According to Gary Buck, CIO and author of the 18-page e-book "Safe and Secure: Passwords, Security, Privacy, and all that stuff", "Vendors keep promising that passwords are a thing of the past. Apple and Samsung allow fingerprint recognition, Microsoft allow facial recognition in Windows 10. But we will need passwords for some time to come." Unfortunately, Buck is right on this.
The problem is, as IDC UK Research Director Duncan Brown says, "Passwords are inherently insecure, because they are easily guessed or phished, and because they are stored in a file that can be stolen. Take, for example, the cases of Sony Pictures and Ashley Madison."
In fact, compromised passwords are the cause of many breaches that have been reported in the media in the last several years.
Payment information on forty million customers was exposed when Target got hacked in 2013; personal emails and social security numbers were taken from Sony Pictures when they were hacked in 2014; and six hundred thousand Domino's Pizza lovers risked having their pizza preferences revealed when Domino's was hacked in 2014.
Granted, these three companies aren't known for their high-tech prowess. But what's more alarming is when organisations employing the world's greatest engineers get hacked. Over six million LinkedIn accounts were compromised by Russian cyber-criminals in 2012; several celebrities were shocked when their Apple iCloud accounts were hacked and embarrassing photos revealed in 2014; and three million Adobe customers had ID, passwords, and credit card information compromised when Adobe was hacked in 2013.
But in the final analysis, it's not so surprising that even high-tech companies suffer breaches. After all, the problem doesn't always come down to a technical flaw. According to Kevin Mitnick, world-famous hacker and author of the best-selling book "The Art of Intrusion", many IT directors spend a lot of time on things like password length and password aging, when they could gain much more by protecting against social engineering, which is the practice of manipulating people to get information from them.
Mitnick says that when he was a hacker he used a combination of about 50% technical tricks and about 50% social engineering to break into enterprise systems. Mitnick says that the scariest thing is that people who work in the IT department are often the weakest link.
Two examples of how hackers use social engineering are:
· Getting hold of the corporate directory, with phone numbers and indications of who reports to whom. With this information, a hacker can collect secrets through a series of phone calls and apply pressure based on organisational hierarchy.
· Phishing, for example sending an email message asking the recipient to validate a password, is another common technique for getting people to provide information they wouldn't otherwise divulge.