The Problem with Passwords
Considering that the average person has over two dozen online accounts, remembering passwords – with a different “strong” password for each site and application – can be challenging. Forgetting passwords and relying on password retrieval takes time, and in business, time is money. Even more pricey for a company is the cost of a password breach!
Using simple passwords, writing passwords down, and re-using passwords are all methods people use to remember passwords. Unfortunately, none of these methods is secure, and all of them leave your company vulnerable to a breach. Simple passwords are easily cracked by hackers. Written passwords can be viewed by anyone nearby. Re-using passwords on different sites allows a hacked password from one site to be used to gain access to other accounts used by the hacked individual. Once hackers gain access to your account with stolen login credentials, they can use password-reset links to take over.
Many small companies, which may not have large IT budgets, tend to use weak online security, such as using default admin passwords or not segregating access to systems based on user need. This makes them a target for hackers who see them as an easy entry point to the larger companies with which they do business. In fact, Target’s breach in November 2013 was caused when hackers stole the network username and password from Fazio Mechanical Services (their heating, ventilation and air conditioning company) and used it to access Target’s entire network.
What if your employees didn’t have to remember passwords? Would your company be more secure?
Many users meet the challenge of remembering passwords by using a password manager such as RoboForm, LastPass, Dashlane, 1Password, or KeePass. LogMeOnce is a password manager that even has a new feature that lets you snap a photo of the person who’s trying to hack you! Password managers store your passwords in an encrypted state. You need to remember one master password to log in, and the password manager generates secure, random passwords that it remembers for you. Most allow you to access your passwords across different computers, smartphones and tablets. Password managers also fill out account information based on the web address, which can help prevent users from falling for phishing attacks since the information will not autofill on the wrong website.
(Web browsers, including Chrome and Internet Explorer, have integrated password managers, but they don’t generate passwords for you and they store the passwords in an unencrypted form which can be viewed by anyone who uses your computer. We therefore do not recommend allowing your browser to remember your passwords.)
Earlier this year LastPass was hacked. However, this hack proved that password managers can effectively protect your passwords since no passwords were compromised in the hack. It also served as a reminder that the master password needs to be really strong.
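As an added example (not code from any of the products named above), the following shows the two password-manager behaviors described earlier: generating random passwords and refusing to autofill when the web address does not match the saved one. The `Vault` class, its exact-hostname matching rule, and the sample hostnames are assumptions made for illustration; a real manager also encrypts its store under the master password.

```python
import secrets
import string
from urllib.parse import urlsplit

SYMBOLS = "!@#$%^&*-_=+"
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
ALPHABET = "".join(CLASSES)

def generate_password(length=20):
    """Draw from the OS CSPRNG until every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

class Vault:
    """Hypothetical in-memory store; entries are keyed by exact hostname."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _host(url):
        parts = urlsplit(url)
        # Only HTTPS pages qualify; urlsplit lowercases the hostname and
        # ignores any "user@" prefix placed in front of the real host.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("not an HTTPS URL with a hostname")
        return parts.hostname

    def add(self, url, username):
        """Save a new login with a generated password and return it."""
        pw = generate_password()
        self._entries[self._host(url)] = (username, pw)
        return pw

    def autofill(self, url):
        """Return (username, password) only when the page's host matches."""
        try:
            return self._entries.get(self._host(url))
        except ValueError:
            return None

if __name__ == "__main__":
    vault = Vault()
    vault.add("https://portal.example.com/login", "alice")  # constructed sample
    for page in ("https://portal.example.com/account",
                 "https://portal.examp1e.com/login",         # look-alike spelling
                 "https://portal.example.com.login.test/",   # real name as a prefix
                 "http://portal.example.com/login"):         # no TLS
        print(page, "->", "fill" if vault.autofill(page) else "no match")
```

Because the lookup is driven by the parsed hostname rather than by what the page looks like, a convincing copy of the login form on a different host gets nothing filled in.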
Facial recognition technology is being used to eliminate the need for passwords!
Intel introduced a new application called True Key that uses biometric factors like facial recognition and fingerprints on supported devices to allow you to log in to your device, apps, and websites without entering a password. If you log in from your PC or Mac, True Key sends a notification to your iOS or Android device, and you swipe the screen of your device to verify that it’s you. It works by creating a mathematical representation of the key facial features which is stored locally and encrypted on your device. The mathematical template of your face is matched on the server. It works with PasswordBox to secure your passwords for the websites and apps you use.
Microsoft’s newest operating system also uses facial recognition to replace passwords, using Windows Hello to sign in to your Windows 10 devices. It requires a RealSense 3D Camera from Intel which combines the images from three different cameras into a single image that can judge depth, heat and photos. When you sit down at your PC, Windows Hello recognizes you and automatically logs you in. It can tell the difference between you and a photo of you, and it can recognize you through facial hair, makeup, and eyeglasses. It was even tested on identical twins, and didn’t allow the wrong twin to access the computer!
Several start-ups are also working on high-tech alternatives to passwords. Clef is a free app that generates a unique image on your iOS or Android smartphone that you point at your webcam to log in to a website. Clef has plugins for WordPress, Drupal, Joomla, Magento, Plesk, and WHMCS sites. Waltz is an “account manager” that can be added to Chrome to allow you to use Clef to log in to additional sites including Google, Facebook, and Twitter. Bionym is developing a wristband, called Nymi, which uses a wearer’s heartbeat, instead of passwords, to unlock devices and online accounts.
Still Using Passwords?
Big Idea Technology’s clients continue to use passwords to access their sites, and we continue to support our clients through applications that require passwords. As long as this continues, we will continue to advocate the use of strong passwords – those that require at least 8 characters and use upper and lower case letters, numbers and characters. For the security of your systems, we remind users to use a different strong password for each site they access, and whenever possible, to use two-factor authentication.
If you would like to discuss how secure your network is given the practices that you use at your company, give us a call.