Although online safety through the use of strong passwords sounds like a viable safety measure for most sites and logins, strong passwords are still susceptible to hackers, malware, and phishing attacks. As more and more data breaches are reported, such as the recent incident of VeriSign being hacked, online users are constantly urged to change their login credentials. Many users and some so called internet security experts still rely on strong passwords to protect the online privacy and security of their information. As secure as they seem now, passwords continue to fail to protect against unauthorized access every day as more users rely on it.
Strong passwords can consist of a combination of letters, numbers and symbols. The higher number of characters in a password, the stronger the password is considered to be. These passwords are secure forms of protecting data, however internet technology is changing rapidly and security needs to also change and be more secure. Security such as out-of-band authentication can be used to add an additional layer of security to protect users and information stored online.
There are five things to consider when utilizing a strong password instead of a more secure solution such as out-of-band authentication.
Strong Passwords Are Still Susceptible to Data Breaches and Password Hashes
Some websites and organizations will sometimes store a password hash which is an encrypted format of a user's password. This means that even though you are utilizing a strong password it may be stored in an unsecure database somewhere. This was the case for one of the larger data breaches involving an E-commerce company where customer's emails and password hashes were stolen.
Strong Passwords Can Be Stored Passwords
Although they seem secure, there is always the chance for human error. Storing strong passwords in your web browser not only allows unauthorized access from within your browser, but leaves your password susceptible to hacking. By utilizing a simple root kit, anyone including non experienced hackers can access your data stored within your browser. All it takes is some perseverance and some reverse engineering and anyone could crack your strong password even under encryption.
Key Logging Software and Other Malware can Capture Strong Passwords
You may not store passwords in your browser, but just the very action of using one allows key logging software to siphon that data. Beyond key loggers there is plenty of malware out there which would steal your information through the same manner, possibly through allowing a hacker remote access into your system. Strong passwords may be recorded in a malware program and sent through the internet to a hacker's data base for your password to be used at a later time.
Social Engineering of Security Questions
Almost every time you sign up for an account you are required to state security questions which could be used to authenticate your identity later. These very "security" questions could be the downfall to cracking your super secret strong password which consists of 22 characters mixed between letters, numbers and symbols. By using social engineering and a bit of creativity, a savvy crook could figure out your security questions and gain unauthorized access. More and more users are seeing their passwords stolen through the use of these "challenge questions" that aren't always hard to guess if a hacker has some of your personal information.
Strong Passwords are Hard to Remember and User's Often Store Them in Places Easy to Access
Possibly the biggest part of failure in strong passwords is that they are much harder to remember than passwords that consist of only words or numbers. Imagine your login credentials always consisted of the passphrase flower1 but recently you have upgraded your password to make it stronger and to something more secure such as 5trG12oO. How are you ever going to remember such an outrageous password? It could be such a strong password that it actually prevents you from accessing your own account. Because strong passwords use more characters and symbols, most people write down their new secure pass code and leave it near their computer or stored on their computer. This is the most unsecure form of securing your account. An unauthorized user can simply find your password on or next to your computer and login to your accounts.
Now that we've reviewed the 5 pitfalls of strong passwords, it is plain to see that a more secure method is needed. A very secure and cost effective approach to securing against data breach or unauthorized access is through out-of-band authentication. This secures access to user accounts by transmitting a one-time password to the user through a separate network than the one where access is requested. By utilizing an out-of-band network such as a separate network to send an SMS text message, key logging and other malware is prevented from accessing your one-time password. Also, costs are kept low because almost everyone already owns and uses a mobile phone daily which doesn't require deployment of additional devices for users to carry.
As more incidents occur of strong passwords failing to protect against data breach and identity theft, users and organizations will look for a more secure solution. Out-of-band authentication is a strong form of authentication and will be adopted by many organizations and users in the future when it comes to protecting against unauthorized access. Out of band authentication is easy to implement, easy to use, cost efficient, and its effective in combat fraud.
Adam is a network security professional who believes out-of-band authentication is the most secure form of two factor authentication utilizing a one-time password. He writes to inform businesses about upcoming changes to government regulatory compliance and remote access security.