From an authentication perspective, the basic principle behind a lock and key system is simple — only the person in possession of the right key will be able to gain access to the treasure hidden behind the lock. The modern day password is built on the same premise, where users' accounts are protected by unique passwords that are personal and private, which only users have knowledge of.
However, with the password system constantly under attack by cybercriminals, security vendors and providers all face the same challenge: when it comes to passwords, how do we balance the need for convenience against complexity, to provide users with the seamless experience that they demand?
In Singapore a password system used by many is SingPass, which citizens can use to access numerous government portals. SingPass works by using an individual's identification number, or NRIC, as a username to which they can create their own password. However, while each person's NRIC number should be confidential, the importance of safeguarding this personal data is often overlooked — by both consumers and businesses. In a recent case, hackers broke into a karaoke company's membership database and stole the personal details of hundreds of thousands of customers, before sharing them online for anyone to download.
With customer details such as NRIC numbers exposed, attackers only need to guess the password to gain access to a user's account. This could be done through brute force attacks, where attackers will try every possible combination of a password until they 'guess' the right one.
The effectiveness of such attacks are limited to sites that do not enforce a strict number of password attempts within a short period of time, or have a fixed format, but it still demonstrates the ease through which some password systems can be compromised. In addition, as the format of the NRIC number is known, attackers can still craft their own list of valid NRIC numbers and guess the passwords to gain access to users' accounts. If weak passwords were used, even enforcing a strict number of password attempts within a short period of time may not be an effective counter-measure at all.
Adopting multi-factor authentication techniques such as one-time passwords or iris and fingerprint scanning may provide alternate safeguard methods, but at times they may not be the safest options. The solution to protecting valuable information lies in users' behaviour, which is ultimately how we can prevent our personal online assets and identities from being compromised.
Here are a few best practices that users should follow to improve their security odds:
- Use unique passwords for each individual site you visit — a password manager, such as Norton Identity Safe, can help to securely store your passwords for online services.
- Avoid common passwords and use a mix of upper and lowercase alphabets, numbers and special characters — some websites even allow unique characters in multiple languages.
- If you suspect that your information has been compromised, change your password — it's also best to change your passwords regularly. Do not recycle old passwords!
- Where available, use two-factor authentication — Symantec's Validation and ID Protection (VIP) Service allows businesses to use two-factor and risk-based token-less authentication.
The bottom line is that we need to avoid a complacent mindset and make sure that we install proper security protection and develop positive safety habits, to prevent the loss or stealing of our personal information.
Sign up for CIO Asia eNewsletters.