Long Passwords are now not enough

Rather than focus on increasing password length to boost security, organizations should look for cost-effective alternatives such as employing one-time passwords as a second-authentication factor. Advances in supercomputing, particularly parallel processing systems in graphics processing units (GPUs), make cracking of passwords by brute force a piece of cake.

Password cracking by brute force refers to the trial-and-error approach of attempting every possible combination until the right one is found. Passwords with seven or fewer characters will soon be “hopelessly inadequate”. It is now recommended that passwords be at least 12 characters long as a safer security measure.

The username-and-password application is the “first and only layer of defense” for many information systems in organizations today. Hence, while brute force attacks are the least sophisticated of attacks, they remain very effective. Probability dictates that the longer a password is, the more difficult it will be to crack. This is simply NOT TRUE. Any password, however long it is, can now easily be cracked using simple password hacking tools.

However, more than just length, users need to consider the “depth and width” of the password. A secret code with depth refers to one that is not conventional or easily guessable, while width refers to the use of numbers and symbols alongside letters. Long passwords do not necessarily equate to strong passwords. Instead, good passwords rely on “complexity or the ‘strength’” of those passcodes.

Adopt two-factor authentication

And while users can be educated to implement stronger and longer passwords, organizations should look beyond such measures as the only means of authentication. Passwords are often compromised because of poor user habits, such as jotting down passwords on paper or using default and simplistic options. Malware also plays a part in stealing passwords from unsuspecting users.

Simply recommending that password lengths must be extended fails to take into account that passwords are one of the weaker authentication methods, and that this conversation emerges every few years as processing power increases.

Organizations should address authentication policies holistically rather than depend only on deploying longer passwords as the solution. To that end, technologies such as one-time passwords (OTPs), certificates and multi-factor authentication should be considered.

There are “affordable” offerings and products available in the market. In particular, multi-factor authentication is cost-effective, easy to implement and a ubiquitous practice in commerce such as two-factor authentication for Internet banking.

Information is the lifeblood of most organizations today and a small investment in security can prevent information loss that could potentially have a major impact on the business. Organizations can also tap biometrics such as retina, fingerprint, facial recognition and voice recognition to provide sound authentication mechanisms.

Making static passwords safer

The extent to which enterprises should employ additional layers of security within their systems depends on the risk factors and business requirements.

[Businesses] need to look at the risk-cost analysis across the different functions of [their] organization and adopt a holistic and information-centric approach toward security before [determining] how to best secure [their] organization, both from the technology and financial perspectives.

Companies that opt to rely on long passwords may find it helpful to encourage users to adopt “passphrases”, which read like a proper sentence and can be peppered with symbols and numbers that resemble letters.

Password composers should be “creative” by using “personally significant” words or phrases in atypical fashion. For example, you may want to derive your password from an acronym that’s meaningful only to you. Choose a line from a favorite song or saying, and use the first letter of each word as the basis for your password. Alternatively, take two short words with nothing in common but that have special significance to you, and combine them with punctuation or numerals, always remembering to use both uppercase and lowercase letters.