Blog
Why are passwords insecure?
February 29th, 2016
Too many organisations are still just relying on passwords to allow remote workers, partners and clients to access their business systems.
This generally presents an unacceptable level of risk to a business, passwords on their own are not secure.
How can passwords be breached?
- Given to or stolen by another employee
- Eliminating traceability of actions on the IT systems.
- Cracked by an external or internal entity
- Via specialist hacking/cracking software and experience.
- Recorded by spyware software
- Installed via a virus or other malicious software.
- Phished
- Directing the user to a copy of your login systems to facilitate theft.
- Given out to a 3rd party unintentionally
- Staff can often be tricked by sophisticated social engineering.
- Stolen in transit
- Unsecured networks can often facilitate password theft.
As you can clearly see the number of risks to a user’s password are significant. They are old and proven methods to in effect steal passwords and use them for malicious intent, such as to enter systems and steal information, hold firms to ransom and the like. Passwords have been insecure for some time, yet many businesses don’t close the hole unless they have a significant security breach. The fact that underground communities swap and trade access details makes this even worse. There’s money in knowing passwords, thus you can buy them online!
How can you increase your security levels?
It’s actually fairly simple to up your levels of security and protect against these risks. You can make your remote system access robust by simply implementing multi-factor authentication as a minimum level of security. It doesn’t make your system hack-proof of course, but it does dramatically increase the security level of systems.
What is two-factor authentication?
Two-factor authentication simply means you use two elements to access your systems, something you know (your password) and something else, i.e. a token device. You may have one for access to your bank, they’ve been in use for years. You can also have the same technology installed as an app on your smartphone.
The fact that you must have at least 2 elements to log in naturally increases your level of security. Every time you log in you must for example first enter your password and then you must enter a unique number which changes say every 5 seconds. Now it doesn’t matter if someone knows your password as they don’t also have the token with the ever-changing number. On the flip side, if you lose your token on the train and someone picks it up, they won’t be able to access your account as they probably don’t know where you work and most importantly they won’t know your password.
It all sounds very simple. That’s because it is. All firms who have people accessing their systems from outside the corporate firewall should be using multi-factor authentication. Actually, it also makes sense for those within the firewall to use it. It’s inexpensive, straight-forward and now a necessity. Passwords on their own are not secure and the threat landscape is changing all the time Organised crime gangs and lone-wolf hackers are on the hunt to extort and steal money from firms – many are sitting ducks.
NEXT>> 9 red flags which should make you doubt an email
In the press: Financial services firms can benefit from cloud
Financial services firms operating in the UK can now utilise cloud-based IT solutions without fear of breaking their regulatory obligations, as the Financial Conduct Authority (FCA) has issued guidance for firms outsourcing to the “cloud” and other third-party IT services stating there is “no fundamental reason” why they cannot implement cloud services. While the FCA […]
Being a CISO in 2021 – our Head of Security David Clarke
Our Head of Security, and CISO Service lead, David is recognised as one of the Top 10 influencers by Thompson Reuters, and a Top 50 global expert by Kingston Technology. He is also one of the Top 30 most influential thought-leaders and thinkers on social media in risk management, compliance, and regtech in the UK. […]
GDPR Compliance: It’s an issue of transparency
The General Data Protection Regulation (GDPR) has been on the lips of security professionals for a long time now – but in just over a month, it will become a reality. While it’s easy to focus on potential fines or security procedures, many still overlook the heart of the regulation: transparency. Getting the bigger picture […]