While online identity remains a tough nut to crack, it becomes clearer every day that we must move beyond passwords sooner rather than later. Passwords have several weaknesses that leave corporate users, consumers and the online world at significant risk, because at the end of the day they rely on a shared secret between you and another party. The problem is: these secrets aren't so secret after all.
Passwords are weak both in how they work and in how we use them. The weaknesses fall into three main issues:
Passwords are easily stolen and reused. The passwords we use to verify and access our online identities are highly susceptible to being lost or stolen. As we have seen in recent years, they are not secure and are not keeping our information safe. Many recent large-scale data breaches have included the loss of password databases, which give attackers valuable material they can use to gain entry to personal, corporate or financial information. Even when a company stores passwords in hashed rather than clear-text form, a weak scheme (an unsalted, fast hash) lets a skilled attacker recover most of them quickly by guessing offline against the stolen hashes, leaving the accounts completely exposed. Worse yet, the rampant reuse of passwords on multiple sites means there is essentially a single point of failure for an entire online identity. If an attacker can compromise the password on one account, they hold the key to unlock everything.
Recovery is flawed. If a user loses or forgets a password, the traditional method of recovery is asking a series of questions that only the real owner should know. Unfortunately, these are basically additional passwords, and their answers can often be guessed from information about a person that is easily found online. Attackers can also take over accounts through social engineering, which often means exploiting the people (such as support staff) who have access to your account information. Two high-profile cases of this were the thefts of the Twitter identities @N and @mat.
People use weak passwords. Password creation is usually left to users, and we typically do a poor job of creating strong ones. You would be surprised how many people use 1234, love or qwerty as passwords. This makes brute-force attacks effective: an attacker simply tries a short list of the most common passwords against every username.
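The two points above (weakly stored passwords fall quickly once a database is stolen, and common passwords fall to a short guess list) can be shown concretely. The following is an added example, not code from the original article or from Symantec; every username, password and hash in it is constructed inline for the demonstration. It runs a dictionary attack against unsalted MD5 hashes, shows that unsalted hashes reveal password reuse across two leaks without any cracking at all, and then runs the same attack against salted PBKDF2 records to show how much more work the attacker must do.

```python
"""Added example (not from the original article): why leaked password hashes
fall quickly when the storage scheme is weak, and why per-user salts plus a
slow KDF raise the attacker's cost. All usernames, passwords and hashes are
constructed here for the demonstration, not taken from any real breach."""
import hashlib
import hmac
import os

# A short "most common passwords" list, the kind an attacker tries first.
COMMON_PASSWORDS = ["123456", "password", "1234", "qwerty", "love",
                    "letmein", "welcome1"]


def md5_hex(password: str) -> str:
    """Unsalted MD5: a weak storage scheme many breached sites used."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed leak from "site A": username -> unsalted MD5 of the password.
LEAKED_SITE_A = {
    "alice": md5_hex("qwerty"),
    "bob": md5_hex("correct horse battery staple"),
    "carol": md5_hex("1234"),
}

# Constructed leak from "site B" using the same weak scheme.
LEAKED_SITE_B = {
    "alice": md5_hex("qwerty"),          # alice reused her site-A password
    "dave": md5_hex("welcome1"),
}


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed once and compared against every user by lookup,
    so the cost is len(wordlist) hash operations regardless of user count.
    """
    lookup = {md5_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def reused_passwords(leak_a: dict, leak_b: dict) -> list:
    """Unsalted hashes reveal reuse without cracking: the same password gives
    the same digest everywhere, so equal digests across two leaks mark the
    accounts where one break-in unlocks both."""
    return sorted(u for u in leak_a if u in leak_b and leak_a[u] == leak_b[u])


def hash_password(password: str, salt=None, iterations: int = 100_000) -> dict:
    """Hardened storage: random per-user salt + PBKDF2-HMAC-SHA256.

    The salt defeats precomputed lookup tables; the iteration count makes
    every guess cost the attacker the same work it costs the verifier.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Same dictionary attack against salted records. Returns (found, kdf_calls).

    Every candidate must be re-derived per user because the salts differ, so
    work scales with users * wordlist, and each derivation costs `iterations`
    HMAC rounds instead of one fast hash.
    """
    found, kdf_calls = {}, 0
    for user, record in records.items():
        for candidate in wordlist:
            kdf_calls += 1
            if verify_password(candidate, record):
                found[user] = candidate
                break
    return found, kdf_calls


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted(LEAKED_SITE_A, COMMON_PASSWORDS))
    print("reuse visible without cracking:",
          reused_passwords(LEAKED_SITE_A, LEAKED_SITE_B))
    salted = {u: hash_password(p) for u, p in
              [("alice", "qwerty"), ("bob", "correct horse battery staple"),
               ("carol", "1234")]}
    found, calls = crack_salted(salted, COMMON_PASSWORDS)
    print(f"salted PBKDF2 cracked: {found} after {calls} KDF calls "
          f"of {salted['alice']['iterations']} rounds each")
```

Note that salting and a slow KDF do not rescue alice or carol: their passwords are on the guess list, so they still fall, just after more work per guess. Bob's long passphrase survives in both schemes because it is not in the list. The storage scheme limits how fast an attacker can guess; only the password itself decides whether a guess list contains it.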
The good news is that we are starting to see a number of alternatives. Two powerful agents of change: the computers in our pockets, which are a natural extension of our identity and are increasingly integrating fingerprint biometrics to make them even more secure.
In the next article in the series, we will share more about these promising new technology platforms that may lead to the death of the password sooner rather than later.
Want to learn more? Check out Symantec's Vision 2014 slideshow presentation: Getting To A World Without Passwords.