17 April 2015

Would your employees sell their company passwords?

We have too many passwords, it is tough to remember all of them, they are not as secure as we would hope (regardless of how ‘strong’ they are) and it costs IT helpdesks a small fortune to handle the constant stream of reset requests. These are all familiar pain-points of the password, but if a new survey is to be believed it would seem that organisations need to watch their back, as one in seven employees are willing to sell their passwords for as little as $150.

This was the finding of a global survey conducted by the identity management company SailPoint earlier this year. It says two things to me. The first is that organisations need to better educate their employees about the ramifications of a security breach, as I am sure many people are naïve about what a determined criminal can accomplish with a single password. The second is that if people can be tempted to disclose their password for such a relatively small sum of money, we as security professionals need to take a close look at how we can remove the temptation.

It is often said that the human factor is the weakest link in the security chain. So clearly, the most obvious way to stop corporate passwords being sold is to remove the need for people to have them in the first place. After all, if you don’t have it you can’t sell it! You may say “Easier said than done”, but in truth it is simple.

The ubiquity of passwords has for too long made IT departments and security professionals wary of replacing them. This is coupled with the fact that the available alternatives, such as biometrics, have come with hefty price tags, challenging roll-outs and resource-intensive management. However, new solutions such as PINgrid are taking the elements of password-based security that work well and replacing those that don’t.

So, if you are an employee you still log in using a passcode, but it is a one-time code generated from a pattern that you have memorised within a simple grid (either displayed on-screen, or via an app on a mobile device). Of course an employee could sell their pattern, but it would be worthless on its own, because the digits the grid shows change each time, so the code read off the pattern is never repeated in the same sequence. Therefore, they would also have to sell their device along with it, and I don’t know anyone who would be willing to be parted from their phone (whether their own device or a corporate-owned one) for a few minutes, let alone sell it (apps intact) to a total stranger!
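The grid-and-pattern scheme described above, as an added illustrative model and not Winfrasoft's PINgrid code: the grid digits are derived from a secret held by the user's device (and the server) plus a per-login counter, the memorised pattern picks cells out of that grid, and the server checks the resulting code. The grid size, the device secret and the pattern are constructed values assumed for the demo.

```python
import hashlib
import hmac

GRID_SIDE = 6  # assumed 6x6 grid of digits; not PINgrid's real layout


def derive_grid(device_secret: bytes, counter: int) -> list[int]:
    """Derive the digits shown for one login from the device secret and a
    counter; without the secret nobody can predict what the grid will show."""
    cells = GRID_SIDE * GRID_SIDE
    digits: list[int] = []
    block = 0
    while len(digits) < cells:
        msg = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        mac = hmac.new(device_secret, msg, hashlib.sha256).digest()
        digits.extend(b % 10 for b in mac)  # mod-10 bias is fine for a demo
        block += 1
    return digits[:cells]


def code_from_pattern(grid: list[int], pattern: list[int]) -> str:
    """Read the one-time code: the digits sitting under the memorised cells."""
    return "".join(str(grid[cell]) for cell in pattern)


class GridVerifier:
    """Server side: holds the device secret (what you have) and the pattern (what you know)."""

    def __init__(self, device_secret: bytes, pattern: list[int]) -> None:
        self.secret = device_secret
        self.pattern = pattern
        self.counter = 1

    def verify(self, submitted: str) -> bool:
        expected = code_from_pattern(derive_grid(self.secret, self.counter), self.pattern)
        if hmac.compare_digest(expected, submitted):
            self.counter += 1  # this grid is spent; a replayed code meets the next grid
            return True
        return False


# Constructed sample values: a device secret and a memorised diagonal pattern.
SAMPLE_SECRET = b"constructed-demo-secret-not-for-real-use"
SAMPLE_PATTERN = [0, 7, 14, 21, 28, 35]  # top-left to bottom-right diagonal

if __name__ == "__main__":
    server = GridVerifier(SAMPLE_SECRET, SAMPLE_PATTERN)
    for login in range(1, 3):
        grid = derive_grid(SAMPLE_SECRET, login)  # what the app shows the user
        code = code_from_pattern(grid, SAMPLE_PATTERN)
        print(f"login {login}: pattern -> {code}, accepted={server.verify(code)}")
```

Running it shows the same memorised pattern producing a different code on each login, which is why a sold pattern is useless without the device that derives the grid.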

Author: Alissa Lang, Winfrasoft