August 11, 2015
This is a guest post by Ryan Wilk, director of Customer Success, NuData Security.
Imagine this scenario: Your friend’s birthday is coming up, and you’re about to hit the mall in search of a gift and then run some errands. Before you leave, you decide to check online for the gift you have in mind. Within just a few minutes, you’ve not only found it – you’ve found it at a great price. The website doesn’t have a guest checkout, though, so you’re going to have to create an account before you can buy the item and then go on with your busy day.
How do you handle this? It depends on your password user profile.
One Password to Rule Them All
Use the same password you use everywhere else? Yikes. But you wouldn’t be alone – 55 percent of online users do. That means one password breach unlocks everything from email to bank accounts to even medical information. The only thing worse you could do is write the password down on a piece of paper (though opinions on that are changing, since few people would ever have physical access to a password that’s written down).
Two Tiers of Passwords
Do you use a “burner” password, or a variation on a theme, for a website you don’t care about? Better, but not by much. Even if you have super-strong passwords for sites like your bank, using a burner password for other sites still leaves you vulnerable. Every extra password in circulation is one more tool for hackers to leverage when breaking into other connected sites. Plus, in our example, that easy-to-guess password is still tied to your credit card, and no one wants to deal with a hacked card – even if financial services companies don’t hold the customer accountable.
Best Practices Password
Use a secure password? Even if it takes a little extra time, it’s the best solution, and it puts you in the minority. But what qualifies as secure? That’s been a shifting goal post for many years now. As hackers get more savvy and attacks more robust, our passwords have had to become ever more complicated. Requiring capitalization, letter substitution, numbers and symbols, and ever-increasing password lengths makes it almost impossible for human beings to come up with secure passwords they can actually use.
Enter random password generators and, of course, password managers. Does the computer you’re browsing on have your password manager? Are you even logged in? Is it even your computer or tablet? Despite their convenience, don’t get too trusting: even password manager data can be breached, as happened in the recent breach of the popular service LastPass.
The truth is that none of these solutions is perfect, everyone knows it, and we’ve all been saying so for a long time. Not only do we know that we aren’t doing our due diligence when it comes to password security, but we’re sure no one else is either.
We can’t get rid of passwords – not yet. Internet users need a way to signal the transition from anonymous website visitor to active, legitimate party about to begin a transaction. For the user, that signal is the login and the password. But for the business, a password alone isn’t good enough anymore to protect the business or its users. Companies need to look at the behavior that occurs in context with the password’s use, and they do this by leveraging user behavior analytics.
Pretty soon, which kind of password user you are won’t matter anymore because, simple or complicated, the password won’t be your gatekeeper. The password prompt will ask the question: Are you the real you? But it won’t be the password that answers that question. User behavior analytics will.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.