The increasing number and complexity of passwords in the enterprise is pushing employees to use the same easy-to-remember password for multiple systems. And the increased availability of information about people on social networking sites is making it easier for criminals to guess these passwords, Chatterjee told Infosecurity.
“When people have lots of things to remember, they regress down to something simple”, he said.
The number and complexity of passwords are placing burdens on enterprise help desks, as 30% to 50% of help desk calls relate to forgotten passwords, according to a survey of 306 IT professionals commissioned by Symantec’s VeriSign and carried out by Forrester Research. The study estimates that each help desk call costs between $10 to $15.
“The fact that passwords remain the cornerstone of enterprise authentication represents a significant and increasing risk. The vulnerability of password-based authentication is widely recognized: From the earliest phishing attacks to the most sophisticated spyware, passwords still represent one of the most common methods hackers target and use to access corporate systems and sensitive data”, the study observed.
The way to reduce the costs of lost passwords and the increased vulnerability of similar user passwords is through the use of strong multi-factor authentication, explained Chatterjee. For example, two-factor authentication involves the use of something the user remembers, such as a password, and something the user has, like a token.
This approach increases security because a hacker needs both to gain access to a system or account; figuring out the password is not enough. It also reduces the need for users to have multiple, complex passwords. The system's two factors provide the complexity from a security point of view, he explained. Chatterjee used the example of a bank ATM card, which requires the use of the card along with the password for the user to gain access to his or her account.
However, having multiple tokens that can be lost or stolen also poses a security risk. So Symantec has developed a smartphone application that generates a one-time PIN that can be used for strong authentication. The PIN is the second factor that is used with a password.
“You have the password that you have in your head and you have the PIN that you generated one time”, he explained. “You have ‘something you have’ and ‘something you know’. The something you have is the mobile phone running the piece of software [to generate the PIN] and the something you know is the password in your head.”
With the two-factor authentication, users do not need to have complex passwords that change frequently. This reduces the burden on the employees as well as on the help desk, he noted.
“It is down to the individual. The weakest link is us. User name and password are a personification of that weak link”, he concluded.