The End User’s Dilemma
It is accepted now by business professionals and security practitioners alike, that identity theft and stolen credentials is a widely used vector for breaching organizations around the world. Passwords are still the most common form of credential used while also being the most abused method of authentication.
As organizations have required their users to provide higher and higher levels of password complexity with little or no uniformity between organizations, end users are required to track five, ten, twenty, or more login credentials. Best practices for password suggest at least eight characters, with uppercase, lowercase, numbers, and symbols utilized. It is also suggested that you changed the password at least every ninety days while not repeating the password again for at least four generations of passwords. Add in that you shouldn’t use birthdates, social security numbers, proper names, or really, any word from a dictionary and, oh yes, make sure that each site has a unique username and password so that if one is compromised, all of you identities will not be compromised. The situation, as presented like this, is untenable.
So the end user does what she must to do her job. Likely this means, either using one username and password for everything but then not every site has the same requirements. So that if she has a symbol as required by one site, but not allowed to use symbols by another site, she ends up being forced to remember a few variations and most likely just writes them down somewhere, either on her computer or on a piece of paper at her desk.
This defeats the purpose of implementing password security because if someone can walk over to her desk and acquire her passwords, non-repudiation and plausible deniability are thrown out the window. If a breach is traced back to her account, it can be difficult to show intent or complicity in the act of allowing the breach to occur.
Biometrics, OTP, and certificate-based authentication mechanisms are significantly more secure than passwords but all have struggled with supplanting passwords as the credential of choice for the vast majority of organizations and end users.
Come by PasswordBank to find out more or stay tuned until next week...