Account security: moving past the password

"Password" is still the most-used password, despite the fact that people are repeatedly told not to use it


Despite the ongoing conversations about using more secure passwords and a different password for each account, people just aren't changing their bad password habits. Everyone knows that pass-phrases are better than passwords and that second-factor authentication trumps the complex pass-phrase, but few of us go so far as to create a different username and password for each of the many accounts we access on a daily basis.

Still, hackers are accessing critical information via stolen credentials, and weak passwords are a key factor in their success. I'm only guessing here, but I think it's fair to say that few employees are deliberately using easy-to-remember passwords across multiple accounts so that their employer will get hacked.

Michael Fauscette, chief research officer of G2 Crowd, said, "Especially for somebody new trying to manage their online experience, complicated things are hard to remember. We tend to simplify even though we think we are not. We use patterns that are repeatable and most of us are using the same word across many sites. Those are the easiest things to break."

Studies show that, despite all the things and people that have been hacked, "password" is still the most common password. "It’s so difficult to get people on board, and not having a password management tool sets you up to fail," Fauscette said.


Security teams can enforce and train personal behavior, but a password management tool takes the risk of human error away, relieving the person of that risk by providing a single way to create and store multiple passwords.

"The tool needs to support all devices and allow for a single way to work across all devices. It has to work across all systems," said Fauscette.

Quite honestly, I'm a little scared of password management tools. It seems quite onerous, and taking that initial step is beyond my comfort zone. A lot of non-technical people probably share my anxiety, which is why the tool is most effective if it is part of the property of the employer.

"You can make it automatic, but you can’t make people use it," Fauscette said. "It’s cultural, training. Some companies encourage but don’t provide the tool, but it is much better to actually provide it."

In an attempt to overcome the security challenges associated with passwords, companies are exploring all kinds of options. "Some companies have systems that force you to change your passwords every so often, but a password management tool would avoid that. If you have a system, you are the manager," said Fauscette.

Another technology that is gaining ground in the security industry is biometrics, about which folks definitely have mixed feelings: it's not impossible to copy a fingerprint, even though it's more difficult than accessing a password.

Just today Telesign released a new report, "Beyond the Password: The Future of Account Security," which surveyed 600 security professionals across 15 industries. They found that the majority of companies plan to do away with the password in the next decade. The study covered the respondents' views on password effectiveness, the impact of fraud, and adoption of other authentication tools such as behavioral biometrics.

Regardless of which solution you choose, you need to implement some solution that strengthens the security of your enterprise. Even the most well-intentioned and disciplined employees who actually make an attempt to create more complicated passwords are defaulting to some sort of discernible pattern, whether they realize it or not. And those are the ones that actually care about your organization being compromised. 
