Why are passwords insecure?
February 29th, 2016
Too many organisations are still just relying on passwords to allow remote workers, partners and clients to access their business systems.
This generally presents an unacceptable level of risk to a business, passwords on their own are not secure.
How can passwords be breached?
- Given to or stolen by another employee
- Eliminating traceability of actions on the IT systems.
- Cracked by an external or internal entity
- Via specialist hacking/cracking software and experience.
- Recorded by spyware software
- Installed via a virus or other malicious software.
- Directing the user to a copy of your login systems to facilitate theft.
- Given out to a 3rd party unintentionally
- Staff can often be tricked by sophisticated social engineering.
- Stolen in transit
- Unsecured networks can often facilitate password theft.
As you can clearly see the number of risks to a user’s password are significant. They are old and proven methods to in effect steal passwords and use them for malicious intent, such as to enter systems and steal information, hold firms to ransom and the like. Passwords have been insecure for some time, yet many businesses don’t close the hole unless they have a significant security breach. The fact that underground communities swap and trade access details makes this even worse. There’s money in knowing passwords, thus you can buy them online!
How can you increase your security levels?
It’s actually fairly simple to up your levels of security and protect against these risks. You can make your remote system access robust by simply implementing multi-factor authentication as a minimum level of security. It doesn’t make your system hack-proof of course, but it does dramatically increase the security level of systems.
What is two-factor authentication?
Two-factor authentication simply means you use two elements to access your systems, something you know (your password) and something else, i.e. a token device. You may have one for access to your bank, they’ve been in use for years. You can also have the same technology installed as an app on your smartphone.
The fact that you must have at least 2 elements to log in naturally increases your level of security. Every time you log in you must for example first enter your password and then you must enter a unique number which changes say every 5 seconds. Now it doesn’t matter if someone knows your password as they don’t also have the token with the ever-changing number. On the flip side, if you lose your token on the train and someone picks it up, they won’t be able to access your account as they probably don’t know where you work and most importantly they won’t know your password.
It all sounds very simple. That’s because it is. All firms who have people accessing their systems from outside the corporate firewall should be using multi-factor authentication. Actually, it also makes sense for those within the firewall to use it. It’s inexpensive, straight-forward and now a necessity. Passwords on their own are not secure and the threat landscape is changing all the time Organised crime gangs and lone-wolf hackers are on the hunt to extort and steal money from firms – many are sitting ducks.
In the press: IT is a tier one investment for law firms
The start of the new financial year means that every department is battling for a “piece of the pie” as budget allocation gets underway. Staff bonuses, business development and branding are often top priorities for available budget. This leaves the IT department with little investment to cope with the security threats aimed at the legal […]
QuoStar named as one of the UK’s most ambitious businesses
IT support and consultancy firm QuoStar have received an award for ambition. The firm, whose operational headquarters are in Bournemouth, has been named as one of the UK’s most ambitious companies in the southern region. This award is unique because no company could put themselves forward or receive a nomination. Instead, more than 5000 companies […]
Cyber-Security White Paper: Going Beyond Technology
This paper is a write up based upon a webinar hosted by David Clarke – QuoStar Head of Security & CISO, and Chris White – QuoStar Head of Consultancy & the CIO Service in July 2021. Please fill out this form to receive your copy of the Cyber-Security White Paper: Going Beyond Technology This write-up […]