Opinion

What’s in a password? Your staff may as well broadcast credentials to the world

“What’s in a name?” is the oft-mentioned and overly famous line muttered passionately by Shakespeare’s Juliet Capulet to her star-crossed lover Romeo Montague.

A name is an artificial and meaningless convention, she says; she loves the person who is called “Montague,” not the Montague name and not the Montague family.

Really, what is in a name? Would a rose or dirt or a soliloquy do the same thing if each contained a different name?

What about “password”? Is a password nothing more than a name or number of meaningless characters truncated on the screen and required to “ensure” the safety of the user?

Or, are passwords merely artificial and meaningless conventions, like names, which Shakespeare so eloquently romanticised? 

Can these “names” (password combinations) put network security at risk? According to a somewhat recent (2011) report, passwords of employees are highly predictable, and, frankly, pretty easy to breach. The “names,” therefore, are pretty easy to guess. 

Thus, unfortunately, only one per cent of employee passwords are random sequences that truly carry the moniker of their namesake: a true password. Most workers simply pick relatively easy alphanumeric combinations that are habitual to them or easy to remember, and pretend they are passwords.

They might as well broadcast their credentials to the world, for all the effort they put into creating them. In layman’s terms, most people use the same passwords for many, many user accounts, and these can easily be deciphered.

Therefore, the “passwords” they use are little more than bits of easily digested information that only claim to be a password in name alone; they are usually meaningless, of little good. As such, they place a network’s security at risk. 

Though it may be startling, millions (probably billions) of passwords exist merely as straw men. They divert the argument from the real problem and cover up the fact that most users have passwords simply to solve the problem of producing some name or term to get what they want out of the systems they must access. Proof of this is that a whopping 14 per cent of passwords found are as basic as a first name and surname combination, e.g. JohnSmith.

Taking a look at a more recent government survey, from October 2014, three quarters of Britons, for example, use passwords that are not secure, including their pet’s name, their own place of birth or something related to a favourite sports team.

The findings showed the most popular passwords are “Password” and “123456.” Not real passwords in the definition of the term.

This data varies little from the 2011 data, which stated that eight per cent of passwords contained place names, mostly the area where the person lived or was born (“LondonUK”); 14 per cent of passwords were purely numeric and in some cases consisted of consecutive numbers (“12345”); and 25 per cent of passwords were plain dictionary words (“computer”).

Another eight per cent or so were made up of keyboard patterns, short phrases, words taken from the email address and repeated words (asdf, myblackcat, @apple, redred).

Simply put, don’t do this.

Use different passwords across sites, and ensure that each of them contains different characters and they are not easily guessed. 
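The weak patterns the surveys above describe (common passwords, numeric-only and consecutive digits, dictionary words and phrases, keyboard patterns, repeated words, place names, name combinations, words lifted from the email address) can be screened for automatically at password-change time, and password reuse across sites can be spotted from a credential inventory. The following Python checker is an added example, not code from the article or from Tools4ever; its word, name and place lists are tiny constructed stand-ins for the full dictionaries, name lists and breached-password corpora a real deployment would load.

```python
"""Flag the weak-password patterns described in the 2011 and 2014 surveys.

Added example, not from the original article. All lists below are small
constructed stand-ins; a production check would load full dictionaries,
name lists and breached-password corpora instead.
"""
import re

COMMON_PASSWORDS = {"password", "123456", "12345", "qwerty", "letmein"}
DICTIONARY_WORDS = {"my", "computer", "apple", "black", "cat", "red", "summer"}
PLACE_NAMES = {"london", "manchester", "leeds", "uk", "england"}
FIRST_NAMES = {"john", "jane", "robert", "alice"}
SURNAMES = {"smith", "jones", "doswell", "brown"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
DIGIT_SEQUENCE = "0123456789"


def _segment(s, words):
    """Return a list of words from `words` that exactly tile `s`, or None.
    Dynamic programming over prefixes: best[i] is a tiling of s[:i]."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                best[i] = best[j] + [s[j:i]]
                break
    return best[len(s)]


def _has_run(s, sequence, min_len=4):
    """True if s contains min_len adjacent characters of `sequence`, in either direction."""
    for i in range(len(sequence) - min_len + 1):
        chunk = sequence[i:i + min_len]
        if chunk in s or chunk[::-1] in s:
            return True
    return False


def _repeated_token(s):
    """True for strings such as 'redred' that are one token repeated two or more times."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return True
    return False


def assess_password(password, email=None):
    """Return the list of weakness categories the password matches (empty if none)."""
    findings = []
    lowered = password.lower()
    alnum = re.sub(r"[^a-z0-9]", "", lowered)  # '@apple' is judged as 'apple'

    if alnum in COMMON_PASSWORDS:
        findings.append("common-password")
    if alnum.isdigit():
        findings.append("numeric-only")
    if _has_run(alnum, DIGIT_SEQUENCE):
        findings.append("consecutive-digits")
    if any(_has_run(alnum, row) for row in KEYBOARD_ROWS):
        findings.append("keyboard-pattern")
    if _repeated_token(alnum):
        findings.append("repeated-word")

    words = _segment(alnum, DICTIONARY_WORDS)
    if words:
        findings.append("dictionary-word" if len(words) == 1 else "dictionary-phrase")
    if _segment(alnum, PLACE_NAMES):
        findings.append("place-name")
    names = _segment(alnum, FIRST_NAMES | SURNAMES)
    if names and len(names) == 2 and names[0] in FIRST_NAMES and names[1] in SURNAMES:
        findings.append("name-combination")

    if email:  # words taken from the local part of the user's own email address
        local_part = email.split("@", 1)[0].lower()
        if any(len(t) >= 3 and t in lowered for t in re.split(r"[._+-]", local_part)):
            findings.append("email-token")
    return findings


def reused_passwords(passwords_by_site):
    """Map each password shared by more than one site to the sorted list of those sites."""
    sites_by_password = {}
    for site, pw in passwords_by_site.items():
        sites_by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed samples mirroring the examples quoted in the surveys above.
    for sample in ["JohnSmith", "LondonUK", "12345", "computer", "asdf",
                   "myblackcat", "@apple", "redred", "Password", "Wq7!pLm2#xTz"]:
        print(f"{sample:14} {assess_password(sample)}")
    print(assess_password("alice.jones2014", "alice.jones@example.org"))
    print(reused_passwords({"mail": "Summer2014", "bank": "Summer2014", "hr": "x9!Qf"}))
```

Every finding is a pattern a complexity rule alone would let through: “@apple” and “Password” satisfy typical mixed-case or symbol requirements, yet both sit in a guesser’s first few attempts. The reuse check is the inventory-side counterpart of the advice to use a different password on every site.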

The results of these and other surveys provide concerning insight into how easily networks can be breached even when password complexity rules are put in place by system administrators.

These results also highlight the increasingly important role that identity and access management solutions are now playing in protecting businesses and organisations of all types against these risks, brought on by their employees and poor password protocols. 

As organisations continue to seek ways to pass on the password, they are beginning to find the value in enterprise solutions that can better, and automatically, manage these issues. For example, two-factor authentication requires securing the primary login using a pass card or biometrics.

Thus, users log in by presenting a pass card or biometric to an electronic reader and entering a PIN code rather than the standard username and password. Combining a pass card or biometric with a PIN code gives much stronger authentication, minimising the possibility of a network breach.

Or, still other solutions simplify the process further by deploying an enterprise single sign-on manager that offers full integration with all common two-factor authentication readers, proximity-based devices and RFID readers.

One login means employees need to log in to only one account; all the others are opened as needed during the session. And before you suggest that one password is less secure than many, remember that the more passwords people have to remember, the more likely they are to write them down and store them near their computer. With only one credential to remember, people are less likely to store it insecurely.

In such a case, the password will really be a password, in more than name, indeed.

Robert Doswell is managing director of Tools4ever UK, part of the worldwide provider of identity and access management solutions.
