The weaknesses of passwords used for authentication and authorization are well known. In fact, many security experts feel that using a password as the only means of accomplishing these goals constitutes a “worst practice.”
As a result, some higher-risk entities (banks, governments, etc.) are implementing various forms of two-factor authentication, such as tokens or smartcards.
But for the vast majority of systems that users interact with, the password remains the only authentication method used. This situation is what makes phishing so lucrative: get the user to divulge their password and you’re in business.
But the problem is even worse. Often it isn’t even necessary to obtain the password, because passwords are so easy to guess: they are short and easy to remember, such as children’s names, pets’ names or favorite sports teams.
This problem is compounded by the fact that people will often use the same password for most or all of their accounts. They do this because the average person interacts with a dozen or more sites, each of which requires a password.
This is especially problematic because hackers know this, and if they can get a password from one site such as Gmail, it will work on many others, particularly banks or the user’s workplace.
So what can be done about the situation?
On the institutional side, implementing two-factor authentication, while not foolproof, would certainly improve the situation. If so, why don’t we see more of this? The first reason is cost. While individual tokens may not be very expensive, thousands or tens of thousands of them are, as is the server hardware to support them. The second reason is support costs: staff are needed to assist confused users or replace tokens. The third reason is convenience. Companies are afraid that making it more difficult to do business will drive customers away, although customers of financial institutions are becoming more accepting of the need for improved security.
Another action institutions can take is to remove restrictions on passwords. If the user wants to use special characters, let them. On the other hand, enforcing complex password rules is self-defeating because the user will simply write the complex password on a sticky note kept by the computer.
On the user side, pass phrases offer promise because they can be easy to remember but hard to guess. For example, the user could make a password from the first letter of each of the first eight words of their favorite song, with the last four letters indicating the site. So, for example, my song could be the Star Spangled Banner. Thus, my key would be “Oscybtde”, which is from “Oh Say Can You See By The Dawn’s Early.” Then for Amazon.com I would have “OscybtdeAMAZ”. For Paypal I would have “OscybtdePAYP”. Of course, for this to work, the sites would have to allow, but not demand, 12-character passwords.
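The derivation just described, as an added worked example (not the author’s code): it builds the per-site password from a remembered line and a site name, checks the result against a site’s length limits, and measures how much of two such passwords is identical. The lyric and site names are the article’s; the length limits in the checks are assumed.

```python
import string


def derive_password(lyric: str, site: str, words: int = 8, tag_len: int = 4) -> str:
    """Apply the article's rule: the initial of each of the first `words` words
    of the remembered line (first letter upper case, rest lower), followed by
    the first `tag_len` letters of the site name in upper case."""
    # Strip surrounding punctuation so a word like "Dawn's" still yields "D".
    tokens = [w.strip(string.punctuation) for w in lyric.split()]
    tokens = [w for w in tokens if w]
    if len(tokens) < words:
        raise ValueError(f"need at least {words} words, got {len(tokens)}")
    base = "".join(w[0] for w in tokens[:words]).capitalize()
    # Only letters go into the site tag, so "Amazon.com" becomes "AMAZ".
    tag = "".join(c for c in site if c.isalpha())[:tag_len].upper()
    if len(tag) < tag_len:
        raise ValueError(f"site name {site!r} is too short for a {tag_len}-letter tag")
    return base + tag


def fits_policy(password: str, min_len: int, max_len: int) -> bool:
    """True if a site's (assumed) length limits accept the derived password.
    The article's caveat: the site must allow, but not demand, 12 characters."""
    return min_len <= len(password) <= max_len


def shared_prefix_length(a: str, b: str) -> int:
    """Number of leading characters two passwords have in common; for this
    scheme everything but the site tag is shared across every site."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    line = "Oh Say Can You See By The Dawn's Early"
    amazon = derive_password(line, "Amazon.com")
    paypal = derive_password(line, "Paypal")
    print(amazon, paypal)
    print("accepted by an 8-12 char policy:", fits_policy(amazon, 8, 12))
    print("accepted by an 8-10 char policy:", fits_policy(amazon, 8, 10))
    print("characters shared between sites:", shared_prefix_length(amazon, paypal))
```

Run against the article’s nine-word line, the rule yields “Oscysbtd” rather than “Oscybtde”: the article’s key omits the initial of “See”. The shared-prefix count shows that only the final four characters differ between sites, which is the caveat behind “not foolproof”.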
It’s certainly not foolproof, but it’s a good start.