Monday, 5 June 2017

Is the Password Still Relevant to Control Identity and Access to Your IT Systems and Data?


A lot of people believe that the password is an invention of the age of computing, a necessary part of securing IT systems from hackers and other malevolent forces, whether the damage they do is intentional or not. In truth, the password is about as old as human civilisation.

Access to certain areas of a settlement, such as the quarters where powerful or valuable people lived or worked, or even storerooms and armouries, was often protected by guards who would only allow passage to those who stated a secret phrase. The age of the computer may have changed a typical secure password from ‘The Horse Rears at Dawn’ in AD 17 to ‘HoRsE1One1ReARs@@DawN0232’ in AD 2017, but the concept is still the same.

The secure password has endured for millennia – but is its time at an end?

The problem with traditional passwords is that the computer age brought about…well…computers. In the days of Ancient Sparta or the Roman Empire, you could not walk up to a guard and try 1,872,130,000 different phrases until you hit the right one. A computer, on the other hand, can do exactly that: brute force is simply trial and error at a speed no guard ever faced, and it is fastest of all when the attacker has stolen a copy of the password database and can make every guess offline, with no one there to notice. Viruses and keyloggers can also steal passwords from inside a computer without the user ever knowing. And as if the security problems weren't enough, people are very prone to forgetting passwords and needing reminders or resets.

Statistics from 2015 show that 21% of people use passwords that are over 10 years old, and 47% use passwords that are at least 5 years old. Even better news for hackers and cybercriminals: 54% of people use 5 or fewer passwords across their entire online life. This means that one data breach hands an attacker account after account after account, a domino effect (the trade calls replaying leaked credentials against other sites ‘credential stuffing’) that turns one small leak into a cyber-tsunami of breaches.

This is a problem not just for end-users and consumers, but for businesses too. Many companies have employees who reuse the same password across various systems, meaning that a company-wide data loss or theft is one tiny breach away.

This raises the question: is the password still relevant to controlling identity and access to your IT systems and data?

The answer is, well…yes…but probably not for very long.

Passwords are swiftly falling out of fashion in favour of another technology: biometrics. Biometrics use unique biological or biochemical characteristics as proof of identity. Many of us already have this technology in our smartphones. Phones like the Google Pixel let users log into their bank or credit card accounts, as well as some other security-conscious apps, using the fingerprint scanner on the back.

This is harder to attack than a traditional password. Apart from fingerprints, biometrics can also use unique identifiers such as the shape of the ear, the iris, the retina, the face, the fine detail of the palm, and the chemicals in the oils on our skin to ensure that the user, and only the user, can access an account or area. There is even technology in development that can identify a person by their odour.

Such traits are far harder to forge than a password is to guess. Imagine trying to hack into a company’s database when the key you need is the biologically unique body odour of its IT admin: not even the top scientific labs in the world can do that yet. Bear in mind, though, that a biometric is not a secret. You leave fingerprints on everything you touch and show your face to every camera, so what protects you is the difficulty of reproducing the trait convincingly to the sensor, not the difficulty of obtaining it.

The expense of biometric technology currently varies significantly. Fingerprint or iris scanners are relatively inexpensive compared with more complex methods such as odour or DNA matching. So it stands to reason that how relevant passwords are to controlling identity and access to your IT systems and data should correlate directly with the value of those systems and of that data.

For example, if you are a sole trader or run a small grocery store, you are probably safe sticking with password-based authentication. You should still, of course, make every password long and unique to each device or account (a password manager makes this painless), and change a password promptly whenever you suspect it has been exposed. The familiar capital-letter, lower-case-letter, number and symbol rules are less important than length and uniqueness: it is reuse, not a missing ‘@’, that turns one breach into many.

For larger amounts of data, more valuable data or more sensitive data, larger companies and industries will soon find that passwords are no longer relevant and are going the way of the steam engine and the biplane. Biometric defences give employees tightly controlled access that can be revoked person by person, instead of changing a shared password every time an employee leaves the company or changes access level. It also means that nobody can forget their password, which is still insanely common, even in this day and age.

There are, of course, downsides to replacing passwords with biometrics. If a biometric is ever stolen, it is like having the same password for everything. With your fingerprint spoofed, a criminal can access everything you are: bank account, government gateways, building access, even a biometric-secured car. A fingerprint can never be replaced or changed. Once a victim, you may spend the rest of your life unable to rely on that finger as a credential, and you only have ten of them.

Even worse, cheaper fingerprint scanners use capacitive electrical readings to plot the ridges and valleys of the print. Hackers can lift prints left on everyday items with relatively inexpensive equipment and use a mould of them to fool the receiving scanner. There will always be ways a dedicated, motivated criminal can get into biometric-protected IT systems; the trick is to make it unprofitable for the attacker to do so. Breaking into an ordinary phone this way is more expense and hassle than it’s worth, which is why fingerprint biometrics work so well for personal devices. But is that true for businesses of various sizes? Not always. Once again it depends on the value of the data.

So, is there a middle ground? Two-step verification, also called two-factor authentication (2FA), adds a second proof on top of the password: a time-limited code from an authenticator app or hardware token, or a temporary code sent by SMS from a central server. Any of these is a large improvement over a password alone, because a stolen or guessed password is no longer enough by itself. SMS is the weakest of the three, though: a criminal who takes over the victim’s phone number (a ‘SIM swap’) or intercepts the message receives the code too, so an app or hardware token is preferable where the data justifies it. These could even be used in conjunction with biometrics to protect IT systems, access and data. There is no law stating you can only use one type of security; if anything, it is advisable to use as many as is practical.
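The middle ground just described, a password plus a time-limited second code, as an added example that is not part of the original post. It also shows the two counter-measures to the brute-force and replay problems raised earlier: a stored password is kept only as a salted, slow hash, a used one-time code is never accepted twice, and repeated failures lock the account so a computer cannot simply keep guessing. The one-time codes follow the published TOTP algorithm (RFC 6238, built on RFC 4226 HOTP); the `Account` class, its field names and the lockout threshold are hypothetical choices for this illustration, and the secret and timestamps used for checking are the RFC test vectors, embedded here as constructed sample input.

```python
"""Added example (not the post's own code): password + TOTP login with replay and
brute-force guards. Account, MAX_FAILURES and the method names are hypothetical."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # slow hash: makes offline guessing of a stolen database costly


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest). A fresh random salt is drawn if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time (no timing leak on a near miss)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


class Account:
    """One user record (hypothetical): hashed password, shared TOTP secret, abuse state."""
    MAX_FAILURES = 5  # assumed lockout threshold

    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1   # highest TOTP counter already accepted (replay guard)
        self.failures = 0        # consecutive failed logins (brute-force guard)

    def login(self, password: str, code: str, now: int, step: int = 30, window: int = 1) -> bool:
        """Both factors must pass; the caller learns only True/False, never which one failed."""
        if self.failures >= self.MAX_FAILURES:
            return False                       # locked: guessing stops paying off
        if not check_password(password, self.salt, self.pw_hash):
            self.failures += 1
            return False
        counter = int(now) // step
        for delta in range(-window, window + 1):   # tolerate one step of clock drift
            c = counter + delta
            if c > self.last_counter and hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter = c              # a code, once used, can never be replayed
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test secret and a test timestamp.
    SECRET = b"12345678901234567890"
    acct = Account("correct horse battery staple", SECRET)
    now = 1234567890
    code = totp(SECRET, now)                       # the RFC vector gives "005924"
    print("first login:", acct.login("correct horse battery staple", code, now))   # True
    print("replayed code:", acct.login("correct horse battery staple", code, now))  # False
```

The design point is that the second factor only helps if the server refuses to be the guard who can be asked a billion times: the slow hash taxes offline guessing, the lockout taxes online guessing, and `last_counter` ensures a code captured in transit (the SMS weakness above) is worthless the moment the legitimate user has spent it.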

One thing is for sure: passwords are still viable and relevant, but it is extremely unlikely that this will still be the case in five years’ time, perhaps even less. All but the smallest and most data-light businesses will soon be moving away from them in favour of easier, more secure alternatives.

If you would like help or advice with IT security for your business then get in touch with our IT Security experts today on 0131 603 7910 or via our Contact Page.

 

Photo credit: Foter.com