Password creation policies are the enemy of secure passphrases say IT experts
The reasons for this, says Steve Watts, co-founder of tokenless two-factor authentication (2FA) specialist SecurEnvoy, are actually more complex than security developer Cameron Morris notes.
"This isn't to say that Cameron is wrong - far from it - it's just that the reasons why passwords are coming to the end of the line in today's online environment are multi-faceted, with company password policies being only one issue of concern," he said.
"One of the other major issues we have observed is that people have great difficulty remembering more complex passwords than the six- or eight-character alphabetic strings that most Internet users rely on. Because of this, they fall back on an eight-character passphrase that is usually a family member's name or place of birth, and which - unfortunately - is all too easy to hack using brute-force password attacks," he added.
The problem with corporate password policies, the SecurEnvoy co-founder went on to say, is that they often force users to create complex passwords with a mixture of letters and numbers, with at least one of the letters being upper case.
The net result of this, he says, is that users end up with a relatively complex passphrase that is difficult to remember, which often results in the employee storing the passphrase on their mobile phone as an aide-mémoire or - perhaps worse - writing it on a yellow sticky note which is then stuck to their desktop monitor.
This, he adds, is the real issue that Cameron has picked up on: making passwords too complex means that the average user takes an easy option to help them remember it when they want to log on.
Watts explained that it is this experience that has pushed many organisations to go down the hardware authentication token path, forcing employees to tote the hardware token with them - perhaps on their key ring or in their purse.
A far easier option, he notes, is to go down the tokenless 2FA route, using an employee's mobile phone as the medium for authentication. As well as being more convenient for staff than carrying a hardware token, tokenless 2FA can also be completely reconfigured by the IT helpdesk in real time, rather than having to wait for a replacement hardware token to be sent to the member of staff.
"We welcome news that Cameron Morris has identified a shortcoming of password policies that focus only on passphrase composition, rather than actual strength. The Passfault software - which he has developed - highlights how easy it is to crack a typical password. Tokenless 2FA is, in our opinion, a far better option in terms of security and flexibility," he added.
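To make the distinction Watts draws between a policy that checks composition and a tool that estimates actual strength concrete, here is an added illustration. It is not part of the original press release and is not Passfault's own algorithm: the tiny sample wordlist, the assumed wordlist size of 20,000 entries, the mangling model (capitalisation, leet substitutions, digit and symbol suffixes) and the sample passwords are all constructed for the demonstration. It shows that "Summer2013" and "P@ssw0rd1" satisfy the typical upper/lower/digit rule yet fall to a small dictionary attack, while a four-word lower-case passphrase fails the rule and costs far more to guess.

```python
"""Composition policy vs. estimated guessing cost (added illustration).

Not Passfault's algorithm. The wordlist, mangling model and wordlist size
below are assumptions chosen for the demonstration.
"""
import math
import re
from typing import Dict, Tuple

# Constructed sample of an attacker's wordlist. A real list has far more
# entries, so the estimate uses an assumed size rather than len(SAMPLE_WORDS).
SAMPLE_WORDS = {"password", "summer", "london", "michael",
                "welcome", "dragon", "monkey", "letmein"}
WORDLIST_SIZE = 20_000          # assumed size of the attacker's wordlist
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s"}     # substitutions the attacker simply undoes
SUFFIX_SYMBOLS = "!@#$%^&*"

# word (letters, digits, leet symbols) + optional digit suffix + optional symbol suffix
MANGLED = re.compile(r"^([A-Za-z0-9@$]+?)(\d{0,4})([!@#$%^&*]{0,2})$")


def meets_composition_policy(pw: str) -> bool:
    """The kind of rule described above: 8+ chars with upper, lower and a digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def _deleet(word: str) -> str:
    """Lower-case the word and reverse common leet substitutions."""
    return "".join(LEET.get(c, c) for c in word.lower())


def _charset_size(pw: str) -> int:
    """Alphabet an exhaustive search would have to cover for this password."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # printable ASCII symbols
    return size


def estimate_guesses(pw: str) -> Tuple[int, str]:
    """Return (guesses, strategy) for the cheapest modelled attack on pw."""
    words = pw.split()
    if len(words) >= 2 and all(w.isalpha() for w in words):
        # Multi-word passphrase: assume every word is in the list (worst case).
        return WORDLIST_SIZE ** len(words), "wordlist combination"
    m = MANGLED.match(pw)
    if m and _deleet(m.group(1)) in SAMPLE_WORDS:
        _word, digits, symbols = m.groups()
        # words x 3 capitalisation forms x leet on/off x digit suffix x symbol suffix
        guesses = (WORDLIST_SIZE * 3 * 2
                   * 10 ** len(digits)
                   * len(SUFFIX_SYMBOLS) ** len(symbols))
        return guesses, "dictionary word + mangling"
    return _charset_size(pw) ** len(pw), "brute force"


def assess(pw: str) -> Dict[str, object]:
    """Put the policy verdict next to the strength estimate for one password."""
    guesses, strategy = estimate_guesses(pw)
    return {"password": pw,
            "policy_ok": meets_composition_policy(pw),
            "guesses": guesses,
            "bits": round(math.log2(guesses), 1),
            "strategy": strategy}


if __name__ == "__main__":
    for pw in ["Summer2013", "P@ssw0rd1", "Xq7!mZ2p",
               "correct horse battery staple"]:
        r = assess(pw)
        print(f"{pw:30} policy={'pass' if r['policy_ok'] else 'FAIL'} "
              f"~2^{r['bits']} guesses ({r['strategy']})")
```

The point of the estimate is the ordering, not the absolute numbers: under these assumptions "P@ssw0rd1" passes the policy at roughly 2^20 guesses, while the lower-case passphrase fails it at roughly 2^57. A policy that only counts character classes cannot see this difference; an estimator that models how attackers actually guess can.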
For more on SecurEnvoy: http://www.securenvoy.com