Stop Using Passwords…Until You Understand the Risks
We all use passwords to access and protect sensitive online data—whether it's logging onto the network at work, shopping for goods on the web, or accessing personal email. Passwords are a basic function of the way we work, live, and socialize; yet as anyone who has had an account hacked can tell you, password protection is far from perfect.
With personal data playing an ever-larger role in the way we do business, current password functionality is in need of an overhaul. If you're looking for a better way to secure your personal and professional data, here's what you need to know.
The problem with hashing
In theory, passwords should work: if someone doesn't know your password, they shouldn't be able to log into a site or an account as you. Unfortunately, outdated storage methods and a lack of universal best practices have made it increasingly easy for hackers to get their hands on your passwords—and your data.
Each time you register a password with a website or service, that organization needs to store your password somewhere in order to authenticate your identity later. Some organizations store your password as plain text, which leaves you and your data extremely vulnerable if the sites' password lists are accessed by unauthorized users or hackers. Security-minded sites take pains to create a protected version of your password known as a “hash,” dicing up your password into small pieces and rearranging the pieces so that they no longer resemble the original. In this case, when you re-enter your password, it goes through a hashing function where the result is compared to the stored hash for verification.
The thought behind password hashing is that if hackers manage to breach a website or online service, they won't be able to steal users' intact passwords. Instead, the hackers will be left with difficult-to-crack hashes that are either unusable or take a very long time to reverse engineer into passwords. However, with the rise of powerful, off-the-shelf components such as modern graphics cards and lists of pre-generated hashes for short passwords, hackers can easily reverse engineer passwords.
A modern high-end graphics card, for example, can easily perform more than 600 million SHA256 hash operations per second. A few of these relatively inexpensive cards arranged in an array can try every possible eight character password in about seven days. While that's impressive enough already, attackers have far more advanced ways to crack hashes, and with the right tools they can crack hundreds of passwords per hour.
“Online sites are aware of these issues,” explains Jim Waldron, Senior Architect for Platform Security at HP, “and so some of them have increased the security by adding secret questions and answers like: ‘What is your mother's maiden name?' Unfortunately, much of this ‘private' information can be legally purchased from online data aggregators.” In other words, even users' private personal information is no barrier to a determined hacker.
The problem with best practices
To make the situation worse, once a hacker obtains a user's password, they can use this information to try and access the rest of the user's online accounts—such as their email or bank accounts. The reason for this is that most consumers—and businesses—skirt password best practices.
A secure password should adhere to three basic rules:
- It should be long—at least 16 characters[1]
- It should be complex—containing uppercase letters, lowercase letters, numbers, symbols, and spaces
- It should be unique—i.e. you only use it once
You're probably familiar with at least a few of these rules. Many password systems require users to create passwords of a certain length and complexity, but the resulting passwords are hard to remember and many users recycle the same password multiple times. In fact, 54% of consumers use five or fewer passwords across their entire online life, while 22% use three or fewer.[2]
So what's next for passwords?
With all these issues, combined with an increasing number of high-profile online data breaches, the public is losing faith in passwords. Nearly 70% of consumers report lacking a high degree of confidence that their passwords can adequately protect their online accounts—and they're calling on online organizations to add another layer of security to the process.2
“At a very high level,” says Waldron, “what we need are new, more secure methods for users to identify themselves to online services—methods that are also easy for users to perform.” While broad changes will take time and a large joint effort, there are some immediate actions businesses can take to improve their own authentication methods.
Passwords are still an important security feature, despite their many problems. Check the strength of your passwords—make sure they are long, complicated, and never repeat. If you own an HP business PC, you already have access to HP Password Manager (part of the broader HP Client Security Suite) which can store your unique passwords for you. This is an efficient way to eliminate the headaches normally associated with remembering complicated passwords across multiple sites. You can also try to institute several layers of authentication at once—such as a fingerprint reader plus a password, or an iris scanner plus a smartcard reader. This is known as multi-factor authentication and is much more secure than any one method alone.
[2] Telesign, Telesign Consumer Account Security Report
