In-depth

Lost your password? Ask your children

Inside the enterprise: Apparently kids can hack most people's passwords. But strong authentication is still too costly for most businesses.

Password

Ask any IT helpdesk for their list of the most annoying and most frequent requests, and resetting users' passwords is very likely to be in the top five.

Users lose passwords. Or they forget to change them, they write them down on sticky notes, or store them in Excel files. Or else they just stick to simple ones they can remember, like Admin and Password.

A few years ago, Gartner, the IT research firm, looked at the cost of resetting passwords. A password reset call cost between 7 and 25 per incident, and they accounted for 30 per cent of helpdesk work. Other analysts have put the amount of time IT teams spend resetting passwords even higher.

So IT directors might be interested to learn that, apparently, cracking a password is child's play. Literally. SecurEnvoy, an IT security vendor, reckons that kids can use information stored on adults' social networking profiles to uncover enough personal information to hack passwords.

Security questions such as a user's mother's maiden name are especially easy to uncover, according to Andy Kemshall, SecurEnvoy's CTO. This, coupled with workplace information, such as email addresses, from sites such as LinkedIn, is more than enough to breach security. All a hacker needs to do is pose as a legitimate user, call up the helpdesk, and receive a new set of credentials.

Whether the "average kid" is going to go to such lengths is open to question. But another survey, this time from Experian, suggests that few of us take suffient precautions with either our personal information, or our passwords. The average Briton has 26 online accounts younger adults as many as 40 yet we use just five passwords to secure them. Experian didn't specifically ask whether people use the same passwords for work and personal accounts, but the odds are that many of us do.

Unfortunately, this is a problem that is still in search of a practical solution. Biometric security fingerprints, iris scans, or even voice prints has potential. But all biometrics are expensive to deploy: there is the cost of the equipment and softwarae, and the cost of verifying and enrolling users. And, with the exception of voice, all biometric IDs need new hardware. Then there is the problem that many of us find biometrics too intrusive for day to day use.

Strong, two-factor authentication, such as a token or smart card, is another option. But again, these are not cheap, and confidence in tokens has been undermined by the RSA hack. As with any system that relies on a single gateway, there is also a single point of failure. Move to single sign on with tokens, and if your token system is hacked or circumvented, your systems are wide open.

Until industry comes up with a better, cheaper alternative to passwords, the best measures CIOs can take are to educate staff to use strong passwords, and to change them often.

And if all else fails, the schools break up soon. So there will be plenty of sixth-formers around who will be happy to take a summer job in the IT security department.

Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Bank-targeting malware disguises itself as video conferencing software
Security

Bank-targeting malware disguises itself as video conferencing software

19 Oct 2020
What is shoulder surfing?
Security

What is shoulder surfing?

19 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
Microsoft releases two emergency Windows patches
Security

Microsoft releases two emergency Windows patches

19 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020