Comment: Password Reuse Equals Misuse

Russell says username/passwords are little more than an inconvenience to hackers
Russell says username/passwords are little more than an inconvenience to hackers

If an organization protects sensitive data with a simple user name and password combination, it might just as well not bother. User names and passwords have been proven, time and time again, to be little more than an inconvenience to hackers with even the most basic IT skills if they truly want to break into a network.

As well as being inherently flawed as a serious authentication methodology, due to the limitations of the human brain and the number of systems that people need to access, the vast majority of people use the same password for accessing their corporate applications as they do for their personal bank accounts and other online activities.

An analysis by one security researcher in the wake of the Sony and Gawker hacks showed that two-thirds of users with accounts at each website used the same password on both. A quick vote survey, conducted by Swivel Secure in August, showed that even in the immediate aftermath of such high-profile security compromises, this statistic has only marginally improved. The Swivel poll, which asked respondents about their password usage for different online applications, revealed that 55% still use only one – or a variation of one – password across all their online activities. Worryingly, the majority of those polled were information security professionals.

As we all know, it only takes one incident to steal the passwords of millions of individuals, along with their personal information. This can provide hackers with the keys to everything else – including business-critical corporate information.

While the lessons learned by Sony, Sega and Gawker are still fresh in the memories of management teams globally, and while boardrooms are on high alert for a data security breach, it is perhaps perfect timing for information security professionals to push through the need for policies that eradicate the practice of password reuse within the corporate environment.

A basic internal education program is a good start; from my own experience, I know that many non-IT employees across various commercial departments associate hacking with sophisticated and complex software. As hard as it is to believe, many are still unaware that they can be caught out by a hacker posing as ‘the IT department doing maintenance’. Every person within an organization needs to understand their individual responsibility for security and must be on their guard for the latest social engineering scam.

The ultimate solution, particularly for companies still reliant on user names and passwords, is a complete rethink of the internal authentication strategy. With the attention of senior executives still tuned into recent major data thefts and the potentially heavy financial penalties and reputational damage that come with them, now could be a good time to advocate a company-wide multi-factor authentication platform.

Traditional financial and operational obstacles to multi-factor solutions no longer exist: the cost and administration involved in deploying tokens to thousands of individuals has been overcome with the introduction of successful and much more cost-effective tokenless authentication platforms. With multi-factor authentication in place across an organization’s whole user base, one person unwittingly revealing their user name and password credentials will no longer be able to compromise the whole corporate network, and management teams and information security professionals will be able to sleep a lot easier at night.

Chris Russell is VP of technology at Swivel Secure, a provider of tokenless two-factor authentication technology. Russell joined Swivel Secure in 2005 with over 20 years of blue chip experience in product and software development. In his current role, he is responsible for technology within the company, including internal requirements, product development and technical pre- and post-sales.

Prior to his role at Swivel Secure, Russell worked at O2 where he had overall technical responsibility for a portfolio of m-commerce websites and the platforms that delivered them. He provided a range of product improvements that led to significant revenue increases. Before joining O2, Chris worked for British Telecom at its renowned research and development lab in Martlesham Heath.

Russell holds a physics degree from the University of Hull and an MBA from Henley Management College.

What’s hot on Infosecurity Magazine?