In a long and interesting Wired post (Kill the Password: Why a String of Characters Can’t Protect Us Anymore) at the end of last year, Mat Honan wrote about how easy it is for an attacker to crack almost any password. One part of his argument is that, given enough time and modern password-cracking tools, which try billions of guesses per second against a stolen database of password hashes, even passwords that look strong can be recovered in hours or days.
Also in Wired, Nate Anderson wrote yesterday (How I became a password cracker) about how easy it was for him – not a hacker by trade – to acquire the skills and tools to become an effective password cracker in a single day. If you think that worrying about passwords is a lot of hot air, and that, anyway, ‘it couldn’t happen to you – or to anyone in your company’, then these two articles are essential reading.
There are two possible takeaways from these articles. The first is that it’s time to go beyond passwords, to two-factor authentication (so that a cracked password on its own is not enough to log in) and the more widespread use of software like Trusteer Rapport. While this is the logical direction of travel for organisations with deeper pockets (and we’re seeing more and more of these sorts of solutions from online banking institutions), it’s not so easy in the short term for individuals or most other organisations.
For individuals, the only short-term solution is a combination of a strong password – at least 8 characters mixing upper- and lower-case letters, digits and special characters, and preferably longer, since every extra character multiplies the number of guesses a cracker has to make – changed at least every 90 days, together with sustained, suspicious vigilance, particularly towards anyone or anything asking for sensitive information (birthday, mother’s maiden name) under any circumstances.
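To make the password advice above concrete, here is an added example (not code from the post or from either Wired article) that checks a candidate password against that policy and estimates how long a brute-force search of its keyspace would take. The guess rate of 10 billion per second and the short common-password list are assumptions chosen for illustration; the example also shows that a longer all-lowercase password costs a cracker more work than a short one that mixes all four character classes.

```python
import math
import string

# Constructed list of commonly used passwords (illustrative, includes the two the post cites).
COMMON_PASSWORDS = {"123456", "password", "passw0rd", "qwerty", "abc123", "letmein"}

# Assumed offline guess rate for a modern GPU cracking rig against a fast hash
# (illustrative figure, not a number taken from the post).
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Alphabet size contributed by each character class (33 = printable ASCII punctuation).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_policy(password: str, min_length: int = 8) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < 4:
        problems.append("does not mix upper, lower, digits and special characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def keyspace_size(password: str) -> int:
    """Number of candidates a brute-force search must cover for this length and class mix."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits (assumes characters chosen uniformly from the mixed alphabet)."""
    return math.log2(keyspace_size(password))


def brute_force_seconds(password: str, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace at the assumed guess rate."""
    return keyspace_size(password) / guesses_per_second


if __name__ == "__main__":
    for candidate in ["123456", "passw0rd", "Tr0ub4d&", "correcthorse"]:
        verdict = check_policy(candidate) or ["passes policy"]
        days = brute_force_seconds(candidate) / 86400
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"~{days:.1f} days to exhaust; {', '.join(verdict)}")
```

The policy check rejects both 123456 and passw0rd outright, while the keyspace estimate shows that the 12-character lowercase string takes roughly 15 times longer to exhaust than the 8-character four-class one at the same guess rate. Real crackers do not search uniformly, so treat the estimate as an upper bound on the attacker's effort, not as a guarantee.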
For other organisations, staff training and awareness – ideally delivered within a structured ISO27001 Information Security Management System that enforces proper password selection and management – is the essential, immediate step. The most effective way to deliver staff training and awareness is online, using an easily customisable, pre-built e-learning solution. Organisations that postpone the decision to take a structured, formal approach to information security are very like dinosaurs who thought that meteor-triggered climate change wouldn’t affect them. After all, the most commonly used passwords today are still 123456 and passw0rd.