As an IT security professional, it comes as no surprise to me that when the word "password" is typed into Google, the second-most-common predictive search result is "Password Cracker".
Whether these are being used for legitimate or more underhand purposes, there is no doubting the prevalence of these tools, and their apparent ease of use is worrying.
There is also no lack of resources when it comes to lessons on how to use these tools. You only need to search sites such as YouTube or eHow.
Password cracking is just one method of obtaining a password, but the unauthorised obtaining of passwords is by far the most common cause of a successful hack.
So what is the problem with passwords, and why should I care if somebody has my password? I don't have anything worth looking at. Well, this is not necessarily the problem; once somebody has your password they are effectively you, which, from my perspective, can cause several problems.
They will now have your access rights to any data on your systems. If you work in HR, they could effectively view payroll information for all employees. I have seen salary information leaks before and they are not pleasant.
Whilst this is pretty serious, there is also the risk that anybody with your password could effectively disguise themselves as you whilst carrying out further hacks on sensitive systems, trafficking in child pornography or becoming part of a huge botnet, sending out thousands of spam emails.
Passwords tend to be:
- Easy to guess
- Hard to remember and therefore written down
- Easy to steal
- Difficult to audit
So what can we do about these problems with passwords? Well, ideally we would like to use a reasonably complex One-Time Password (OTP). This is a password that is valid for only one session and is then discarded; it cannot be used again. This means that if a potential intruder did actually manage to record the password, it would be of absolutely no use to them, as it is no longer valid.
There are 2 main problems with this:
- Complex OTP passwords are difficult for people to remember.
- Password management overhead. This would be akin to changing a user's password every time they log in.
To resolve these issues we need to implement some technology to help. This is where a 2-factor authentication system comes into play. 2-factor authentication systems generate a unique OTP for every login session, using something the user has and something they know. This can be compared to having a bank cash card and a PIN, but in our case the 'something' the user has is generally a token of some sort, such as a mobile device or keyfob, which completes the OTP.
As users demand more and more flexible working, it is IT's responsibility to keep things secure.
I am a big fan of keeping things simple and relieving the burden on the IT department, allowing them to get on with the value-creating (and, let's be honest, more fun) work rather than increasing their workload. In my experience over the last few years, 2-factor authentication systems have become much cheaper and much easier to deploy, so many of the excuses for not deploying this technology have gone away.
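To make the "unique OTP for every login session" idea concrete, here is a small worked example (added to this post; it is not the author's code and does not describe any particular product). It implements the standard HOTP/TOTP construction from RFC 4226 and RFC 6238: the token and the server share a secret, the token derives a short code from that secret plus the current 30-second time step, and the server accepts each time step only once, so a code that an intruder records and resends is rejected. The secret and timestamps are constructed demo values (the RFC test-vector seed), and the `OtpVerifier` class and `demo_replay` helper are names chosen for this example.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the ASCII seed used in the RFC 4226/6238 test vectors,
# NOT a value anyone should reuse. Real deployments generate a random secret per
# user and store it only on the token and the authentication server.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current time step."""
    return hotp(secret, at_time // step, digits)


class OtpVerifier:
    """Server side of the 'something you have' factor.

    Accepts the code for the current step (plus one step either side to
    tolerate clock drift) and remembers the highest step already consumed,
    so a recorded code cannot be replayed in a later login attempt.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_step_used = -1

    def verify(self, code: str, at_time: int) -> bool:
        current = at_time // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            # Any step at or below the last accepted one is a replay: refuse it.
            if candidate <= self.last_step_used:
                continue
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_step_used = candidate
                return True
        return False


def demo_replay() -> tuple:
    """Show one session's OTP being accepted once, then rejected when replayed.

    Returns (first_attempt, replay_attempt, later_fresh_code_attempt).
    """
    verifier = OtpVerifier(DEMO_SECRET)
    t0 = 59  # constructed fixed timestamp so the run is deterministic
    code = totp(DEMO_SECRET, t0)
    first = verifier.verify(code, t0)             # genuine login: accepted
    replay = verifier.verify(code, t0 + 5)        # same code resent seconds later: refused
    later = verifier.verify(totp(DEMO_SECRET, t0 + 120), t0 + 120)  # fresh code, later step: accepted
    return first, replay, later


if __name__ == "__main__":
    print(demo_replay())  # (True, False, True)
```

The point the post makes follows directly from the code: because the counter moves on every 30 seconds and the verifier refuses any step it has already honoured, knowing one session's code gives an intruder nothing for the next one, which is exactly the property a static password lacks. A real server would also need to persist `last_step_used` per user and rate-limit guesses, since a six-digit code is small enough to brute-force if unlimited attempts are allowed.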
If you would like to contribute any experiences or alternatives please add a comment below.