The jury is out on whether Edward Snowden deserves amnesty or jail time, but what isn’t up for debate is the fact the agency’s reliance on passwords meant that Snowden, a contract administrator, was able to dupe employees out of crucial information -- information that allowed him to access tens of thousands of confidential documents simply by asking for it. Between 20 and 25 NSA employees willingly gave up their usernames and passwords after Snowden told them he needed the information to do his job, according to Reuters. While this story highlights a major security breach at a national organization, it also shows how passwords protection at any company can be dangerous
Here are five reasons why it’s time to let go of the password as your first line of defense against data infiltration.
1. Password resets are the most common help desk request – and they are costly. Your IT department may look busy solving complex technical dilemmas but anywhere from 20 to 50 percent of all IT calls are for password resets, according to Gartner research. Research group Info-Tech estimates that enterprises spend $70 per call and $118 per user every year on password-related support and lost productivity. While these numbers will vary across organizations, the more complex your password policies are, the more calls to IT your support team is likely fielding. For employees, a forgotten password means frustration and wasted time. For technicians, password resets are time-consuming and dull.
2. It is not that hard for the super hacker to break into your company's files. The reason? Eighty percent of security breaches are caused by weak passwords, according to Trustwave’s 2013 Global Security Report. And yet, the most common password used by global businesses is still “password1.” Complicating the issue is the fact that workers don’t eschew network security out of apathy or ignorance. Rather, as this Microsoft Research Report shows, they do so because, when it comes to effort, choosing basic passwords makes the most economic sense.
But weak and recycled passwords are a boon for would-be hackers and identity thieves. Once hackers de-encrypt a user’s password, it’s easy for them to try logging into other sites and applications. If an employee registers for a hacked service with the same email address and password he or she uses at work, the negative repercussions for your business can be enormous.
3. A majority of IT security techs don’t understand cloud security. An astounding 89 percent of the global information security workforce lacks a comprehensive understanding of cloud security. Though using the same password across all of one’s accounts poses a serious security risk, a 2013 survey showed that 83 percent of the tech security officers surveyed did just that.
The complexity of cloud-based file sharing services makes worthwhile safety measures difficult to develop and enforce. Meanwhile, scattered global workforces comprised of full-time employees, independent contractors and outsourced support mean the potential for data infiltration increases every day. A Microsoft Research Report shows that employees will log in to various accounts, on average, eight times a day, often with the same or similar passwords.
4. Forcing employees to constantly change passwords doesn’t make data safer. Studies by McAfee and Norton show that more than 40 percent of users simply write passwords down or store them in a simple, easily accessible text file -- leaving accounts highly vulnerable. Even requiring employees to change their passwords every 90 days doesn’t do much to reduce your security risk. As this UNC-Chapel Hill study demonstrates, a significant percentage of updated passwords can be broken from an old password in less than three seconds. Often, all a hacker needs to discover a newly updated password is a means of guessing the original key, something that’s becoming easier and easier to do thanks to free open source software readily available on the web.
5. The federal government already made its mistakes -- so you don’t have to. No matter what side of the debate you fall on when it comes to whistleblowers, chances are you’re not keen to find one inside your own ranks. Angry employees with access to sensitive information can cost companies money, time and their hard-earned reputations.
So how should you make your data secure? A shift away from password security does not have to be difficult and stands to benefit employees and employers alike. Two-factor authentication systems like Google’s U2F replace all passwords with a single four-digit pin number and hardware that fits into a computer’s USB port. Other options, like single-sign-on, do away with the need to remember new passwords for every account. An increasing number of web-based applications are allowing companies to use a token-based authentication standard called SAML, effectively removing the need for a username and password.
There are also interim steps that you can take to add security to applications that still require traditional usernames and passwords. These include setting strong policies for passwords (such as requiring long passwords with diverse character sets), using unique passwords for each account, never sharing passwords and using tools that help support these best practices. Turning on two-factor authentication in all applications that support it helps secure access to applications and the underlying data.
In the long run passwords will eventually go away. There is a difference between your identity (who you are) and your access (what you can use). We are already seeing increased competition to be the primary identity provider in both personal and corporate settings as companies start to realize this shift. Once the identity is verified in this way then secure, federated access to applications with or without passwords becomes possible. Companies and individuals will start to have choices regarding how they want to verify their identity.
With contribution by Sarah LaBrie of Hippo Reads