One security topic that I’ve heard and written a fair bit about recently is that of the password. It’s been the primary means of access control for as long as I can remember and it’s served its purpose reasonably well for much of that time.
But it isn’t a perfect solution for protecting computers and the information stored on them.
That’s why there has been a lot of chatter recently about biometrics such as fingerprint scanners (iPhone 5s), body odour detectors (future passports?), vein scanners (ATMs in Japan, Poland and elsewhere) and all manner of other means of confirming a user’s identity.
Whilst each of these methods has its own pros and cons, none has usurped the humble password in terms of mass use, and I suspect that is how it will remain for some time yet.
So what do you need to do to ensure password security within your organisation?
The first thing you will want to ensure is that no-one within your company is using a weak password. Sadly, far too many people use short passwords that are nothing more than dictionary words, which an attacker armed with a wordlist and a few mangling rules will recover in seconds, and they also re-use those same passwords across all of their accounts, so a breach at one site hands over the keys to the rest. If the people within your business are using easy to guess passwords then they may as well not have a password at all!
So, some security awareness could be key. If you appeal to your team’s human nature and explain the advantages of having strong and varied passwords in their private lives then there is a chance at least that they will be more predisposed to creating a strong password when they are in the workplace.
Then you can teach them how to create the desired strong password using these tips.
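To show why a short dictionary word is as good as no password, here is an added example that is not part of the original post: a toy dictionary attack of the kind John the Ripper or hashcat run against an unsalted hash dump, next to a policy check that rejects any password the same attack would recover. The wordlist, the mangling rules, the usernames and the leaked hashes are all constructed for the example (a real cracker uses wordlists of millions of entries and far more rules); the policy check follows the length-plus-blocklist approach rather than character-class rules, which is the author’s suggestion here, not something the post prescribes.

```python
import hashlib

# Constructed mini wordlist standing in for a real one such as rockyou.txt.
WORDLIST = ["password", "letmein", "welcome", "sunshine", "dragon", "monkey", "football"]


def mangle(word):
    """Yield the common variations people bolt onto a dictionary word.

    These mirror the kind of rules a cracker applies: capitalise, append a
    digit or year, swap letters for look-alike symbols.
    """
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2013"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def sha256_hex(password):
    """Unsalted SHA-256, as found in many leaked dumps (not how you should store passwords)."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Return the plaintext whose hash matches target_hash, or None if the wordlist misses."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


# Constructed stand-in for a breached credential dump: username -> unsalted SHA-256.
LEAKED_DUMP = {
    "alice": sha256_hex("Password1"),
    "bob": sha256_hex("dragon2013"),
    "carol": sha256_hex("correct horse battery staple"),
}


def crack_dump(dump, wordlist=WORDLIST):
    """Return {user: plaintext} for every hash the dictionary attack recovers."""
    cracked = {}
    for user, digest in dump.items():
        plaintext = dictionary_attack(digest, wordlist)
        if plaintext is not None:
            cracked[user] = plaintext
    return cracked


def check_policy(password, wordlist=WORDLIST, min_len=12):
    """Return a list of policy violations; an empty list means the password is acceptable.

    The policy is deliberately simple: a minimum length and a blocklist check
    that reuses the attacker's own logic, so anything the toy cracker would
    find is rejected before it ever reaches the directory.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if dictionary_attack(sha256_hex(password), wordlist) is not None:
        problems.append("dictionary word (with or without common mangling)")
    return problems


if __name__ == "__main__":
    for user, plaintext in crack_dump(LEAKED_DUMP).items():
        print(f"cracked {user}: {plaintext}")
    for pw in ("monkey", "Password1", "correct horse battery staple"):
        verdict = check_policy(pw) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

Run stand-alone it recovers alice’s and bob’s passwords from the constructed dump and leaves carol’s passphrase untouched, which is the whole argument for length over cleverness: the passphrase is not in any wordlist, and no mangling rule gets there either.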
After that it’s job done, right?
I suspect you already know the answer to that question which is, of course, “no.”
One of the biggest issues in securing computers and information is that human element. It’s unfortunate, but as a species we are far from perfect. Some of us can be lazy, some are not so bright, we can all have a bad day, many aren’t as security conscious as we would like, and all of us are social animals to varying degrees. Not only that, but all of us are individuals and we cannot be expected to behave in identical ways.
That said, some generalisations can be made. Digital sociologist Dr. Jessica Barker has recently conducted research in this area and presented her findings both on her blog and at the IRISSCERT Annual Conference 2013:
As you can gather from the video, a large number of people are indeed using the same password for multiple accounts:
“In total, 62% of the sample did not use unique passwords and 43% of respondents admitted to reusing passwords for their online accounts.”
Furthermore, she discovered that 57% of respondents to her survey said that they have shared their passwords with someone else. Whilst this primarily applies to personal accounts, 15% of those questioned admitted that they shared login credentials within the workplace:
“Although organisations would undoubtedly be pleased to think that only 15% of people share their passwords for work reasons, it is worth considering that 15% is still a fairly substantial number when considering the damage that sharing access to professional accounts can cause.”
Interestingly, Barker also found some significant differences between the sexes when it comes to password security. Her research indicates that only 28% of men use unique passwords across accounts, whilst 47% of women use a different login for every account. Whilst women appear to be more security conscious in that respect, they were found to be more likely to share those passwords than men (69% vs 47%).
Even though Dr. Barker’s sample size was quite small, it does give an insight into people’s attitudes towards security. Despite the apparent differences between the sexes (and between age groups too), the overall picture is one in which password security looks pretty drab amongst users.
What this says is that the human element is still key to ensuring that passwords are both strong and kept confidential within your organisation. So, whilst you need to protect your networks and information, it is still worth asking yourself what you are doing to secure the humans in your business.