Last week a story went viral (at least in the security world) titled “123456 is the most common password in a massive Twitter heist”. Despite many similar incidents, it remains surprising that users will still choose passwords as common and vulnerable as ‘123456’ or ‘password’. The open question about this behavior is whether users are unaware of the risk, undeterred by it, or simply willing to sacrifice security for convenience. Whatever the reason, a password like this is the virtual equivalent of wearing it on your sleeve for everyone to see.
As IT Security professionals we think about security when choosing passwords, however, what do you suggest the typical user considers as primary when choosing a password?
Vinayak Raghuvamshi said it best in his piece on authentication last year when he stated, “Authentication is the weak link in any enterprise security solution, primarily because it relies heavily on how people use it”. This holds true because any weakness in authentication can lead to serious security issues.
Despite the widely known risks associated with weak authentication, people are predictably oriented towards convenience rather than security. The evidence is clear in this incident of password compromise, and in many others: despite policies encouraging password complexity, a large percentage of users do not follow best practices when choosing strong passwords.
The solution to this issue is not only further education regarding the risks of compromise, but also providing end-users with convenience in the choices of their preferred authentication methods. This is where multi-factor authentication (MFA) comes into play and sets the stage for helping users to securely gain access to their resources in a manner that provides not only the security they need, but also the convenience they want.
In this instance, it was celebrities, and even the NFL, whose accounts were hacked and used to send questionable tweets. That seems harmless in the grand scheme of things, but it could have been much worse. What if the passwords protected access to medical or financial records? What if they were the link to government secrets? This is why your organization needs multi-factor authentication. With MFA, your password is augmented by a second factor of your choice, such as a text message credential or mobile phone authentication. These are examples of adding security without taking away the convenience of a quick log-in.
To learn more about MFA, read my earlier blogs or Contact Us.