Furthermore, around a quarter of users are believed to have a password that's based around the 1,000 most popular, lists of which aren't tricky to gleam from the web. A brute force attack on a password, using modern computing power, could devour such a list in a matter of minutes. Adding some of the most popular suffixes to the recipe would still fail to trouble a brute force attack. And more worryingly, users continue to demonstrate a willingness to either share their password with others, or simply make it so easy to guess, that it's borderline redundant.
Stuck in their ways
To further compound the problem, once many users have decided on their password, then that's it. There's no hope of persuading them to change it, unless a network has a specific policy that enforces such a change (which is, arguably, of limited use).
Of greater concern, one single password then gets applied pretty much across the board. It finds itself standing between outsiders and the likes of online banking, PayPal, social networking sites and business accounts, and rarely under duress could it put up any kind of spirited defence. That said, this is also a by-product of the modern day society, where users are expecting to remember a cornucopia of PINs and passwords. It is any wonder that a good number of people tend to rely on old favourites?
So where does the password sit in the modern day world? Arguably in too powerful a position seems to be the answer. Companies are inevitably investigating ways they can beef this up, including employing password filtering software, which rejects any words that it feels are too weak, and instead encourages users to come up with something of more strength. Then, of course, we move into the world of biometrics and fingerprint scanners, when security is absolutely paramount, with an assortment of other solutions regularly arising too.
And yet the humble password should be able to do more than it currently delivers. As part of a rounded security system, the password still manages to keep most general and casual users at bay, and it does still take a small level of commitment to try and work out what a user's password is. There's an argument that runs that dedicated hackers will always find a way, and while that's little excuse for not making it as difficult as possible, as a general deterrent, a password really does have its place.
They key problem remains, of course, one of education. Until users fully appreciate the potential fallout of a compromised password or until, more specifically, something happens to them then the chances are that it'll still be seen as yet another word to remember, rather than the potent security tool that it could and should be.
One hint though, if you happen to be running for high office in the US: beef up your security a bit, eh?
