After Yahoo!, we should all examine our password practices
Barely a week goes by without some high-profile story of a company being hacked and user logins being stolen, with the most recent example being Yahoo!. And while we may wish that passwords would go away, they’re going to be around for the foreseeable future. When so many web apps rely on passwords as the only login option, we have to protect ourselves as best we can by selecting strong and unique ones.
The peril of passwords
When you look at the analysis done on the Sony and LinkedIn hacks, you’ll see that more than 50% of the passwords published by the hackers had fewer than 8 characters, 50% contained only numbers or only letters, and only about 1% contained a non-alphanumeric character. Such weak passwords are relatively easy to crack, even when they are stored as hashes in the database rather than in plain text.
Of course, using weak passwords is only the first mistake most users make. The second is reusing the same password for multiple web apps and services. Once an attacker gets access to one service, they can then get into others — email, social media, online shopping, bank accounts, etc. Then, to top it off, users don’t change their passwords often enough.
While IT admins do their best to educate users, and journalists highlight the need for stronger passwords when they report on big data breaches, users still don’t listen.
The benefits of dynamic password management
But what if we could do the selecting and changing of passwords for the user? And take responsibility for choosing strong passwords that are harder to crack? Security – and the user experience – would be greatly improved.
The first step to making it happen is for businesses to implement a Single Sign-On (SSO) solution with dynamic password management. The beauty of dynamic password management is that it automatically changes passwords for the user, ensuring that passwords always remain long, strong and unique across every selected account.
In fact, the user never sees (or needs to remember) their web app logins. They just log in to the SSO solution and access their web apps from there. With SSO, passwords become more like the tokens and assertions that are used in federated identity standards, including SAML and WS-Federation.
Moving to an SSO solution with dynamic password management is certainly a step in the right direction. It protects the user by ensuring that if a large-scale breach does happen, the stolen password is strong, unique and not reused across other services. And, since password changes are automated, they can be made far more frequently – reducing the window of exposure if a compromise takes place.
Want to learn more? Visit our website to discover dynamic password management in Intermedia AppID® Enterprise.