If there is one thing sysadmins can guarantee will happen on an almost daily basis, it is users forgetting their passwords. As passwords have to become more complex to resist guessing, users struggle to remember them.
This is no surprise, of course. Research has shown that six-character passwords, especially those made up only of lowercase letters, are no obstacle to cybercriminals: they can be cracked all too easily. Unfortunately, even though many users know that passwords should contain special characters, upper- and lowercase letters and at least one number, far too many still choose simple, easy-to-remember passwords. There is a tradeoff between security and convenience, and all too often end users opt for the latter.
Ideally, for maximum security, passwords should contain no dictionary words and should consist of 11 randomly generated characters drawn from upper- and lowercase letters, numbers and special characters. Companies are now learning that while complex passwords are inconvenient, that inconvenience is a small price to pay compared with the cost of dealing with a data breach.
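To put numbers behind the two claims above, here is a short Python script. It is added to this article for illustration and is not taken from any of the surveys or vendors the article cites. It computes the brute-force keyspace and entropy of a password of a given length and character set, estimates worst-case cracking time at an assumed guess rate (one billion guesses per second is an assumption chosen for illustration, not a figure from the article), checks a password against the recommended shape, and generates a compliant 11-character password from the operating system's CSPRNG. The sample passwords it uses are constructed for the example.

```python
import math
import secrets
import string

# Character classes named in the recommended policy (upper and lower case
# letters, numbers and special characters). `string.punctuation` is the 32
# printable ASCII symbols, giving a 94-symbol alphabet in total.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = string.punctuation
FULL_ALPHABET = LOWER + UPPER + DIGITS + SPECIAL  # 94 symbols


def effective_alphabet(pw: str) -> int:
    """Combined size of the character classes actually present in `pw`.
    A brute-force attacker who knows the policy iterates over this alphabet."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SPECIAL)
               if any(c in cls for c in pw))


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct strings of `length` symbols over an alphabet of
    `alphabet_size` symbols, i.e. the worst case a brute-force attacker faces."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy, assuming every symbol was chosen uniformly at random.
    A dictionary word does NOT earn this figure: attackers try a word list, not
    every string, which is why the article says to exclude such words."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at `guesses_per_second`.
    The guess rate is an assumption supplied by the caller; the article gives none."""
    return keyspace(length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)


def meets_policy(pw: str, min_length: int = 11) -> bool:
    """True if `pw` is at least `min_length` long and contains at least one
    symbol from each of the four classes (the shape the article recommends)."""
    return (len(pw) >= min_length
            and any(c in LOWER for c in pw)
            and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SPECIAL for c in pw))


def generate_policy_password(length: int = 11) -> str:
    """Generate a policy-compliant password using the OS CSPRNG (`secrets`),
    never `random`, whose output is predictable. Rejection sampling keeps the
    result uniform over all compliant strings; with 94 symbols and 11 positions
    roughly two in three candidates pass, so the loop ends quickly."""
    if length < 4:
        raise ValueError("need at least 4 characters to hold one of each class")
    while True:
        candidate = "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate for illustration: 10^9 hashes/second
    # "abcdef" is the article's weak case; "Summer2016!" is a constructed
    # policy-compliant password built from a word, so its keyspace figure
    # overstates its real strength.
    for pw in ("abcdef", "Summer2016!", generate_policy_password()):
        n = effective_alphabet(pw)
        print(f"{pw!r:>16}  alphabet={n:>2}  bits={entropy_bits(len(pw), n):5.1f}  "
              f"worst-case years at {RATE:.0e}/s: {years_to_exhaust(len(pw), n, RATE):.3g}")
```

Six lowercase characters give 26^6, about 309 million possibilities, which an offline attacker at the assumed rate exhausts in well under a second; 11 characters from the full 94-symbol set give roughly 5 x 10^21, on the order of 160,000 years at the same rate. The entropy figures are upper bounds that hold only for randomly chosen characters: "Summer2016!" satisfies the character-class rules and scores the same 94-symbol alphabet on paper, yet it sits in any cracking word list, which is why the dictionary-word rule matters as much as the character-class rules.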
Secure password controls are now being introduced by the majority of companies
A survey conducted last year by Ping Identity suggests that the majority of companies have now implemented enhanced controls to ensure end users choose secure passwords. 82% of respondents rated their company's password controls as good or excellent and said their IT departments force them to change passwords regularly so that attackers do not have long to crack them; 76% indicated they are required to change their passwords every 1-3 months. (Forced periodic rotation has since fallen out of favour: NIST SP 800-63B advises against it unless there is evidence of compromise, because it pushes users toward predictable variations of an old password.)
While this is good news, the same survey revealed that password sharing and reuse are still common. Half of enterprise employees use the same passwords for work and personal accounts, 37% of respondents said they share passwords with family members, and almost half admitted to reusing passwords across work accounts.
A recent survey by SecureAuth, a provider of multi-factor authentication systems, confirmed that passwords have become too complex for many end users to remember. 308 IT security professionals took part, and 85% said their helpdesk was frequently contacted by users who had forgotten their passwords; 37% said employees were calling the helpdesk about this "all the time".
A majority of IT security professionals believe that passwords alone are no longer secure enough to protect networks; 66% said they now use multi-factor authentication controls.
Many would like to move away from passwords entirely, but at present the technology required to implement other, more secure user authentication controls is prohibitively expensive. A retina or fingerprint scan may be ideal, but few companies are willing to pay for the hardware.
That said, over the next decade things are likely to change, or so it is hoped. The survey showed that 91% of cybersecurity professionals believe the password will cease to exist within the next decade. Other, more secure methods of user authentication will replace the humble password, and the cost of the technology is likely to fall enough to make this a reality. For the time being, however, helpdesk staff will continue to spend a considerable amount of time resetting passwords.