Tom Pendergast, chief strategist, Security, Privacy & Compliance, at MediaPro, said organizations can and should have much more rigorous password policies. “Current policies set the bar far too low for complexity in passwords and don’t require multi-factor authentication, acknowledged as the best commonly-available solution,” he said.
Lanier agreed. “There are some really awful organizations, sites or services that can’t seem to move past the year 1998 with authentication,” he said.
“Things like not allowing certain characters, or limiting the length of the password to something ridiculously low, all because the developers, database admins, and/or designers are using outdated or deprecated mechanisms.”
Pendergast said he sees the same thing. “There is plenty of existing technology designed specifically to prevent users from repeating passwords, using common passwords, and enforcing password rules. A surprising number of companies don’t use these basic password reinforcement functions,” he said.
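As an added illustration of the points Lanier and Pendergast raise (no arbitrary character or length restrictions, rejection of common and reused passwords), here is a defender-side acceptance check in Python; it is not from the article or its interviewees, and the denylist, length bounds and PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample denylist; a real deployment would load a breached- or
# common-password corpus instead of this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12    # a floor only; long passphrases are encouraged
MAX_LENGTH = 256   # generous sanity cap so hashing cannot be abused, not a usability limit
PBKDF2_ROUNDS = 100_000  # assumed work factor for stored history hashes


def normalize(password: str) -> str:
    # Accept any Unicode text (spaces, accents, symbols); normalize so that
    # visually identical inputs compare equal. Nothing is stripped or forbidden.
    return unicodedata.normalize("NFKC", password)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    # Salted PBKDF2-SHA256 from the standard library, used to keep a reuse
    # history without storing plaintext. Returns (salt, digest).
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history: list) -> bool:
    # Re-derive the candidate under each stored salt; constant-time compare.
    pw = normalize(password).encode()
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: list) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if matches_history(pw, history):
        problems.append("reuses a previous password")
    return problems
```

Note that the policy never rejects a password for the characters it contains; a passphrase with spaces or accented letters passes as long as it is long enough, uncommon and new to the account.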
And Lanier noted that “password managers are, of course, a huge boon for generating complex passwords without the fuss of having to remember them or write them on a sticky note. This at least reduces the risk that a person might serialize their password choices. Certainly not a panacea, but for the average person, it’s a great idea.”
Still, as McDowell noted, even rigorous passwords can’t compensate for a person being fooled by a skilled attacker. “Many times, passwords are simply given away in a phishing or social engineering attack,” he said. “I saw a recent stat from the SANS Institute that 95% of all attacks on enterprise networks are the result of successful spear phishing.”
All agree that the weaknesses of human nature mean it would be better to move beyond passwords. But, as McDowell notes, human nature also requires that whatever replaces passwords must be “easier to use than passwords alone.
“User experience is going to win over security every time, so the key to building a secure password replacement system is to build ease of use into its foundation,” he said.
Until then, Lanier said, organizations should, at a minimum, not rely on passwords alone.
“At the very least, if/when that poor password gets cracked or guessed, two-factor authentication raises the bar for the attacker,” he said.