In-depth

Lost your password? Ask your children

Inside the enterprise: Apparently kids can hack most people's passwords. But strong authentication is still too costly for most businesses.

Password

Ask any IT helpdesk for their list of the most annoying and most frequent requests, and resetting users' passwords is very likely to be in the top five.

Users lose passwords. Or they forget to change them, they write them down on sticky notes, or store them in Excel files. Or else they just stick to simple ones they can remember, like Admin and Password.

A few years ago, Gartner, the IT research firm, looked at the cost of resetting passwords. A password reset call cost between 7 and 25 per incident, and they accounted for 30 per cent of helpdesk work. Other analysts have put the amount of time IT teams spend resetting passwords even higher.

So IT directors might be interested to learn that, apparently, cracking a password is child's play. Literally. SecurEnvoy, an IT security vendor, reckons that kids can use information stored on adults' social networking profiles to uncover enough personal information to hack passwords.

Advertisement
Advertisement - Article continues below

Security questions such as a user's mother's maiden name are especially easy to uncover, according to Andy Kemshall, SecurEnvoy's CTO. This, coupled with workplace information, such as email addresses, from sites such as LinkedIn, is more than enough to breach security. All a hacker needs to do is pose as a legitimate user, call up the helpdesk, and receive a new set of credentials.

Whether the "average kid" is going to go to such lengths is open to question. But another survey, this time from Experian, suggests that few of us take suffient precautions with either our personal information, or our passwords. The average Briton has 26 online accounts younger adults as many as 40 yet we use just five passwords to secure them. Experian didn't specifically ask whether people use the same passwords for work and personal accounts, but the odds are that many of us do.

Unfortunately, this is a problem that is still in search of a practical solution. Biometric security fingerprints, iris scans, or even voice prints has potential. But all biometrics are expensive to deploy: there is the cost of the equipment and softwarae, and the cost of verifying and enrolling users. And, with the exception of voice, all biometric IDs need new hardware. Then there is the problem that many of us find biometrics too intrusive for day to day use.

Strong, two-factor authentication, such as a token or smart card, is another option. But again, these are not cheap, and confidence in tokens has been undermined by the RSA hack. As with any system that relies on a single gateway, there is also a single point of failure. Move to single sign on with tokens, and if your token system is hacked or circumvented, your systems are wide open.

Until industry comes up with a better, cheaper alternative to passwords, the best measures CIOs can take are to educate staff to use strong passwords, and to change them often.

And if all else fails, the schools break up soon. So there will be plenty of sixth-formers around who will be happy to take a summer job in the IT security department.

Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019
Visit/back-up/29084/how-to-enhance-your-backup-strategy
backup

How to enhance your backup strategy

10 Oct 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/cloud/amazon-web-services-aws/354223/what-to-expect-from-aws-reinvent-2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019