Security passwords endure, despite their many pitfalls, with some analysts estimating the average person has to remember 27 different passwords. But passwords are hardly the best line of defense against hacks and other cyberattacks.
New research from Intercede, conducted by Vanson Bourne, finds that security passwords’ lack of reliability in defending against a cyberattack is far from a problem only for individual consumers.
According to the data released last week, a whopping 86 percent of system administrators (sysadmins) use only basic username and password authentication measures to protect corporate accounts.
It’s important to note that the sample set was small — just 84 survey respondents across organizations with at least 1,000 employees in the U.K.
But the report may highlight a deeper issue at work: businesses failing to understand just how at-risk they are putting themselves when it comes to cybercrime. According to the survey, half of respondents acknowledged that their user accounts within the organization were “not very secure.”
Seventeen percent said they aren’t using complex passwords, but separate analysis suggests even credentials with all of those punctuation marks and capitalizations aren’t helping to safeguard systems. According to recent analysis, it takes less than 72 hours for a cybercriminal to crack such a passcode.
Intercede and Vanson Bourne’s report also identified retailers as the businesses that are lease secure, with 92 percent of retailer sysadmins saying passwords are their top line of defense, followed by the manufacturing sector at 82 percent.
But even in financial services, just a quarter of survey respondents said they are using sophisticated security measures like virtual smart cards and PINs.
“Sysadmins effectively hold the ‘keys to the kingdom,’ and relying on username and password authentication is a bit like relying on a basic Yale lock to secure your front door,” said Intercede CEO and Chairman Richard Parris in a statement. “Even the least security-conscious of us also bolt the door with a five lever mortice lock and many go much further. In today’s age of the hack, when compromised passwords are the root of the vast majority of security breaches, U.K. businesses clearly need to do much more — it isn’t simply their data that is compromised; it’s ours.”
Separate analysis announced in a news report last week also highlighted the weakness of passwords, as well as some of the seemingly more secure alternatives.
An investigation by The Daily Mail and Germany-based Security Research Labs found that not only can passwords be easily cracked, but more sophisticated technologies like facial recognition and fingerprint scanning are also easily cracked.
Keiron Dalton, global program senior director at cybersecurity firm Aspect Verify, commented on the investigation, the results of which may have significant implications for how businesses move forward in their cybersecurity strategies.
“These kinds of security technologies do have benefits over conventional passwords, whose weaknesses are demonstrated by recent research from Aspect,” he said, noting that the company found 88 percent of individuals who have experienced some form of fraud in their bank accounts in the last year noted they had to use a password or PIN to log in to those accounts.
“By contrast, the benefits of fingerprint and facial expression include ease of use and reduced vulnerability to basic social engineering, [but] they are also open to rudimentary workarounds,” Dalton continued. “For example, facial recognition technology usually looks for blinking as a way to ensure that it isn’t simply being shown a picture of the intended person.”
In the Daily Mail’s investigation, however, a security consultant faked this “blinking” by quickly placing a pen in front of a picture of a face, ultimately fooling the security measure.
According to the Aspect Verify senior director, the solution to these problems exists within the systems themselves — not in forcing end-users to handle the burden of security.
“The bare truth is that [the] more parts of security that you leave on the customer’s side, the more friction you introduce into their experience and the more open you leave your system to gamesmanship and social engineering from malignant actors.”