Author: Lee Wetherington, LWetherington@profitstars.com
235. That’s how many passwords I have.
Correction. That’s how many different online accounts I have. I refuse to admit how many (or how few) passwords I have across my online accounts. And that brings us to today’s parting thought for 2014…
Humans can’t do passwords.
We just can’t. How many more breaches, SSL vulnerabilities, and nude celebrities do we need to see for this to sink in?
Humans can’t do passwords, at least not the right way. We’re supposed to make them strong by making them as long, unique, and unintelligible as cartoon cursing. But even when we do make our passwords strong, it doesn’t matter, because we can’t remember them afterward.
So we do what humans do. We use one (or just a few) passwords for scores of online accounts. Half of consumers admit to recycling the same passwords. The other half are liars: they recycle passwords too. Yes, I’m looking at you.
It gets worse. According to Javelin, the more online accounts we have, the fewer passwords we employ to protect them. People with up to 20 online accounts typically have one unique password for every two online accounts. People with more than 20 online accounts average one unique password for every three accounts.
So pervasive and worrisome is this phenomenon that the Fast Identity Online (FIDO) Alliance, an organization of 150 payments and technology businesses, recently gathered to publish specifications for a Universal Authentication Framework, with the ultimate aim of wiping out passwords altogether.
In the interim, however, our problem is two-fold: not only do we have weak passwords, we only have a few of them guarding our most private assets online. Not good.
For financial institutions, the human password problem is prickly. First, passwords stolen at other sites can often be reused to access financial sites. Second, fraudsters are now circumventing the strong password policies of some financial sites by targeting email accounts instead. From there, the fraudster resets financial-site passwords and uses social media sites to glean enough personally identifiable information to pass knowledge-based authentication challenges.
If you make your password policies too tough and unrealistic, you frustrate end users and practically encourage fewer unique passwords. If you don’t enforce strong-password policies, you leave systems and data more exposed. So, what to do?
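One concrete way to address both halves of that dilemma is to stop chasing composition rules and instead enforce a length floor plus a check against passwords already exposed in breaches elsewhere, which is exactly the reuse path described above. The following is an added example, not code from the original post or from Jack Henry/ProfitStars; the breach list, the length limits, and the sample usernames are constructed for illustration.

```python
"""Password-policy check that favors length and a breached-password denylist
over composition rules. Added example, not from the original post; the breach
corpus and user values below are constructed sample data."""
import hashlib
import unicodedata

# Constructed sample corpus: SHA-1 digests of passwords assumed to have been
# exposed in breaches at other sites. A real deployment would load a large
# corpus; a handful of entries keeps this example runnable offline. Storing
# digests rather than plaintext means the denylist itself leaks nothing useful.
_BREACHED_PLAINTEXT = ["password", "123456", "qwerty123", "Summer2014!!"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXT
}

MIN_LENGTH = 12   # assumption: length floor chosen for this example
MAX_LENGTH = 128  # cap so hashing cost stays bounded on attacker-supplied input


def normalize(candidate: str) -> str:
    """NFKC-normalize so visually identical strings compare equal.
    Case is preserved: the user has to type exactly this string later."""
    return unicodedata.normalize("NFKC", candidate)


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1 digest, matching the denylist's format."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def evaluate_password(candidate: str, username: str,
                      breached: set = BREACHED_SHA1) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    Deliberately no uppercase/digit/symbol requirements: those push users
    toward predictable patterns and toward reusing the few passwords that
    satisfy them. Length and breach membership are what actually matter.
    """
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if sha1_hex(pw) in breached:
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    # Constructed sample checks.
    for user, pw in [("alice", "password"),
                     ("bob", "Summer2014!!"),
                     ("alice", "correct horse battery staple")]:
        print(user, repr(pw), "->", evaluate_password(pw, user) or "OK")
```

The breach check is what blocks the "stolen at another site, replayed here" pattern; the length floor is what makes a passphrase the path of least resistance rather than a short string with a capital letter and a digit bolted on. Feedback lists every violation at once so the user is not sent through repeated rejection rounds, which is the frustration that drives people toward fewer unique passwords.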
For more information and suggestions on balancing security and usability vis-à-vis your password policies, see Javelin Strategy and Research’s excellent report, “In Search of a Better Password Policy.”
Happy New Year!