Lost your password? Ask your children

Inside the enterprise: Apparently kids can hack most people's passwords. But strong authentication is still too costly for most businesses.

Ask any IT helpdesk for their list of the most annoying and most frequent requests, and resetting users' passwords is very likely to be in the top five.

Users lose passwords. Or they forget to change them, they write them down on sticky notes, or store them in Excel files. Or else they just stick to simple ones they can remember, like Admin and Password.

A few years ago, Gartner, the IT research firm, looked at the cost of resetting passwords. A password reset call cost between 7 and 25 per incident, and they accounted for 30 per cent of helpdesk work. Other analysts have put the amount of time IT teams spend resetting passwords even higher.

So IT directors might be interested to learn that, apparently, cracking a password is child's play. Literally. SecurEnvoy, an IT security vendor, reckons that kids can use information stored on adults' social networking profiles to uncover enough personal information to hack passwords.

Security questions such as a user's mother's maiden name are especially easy to uncover, according to Andy Kemshall, SecurEnvoy's CTO. This, coupled with workplace information, such as email addresses, from sites such as LinkedIn, is more than enough to breach security. All a hacker needs to do is pose as a legitimate user, call up the helpdesk, and receive a new set of credentials.

Whether the "average kid" is going to go to such lengths is open to question. But another survey, this time from Experian, suggests that few of us take sufficient precautions with either our personal information or our passwords. The average Briton has 26 online accounts (younger adults have as many as 40), yet we use just five passwords to secure them. Experian didn't specifically ask whether people use the same passwords for work and personal accounts, but the odds are that many of us do.

Unfortunately, this is a problem that is still in search of a practical solution. Biometric security (fingerprints, iris scans, or even voice prints) has potential. But all biometrics are expensive to deploy: there is the cost of the equipment and software, and the cost of verifying and enrolling users. And, with the exception of voice, all biometric IDs need new hardware. Then there is the problem that many of us find biometrics too intrusive for day-to-day use.

Strong, two-factor authentication, such as a token or smart card, is another option. But again, these are not cheap, and confidence in tokens has been undermined by the RSA hack. As with any system that relies on a single gateway, there is also a single point of failure. Move to single sign-on with tokens, and if your token system is hacked or circumvented, your systems are wide open.

Until industry comes up with a better, cheaper alternative to passwords, the best measures CIOs can take are to educate staff to use strong passwords, and to change them often.

And if all else fails, the schools break up soon. So there will be plenty of sixth-formers around who will be happy to take a summer job in the IT security department.

Stephen Pritchard is a contributing editor at IT Pro.
