Stolen Passwords and Comfort Over Security

This week a large-scale password theft was exposed and widely discussed. The majority of these passwords were for accounts on very heavily used sites like Google and Facebook. The LA Times discussed the findings around the passwords themselves and noted that "[as] expected, many of the login credentials are no more complex than '1234.'" The article goes on to say:

"Users are creating easy-to-crack passwords, but SpiderLabs blames companies, not users, for this problem.

"If our hypothesis is true, then the inevitable conclusion is that people still choose comfort over security," the team said in a blog post. "If you don’t enforce a password policy, don’t expect your users to do it for you."

So how can you create a better password? Here are a few tips:

  • Use capital and lowercase letters
  • Use letters and numbers
  • Use words not found in the dictionary. For example, instead of "apple" go with "aapl"
  • Replace letters like "O" and "E" with numbers like "0" and "3"
  • Use long passwords

If you apply all of those techniques you can take a simple password like "thisismypassword" and turn it into something a little more complex like "th1ss1smYypa4sSsw0rdD.""

Asking users to create, remember and type passwords like "th1ss1smYypa4sSsw0rdD" is not a scalable security strategy, but the article's point about users choosing comfort and convenience is a very real challenge. This story speaks to the absolute requirement for transparent, non-invasive authentication that is still strong and involves more than a direct match or mismatch of the entered secret. This has to happen without creating complexity that will deter end users.
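To make the enforcement point concrete, here is an added example (not from the article or from SpiderLabs) of a server-side password policy check: it applies the listed rules and also undoes the letter-for-digit substitutions before the dictionary check, so a mangled dictionary word such as the one above is still rejected. The word list, the substitution table and the 12-character minimum are constructed assumptions.

```python
"""Server-side password policy check (illustrative, not the article's code)."""
import re

# Constructed stand-in word list; a deployment would load a large dictionary
# and a breached-password list instead.
DICTIONARY = {"apple", "password", "thisismypassword", "welcome", "letmein"}

# Substitutions users commonly apply ("0" for "O", "3" for "E", ...), reversed
# here so the check sees the word the user started from.  Assumed table.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumed policy minimum


def normalize(password: str) -> str:
    """Lowercase, undo substitutions, drop edge punctuation, collapse repeats."""
    candidate = password.lower().translate(LEET).strip(".!?-_")
    # Collapse doubled letters ("paasss" -> "pas") so padding does not hide a word.
    return re.sub(r"(.)\1+", r"\1", candidate)


# Dictionary words go through the same normalization as the candidate.
NORMALIZED_WORDS = {normalize(w) for w in DICTIONARY}


def policy_violations(password: str) -> list:
    """Return the rules the password fails; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both letters and digits")
    base = normalize(password)
    # Exact match, or a longer dictionary word embedded in the candidate.
    if base in NORMALIZED_WORDS or any(
            w in base for w in NORMALIZED_WORDS if len(w) >= 6):
        problems.append("based on a dictionary word after undoing substitutions")
    return problems


if __name__ == "__main__":
    for pw in ("1234", "th1ss1smYypa4sSsw0rdD", "Correct-Horse7-Battery-Staple"):
        print(pw, "->", policy_violations(pw) or "accepted")
```

The mangled example passes every character-class rule and fails only the dictionary check, which is the check a length-and-character policy alone would never run.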