There have been many recent stories of major sites, such as Facebook, being successfully targeted by hackers , who have managed to collect thousands -- if not hundreds of thousands -- of users' passwords and other user-related information. While most sites claim to protect any personal data their users provide, many obviously struggle to fulfil such promises. And what about those that don't even try to take security seriously? When we sign up for a website, we assume basic security measures are in place, most notably that our passwords aren't stored in cleartext, but how do we know?
Passwords are no longer an effective means of authentication on their own.
Such issues put a spotlight on how many organisations need to review and possibly amend their password policies. Let's take a typical employee as an example: This employee is security-conscious and runs a firewall, as well as antivirus and antimalware software on his home computer; he doesn't share his password with anyone. He has several online accounts and is a member of various social networking sites. That's a lot of usernames and passwords to remember, so he uses the same password for all of them. To make life easier, he uses this password to log on to the corporate network too.
The password-protected sites and services he uses all claim to take security seriously and to keep personal details stored securely. But time and again cases occur where usernames, passwords and other personal details are stolen. And what about those sites that look genuine, but are merely a front for harvesting usernames and passwords based on the knowledge that most people use the same combinations for all their accounts? So our careful, security-conscious employee has unwittingly given up his logon credentials for your network and its resources to a variety of untrusted and trusted -- but not necessarily secure -- third parties.
This is the reason why network password security policies should state that network passwords can't be the same as those for personal use. This is hard if not impossible to enforce, but changes to password requirements can make it more likely, as well as make users more aware of the dangers of using a single password for multiple accounts. Most people use a password of six characters, which may include one number, but few use non-alphanumeric characters. By forcing your network users to follow password policy best practices that require eight or more characters and the inclusion of at least one numeral and one non-alphanumeric character, you reduce the chance of an employee using the same password they use for their personal sites.
I agree that this is hardly what enterprises would call a robust solution to the problem of lax password management, but it's a start. Passwords are no longer an effective means of authentication on their own. Authentication is the key to who gets to do what, and any network that has valuable or sensitive information should really be moving to two-factor authentication to avoid being compromised by password leakage. To resist trivial compromise of non-trivial data, authentication must be strong.
Organisations that require staff to carry an ID card should look at upgrading those cards to tokens for use in two-factor authentication. This would provide a centralized means to establish and enforce access policies for both physical and logical resources, greatly reducing the risks and costs associated with stolen passwords, as well as blending in with a system employees are already accustomed to.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.