28 October 2014

Passing Comment on Passwords (Part Four)

A recent article in The Telegraph reported that this year 110 million pieces of data have already been illegally sold, representing a 300 percent rise since 2012. This data mostly consists of login credentials, essentially meaning username and password details.

Of course, the same advice is wheeled out, encouraging everyone to be more diligent and to change passwords more frequently. But personally, I do not have a free evening every two weeks that I can dedicate to changing every password on every online account I have! Meanwhile, Facebook is busy scouring the web to try and find out if our details have been compromised. But I would prefer it if efforts were focused on stopping it happen in the first place.

Asking people to regularly change passwords just isn’t feasible and we should have learnt by now that the majority of us just won’t do it. Even, if everyone did change their passwords regularly at best it would possibly reduce the ‘quality’ of the data being bought and sold.

Speaking at the Information Security Solutions Europe (ISSE) conference in Brussels last week the Head of European Cybercrime Centre (EC3), Troels Oerting, commented that most of the people who go online do not have a clue what they are getting in to and someone needs to protect them. Meanwhile, the former Cyber-Security Coordinator of the Obama Administration, Howard Schmidt, advised that we need better security to have less victims, but this makes it harder for people to do their jobs.

A recurring theme at the conference was the fact that still cybercrime has the potential to deliver high profit and at low risk of being caught, especially as much of it is conducted across national borders. So, all the while login credentials are easy pickings there is no reason to expect this to change. The positive feedback I can report is that there is much consensus among security professionals that we must move away from passwords, with recognition for initiatives such as the FIDO Alliance (of which Winfrasoft is a member) that is  working to balance improved security with user convenience. So, now the debate has moved on to how to achieve it.

 Adding layers of security is one approach and this week Google has been introducing its new security key, which is essentially a hard-token for 2FA. However, I suspect it won’t be on many peoples Christmas lists for two reasons. The first is that it is a token and that means I will need to carry it around with the other tokens I already have on my key ring. The second issue I have is that is it a USB and neither my smartphone or my tablet (the two devices that I tend to use the most for going online) have USB ports.

I agree that adding layers of complexity is important to thwart cybercriminals but if you make it more complex for the user then you end up with paralysis. So, as smartphones and tablets have become ubiquitous it is these devices that I strongly believe hold the key (as opposed to the key ring token!). Placing the token on to these devices adds convenience, as you always have it with you. Then, if you remove the need for the user to remember password and the requirement for the organisation to store it, in my book you have a winning solution.

To find out how this works in practice take a look at PINgrid: www.pingrid.com

Author: Alissa Lang, Winfrasoft

1 comment: