hackers. The rest is easy!

End password problems with OTK and Two Factor Authentication 

Two Factor Authentication(2FA), also known as Dual Factor or Multi-Factor Authentication defends such hacks. 2FA is a security system that means that in addition to a password, users need to provide another piece of information. There are a few examples:

• Asking questions to which only the user knows the answer
• Entering information from grid cards
• Biometrics - fingerprints or retina scans
• USB keys or swipe cards

Probably, the most commonly used is a One Time Key (OTK) which can be generated either by a small device in the users' possession or by an app on their phone. This code is requested from the device when logging in and the code is entered into an additional field of the login screen. It doesn’t matter that a hacker has obtained the users' login credentials, without the OTK or the second factor it is impossible to access the systems.

Many have experience of two-factor authentication, especially users of personal online banking services. However, the benefits of securing user accounts with 2FA are applicable to more than just managing personal financials.

Most regulated organisations including governments and financial institutions now use 2 or even 3-factor authentication for accessing critical systems. In the past, cost considerations made this solution unviable for anything other than large organisations. Now the cost is very affordable, there is really no reason why smaller businesses cannot have the same security as big business or government. 

Businesses of all sizes benefit because costs may be as little as £1 per user per month. As well as securing the user accounts of current employees it is easy to remove access immediately when someone leaves by simply asking them to surrender the personal digital device.

Two Factor Authentication and ISO 27001 security from HTL Support

HTL Support is an ISO 27001 accredited company, and all our cloud solutions are in compliance with this internationally recognised standard for information security. Consider the benefits of securing a Serviced Cloud hosted desktop cloud-based IT solution with Two Factor Authentication?

To start finding out more about how the cloud slashes the cost and improves security simply get in touch today.

Click here to read our blog 'What does ISO 27001 accreditation say about your managed services provider?'