Why ‘Password’ Is Still Used as a Password
By Samuel Greengard
It's fairly obvious that cyber-threats are increasing, seemingly on an exponential scale. While much of the focus for CIOs is on the enterprise, locking down servers, networks and all the mobile devices used within it, customer-facing security too often takes a back seat.
Too many businesses continue to rely on nothing more than a user name and password. Few use two-factor authentication, let alone more sophisticated technologies such as fingerprint authentication, facial recognition or randomly generated codes designed for one-time use. Making matters worse, the more complex the password rules, the greater the odds that a sizeable chunk of the population will write the password on a sticky note or reuse the same complex password on site after site.
Even with password managers such as 1Password and RoboForm, and the password generation and storage built into modern browsers such as Chrome, Firefox and Safari, it's still a living nightmare for many users. Many consumers simply throw up their hands and give up. The result? Passwords such as 1234567 or password.
Then there's the problem of phishing and other social engineering methods. A new report from CBS News and Intel Security found that of 19,458 people who took a quiz, 80 percent fell victim to at least one fake email. Only 3 percent managed a perfect score. Incredibly, 94 percent of security professionals were also fooled.
The message for CIOs, CISOs and CSOs? Organizations must put more time, energy and resources into devising security tools and systems that ratchet up protection on the customer side of the equation. One company that does an excellent job with log-on security is USAA, which requires a username, password and PIN. What's more, its mobile app incorporates optional facial recognition and voice recognition, as well as fingerprint authentication. Many others, including American Express and Square, also offer fingerprint authentication on an iPhone.
Of course, biometric and other advanced authentication tools still sit on top of an underlying password: on a phone, the fingerprint or face typically unlocks a stored credential or session token rather than replacing the account password, so that password still has to be strong. Yet it's far more attractive to create a strong one when you don't have to type it into a cramped smartphone keypad every single time you log in.
Business, IT and security leaders should also consider requiring a second factor for any significant account change, such as a new email address, phone number or payment method, not only at login. And there's a need to design email messages that let customers verify they really come from the company. It's still way too easy for scammers to create deceptive messages that look real. The CBS News and Intel Security study pretty much proves that. When the experts can't tell real from fake, something is very wrong.