Simple passwords rule the day in mobile world
With IT not requiring safer pass codes and device usability a factor, the finding that 80 percent of users choose convenience is not surprising
By John P. Mello, Jr.
August 20, 2013 — CSO — Nearly 80 percent of smartphone and tablet users choose simple pass codes to protect their devices from unauthorized use, according to an analysis released recently by a maker of mobile device management solutions.
While 85 percent of some 200,000 mobile devices analyzed by Fiberlink had their pass code feature turned on as required by company policy, most of those devices (93 percent) were using simple pass codes to protect the devices.
Fiberlink defined a simple pass code or PIN as a password made up of all numbers or all letters. Of the mobile devices using simple pass codes, almost three quarters (73 percent) had one with a length of four to five characters.
Only 7 percent of the devices analyzed by the company had a complex or alphanumeric pass code. Fiberlink defines a complex password as one made up of letters, numbers and special characters.
"IT is saying it doesn't have the desire to enforce complex passwords on a device that's so heavily balanced between personal use and corporate use," Jonathan Dale, director of marketing at Fiberlink, said in an interview.
The devices themselves may be contributing to the use of simple pass codes. "It's a usability thing more than anything," said Jamie Cowper, a senior director for Nok Nok Labs.
"The temptation is to go as simple as you can, because long, complex passwords are next to impossible on a small screen in a timely correct fashion," Cowper told CSOonline.
"The balance between security and ease of use has shifted a bit in the mobile space," he said. "You can't ask the same things of a mobile user that you might have done at a desktop machine."
Bill Carey, vice president of Siber Systems, a maker of password management software, said that ease of typing definitely influenced password choice. "If you're at your computer, you're more inclined to use a more difficult password -- something with capital letters and numbers," Carey said in an interview. "But on mobile devices, people don't like typing on those so they're more likely to keep their passwords short."
On the other hand, smartphones have standard features that can be used to authenticate a user that desktop and laptop systems may not have. "Location-based services can be used and biometric information -- voice and face -- as well," Nok Nok's Cowper said.
"Fingerprint sensors will be on these devices in the near future, possibly next month with Apple's iPhone announcement," he said.
Fiberlink also discovered that the industry which had the highest percentage of devices required to have their pass code feature activated was health care (97 percent), followed by professional services (87 percent), public sector (85 percent), consumer-retail (81 percent), financial services (79 percent), manufacturing (78 percent) and education (41 percent).
However, health care is in the middle of the pack when it comes to the number of devices that have alphanumeric or complex pass codes on them (4 percent). The public sector had the highest number of mobile devices with alphanumeric or complex passwords (18 percent) and education the lowest (1 percent).
Fiberlink's Dale said he was surprised that financial services ranked near the bottom of the table of industries that required their mobile devices to use pass codes. A trend in the industry may have affected that number, he hypothesized.
"Organizations are starting to enforce pass codes only for corporate data and not device data," Dale said. "Companies are putting more restrictive pass codes and permissions around the corporate data on a device and not caring about the pass codes on the device level."
"Let's face it, IT doesn't care about you getting into your phone to text and tweet," he said. "Since our analysis only looked at pass codes used to access a device, that trend wouldn't show up in our data."
With all the flak passwords have received as an authentication method, some commentators have predicted their demise.
Siber's Carey isn't one of those doomsayers. "I'm not sure that anytime soon there's going to be a complete alternative to passwords," he said. "There might be some complements to passwords but not necessarily alternatives."
"There have been alternatives for a while," Carey said. "But none of them seems to have caught on. I think there is a need for passwords and there will always be a need for passwords."