The most common passwords are no secret: 123456. 123456789. 1234. Neither are the unsecured places where users “hide” them. On Post-it notes under a keyboard. In a three-ring binder. In a notes file on a smartphone.
But even security pros who keep their passwords complicated and don't store them in an unencrypted Excel document aren't completely safe. Hackers don't discriminate. And, if the headlines are to be believed, they're winning the password war.
A Russian group compiled a database of more than four billion credentials. A South Korean data breach impacted more than 200 million citizens. Millions of eBay users' credentials were put up for sale online.
Not that it's much of a war – although the spoils are significant – because passwords just don't cut it anymore. Think David up against Goliath, but without a slingshot in sight. When you're a hacker and the first line of defense is the conventional username/password combo, the odds are almost always in your favor. Still, organizations rely on them – and that makes it harder for IT security pros to keep their enterprises protected. One breach, or one intruder gaining access, can result in job loss and questioning of a security staffer's qualifications. CISOs have notoriously short life spans with one company, says Rick Doten, CISO at DMI, a provider of mobile solutions and services. “Mature companies learn from every incident, and constantly improve their posture. Other ‘not enlightened’ companies just expect all the technology to work, and think the security team didn't buy the right stuff, or enough stuff to do the job. It's never a technology issue.”
Yes, changing user passwords every six weeks or so does mitigate some risk, but this strategy often makes the process too complex, and employees won't comply simply because they cannot remember a string of random letters and characters. Besides, most organizations don't bother to make regular changes at all. In fact, a study by Los Angeles-based Lieberman Software found that only 53 percent of organizations update their service account and process account passwords on a quarterly basis.
“If passwords only get updated on a monthly or quarterly basis, think about the damage a cybercriminal can do in that time,” says Philip Lieberman, president of Lieberman Software, which provides privilege management solutions. “[It can provide] one to three months of unlimited access into an organization's critical systems.”
Randy Barr, vice president and chief security and information officer at Saba, a San Francisco-area next-generation cloud solutions provider, looks at passwords the way he does his toothbrush. “Use it often, and do not share.” Plus, change it frequently.
But, of course, there are always those employees who ask to be exempted from password changes – so maybe password rotations aren't the ultimate solution.
It might be time – actually past time – for the security community to start seriously weighing alternatives to passwords. Luckily, there are many, though choosing the right one for an organization takes careful planning and consideration of a host of factors, including organizational needs, solution complexity, implementation effort and budget.
The classic IT security conundrum – convenience versus security – inevitably pops up when considering any password alternative.