You don’t have to be a savvy hacker to figure them out – “123456” and “password” have again topped the list this year. The good news is the prevalence of these two passwords in particular has fallen quite a bit, from 8.5 percent of all passwords in 2011 to less than 1 percent now.
As a password to an individual’s Facebook or Tumblr account, these are probably adequate. The accounts they’re “protecting” are low-profile, unlikely targets, and hackers wouldn’t really gain much from breaking into them anyway. It’s a different story when a user sets up a work-related email or credit card account – much more likely targets of attackers – using these easy-to-crack passwords.
Instead of using brute force and repeatedly trying passwords, hackers barely have to break a sweat. They can simply type in “1-2-3-4-5-6” or “p-a-s-s-w-o-r-d” and they’ll be granted entry on their first try. A gold mine of information suddenly materializes right at their fingertips.
At first glance, network administrators appear to have a few different courses of action to prevent these types of weak passwords and shore up their network security. They could try employee education – teaching their workforce best practices for setting up their credentials. Or they could provide them with tools that both generate random, strong passwords and store them securely for easy recall.
The problem with each of these solutions is that they’re really just temporary bandages – they still don’t account completely for the human factor. An employee could still circumvent these processes, either deliberately, for convenience, or accidentally. Then the network administrator is back to square one – the network security vulnerability still exists.
A stronger solution for IT departments is two-factor authentication. By adding another step to the user verification process, beyond requiring just a password, the security of the account becomes much stronger. This is why nine in 10 global IT managers said they planned to use one-time passwords (OTP) in 2014 as part of a two-factor authentication strategy to help improve their network security.
So why isn’t every IT department rolling out this seemingly ironclad method of verification across the board? The answer is simple. As is often the case with any issue involving network security, the conflict lies in the balance between convenience, resources and security. Put simply, it’s not practical or expedient for every server or file folder to be accessible only through two-factor authentication.
At the same time, selectively protecting only certain files through two-factor authentication could leave an entire network vulnerable. As PC World’s Tony Bradley points out, “It’s like locking every door and window in your house except for one, and hoping a burglar isn’t thorough enough to find the one unlocked entrance.”
Bradley is right. And to elaborate on his point, one of the most glaring “unlocked entrances” a network can have is in its remote access infrastructure. Fortunately, some VPNs come equipped with secure enterprise management capabilities that include support for two-factor authentication and a randomly generated, one-time password sent to a user via SMS.
When faced with this additional hurdle, any hacker hoping to exploit a remote access vulnerability would be even less likely to successfully break into an account, even if a user made the mistake of setting a password to a laughably common one like “123456” or “password.”
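As an added example (not code from the original post or from any VPN product), here is how the server side of the SMS-delivered OTP step described above might be handled in Python: a random code with a short lifetime, a guess limit and single-use semantics, compared in constant time. The `OtpStore` class, its limits and the user names are assumptions for illustration.

```python
import hmac
import secrets
import time

# Constructed example (not the vendor's code): server-side handling of a
# random numeric OTP that is delivered out of band (e.g. by SMS) as the
# second factor after the password check has already succeeded.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 120     # the code is useless once this window has passed
MAX_ATTEMPTS = 3          # a 6-digit code has only 10^6 values; cap guesses


class OtpStore:
    """Tracks one pending OTP per user: code, expiry time and failed attempts."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can control time
        self._pending = {}       # user -> [code, expires_at, attempts]

    def issue(self, user):
        # secrets.randbelow draws from the OS CSPRNG; random.randint would not do.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = [code, self._clock() + OTP_TTL_SECONDS, 0]
        return code   # hand this to the SMS gateway; never write it to logs

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                  # nothing issued, or already consumed
        code, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]       # expired or too many guesses: force re-issue
            return False
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[user]       # single use: a replayed code must fail
            return True
        entry[2] += 1                     # count the failed guess
        return False
```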
Want to learn more about securing M2M communications? Register for our webinar “Managing Secure Communications in M2M Environments,” 2 p.m. EST, Tuesday, February 24, or download our new whitepaper:
In Managing Secure Communications in M2M Environments, we cover:
– How to choose a connection method that’s right for your application.
– How to configure end devices so they can perform authentication steps.
– How to manage VPN configurations and updates without human interaction.