Passwords - My Other Soapbox

By Rayleen Pirnie posted 11-20-2014 17:06

  

So in the last blog we evaluated "challenge questions" and I got a little soap-boxy (inner monologue, I can admit it!) - well, I am at it again, friendly fraud fighters, this time with passwords.

12345678; LetMeIn; Password; Qwerty1 (or any variation of) – all examples of NOT good passwords, but study after study shows that these are some of the most commonly used. Let’s take a look at why passwords simply aren’t secure.

Most consumers don’t ever want to change their password; security experts recommend changing at least every 45 days, but evidence shows that passwords that don’t meet certain standards can be hacked in seconds or minutes (even very secure ones can be hacked in weeks). And if you never change it, well....

Length-wise, a secure password should be a minimum of 14 characters. Try doing that on your smart phone (cringe); while 14 is the security recommendation, many sites only allow 8. 

Complexity requirements are even worse; most sites don’t require complex passwords and some don’t even allow special characters even if the user wants to make a secure password. 

Users continue to use things like dates of birth, pets, kids, etc. as a password when this information is easily found on social media and genealogy websites. (True story: A hacker was recently busted and sent to prison because the FBI found his stash of stolen info - the password he used to protect this gold mine? His dog's name!)
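The weaknesses listed so far (common passwords and their variations, short length, personal details such as pet names or dates of birth) can all be screened for at the moment a password is chosen. The Python below is an added example, not part of the original post; the blocklist, substitution table, function names and sample profile are assumptions constructed for illustration.

```python
import re

# Constructed blocklist: the weak passwords the post names (a real deployment
# would load a much larger list).
COMMON = {"12345678", "letmein", "password", "qwerty"}
# Assumed substitution table for catching "any variation of" a listed password.
LEET = str.maketrans("013457@$!", "oleastasi")
MIN_LENGTH = 14  # minimum length recommended in the post


def variants(password):
    """Forms of the password to compare against the blocklist."""
    folded = password.lower()
    # Strip trailing digits/symbols first, so "Qwerty1" reduces to "qwerty".
    stripped = re.sub(r"[\d\W_]+$", "", folded)
    return {folded, stripped, stripped.translate(LEET)}


def personal_tokens(names, birth_date):
    """Lower-case names plus common renderings of an ISO date (YYYY-MM-DD)."""
    tokens = {n.lower() for n in names if len(n) >= 3}
    if birth_date:
        y, m, d = birth_date.split("-")
        tokens |= {y, m + d, m + d + y, m + d + y[2:], d + m + y, y + m + d}
    return tokens


def screen(password, names=(), birth_date=None):
    """Return the reasons to reject a password; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if variants(password) & COMMON:
        problems.append("common")
    folded = password.lower()
    haystacks = (folded, folded.translate(LEET))
    if any(t in h for t in personal_tokens(names, birth_date) for h in haystacks):
        problems.append("personal_info")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "Bailey" and the date are made-up profile facts.
    for pw in ("Qwerty1", "P@ssw0rd!", "Bailey03121985!!", "correct horse battery staple"):
        print(pw, "->", screen(pw, names=["Bailey"], birth_date="1985-03-12"))
```

Note that the third sample is 16 characters long with mixed case, digits and symbols, yet it is still rejected because it is built entirely from profile facts.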

Ever try to enter a complex, long password onto a phone app? Need I say more? 

The list of password woes goes on and on. Good password security is hard on everyone, yet weak passwords present the possibility of everything from identity theft to fraud.

Consumers want security, but according to a new research report by Javelin Research, more than 60 percent of smartphone users admitted to reusing the same password on multiple sites. Frankly, in my experience, this finding isn’t limited to just smartphone users. So what we’re telling people is: Make the password secure, make it long, make it impossible to guess, change it often, and balance that among the average of 10 accounts per user…Yikes! (Migraine coming on)

And if you’re thinking “but, we use one-time passwords!” Sorry to be the bearer of bad news; the same Javelin research report (and others) found that 40 percent of those who use one-time passwords (OTPs) receive them via text messages to their mobile devices, which are unencrypted and can be intercepted. And then there are forms of malware targeting mobile devices looking for OTPs. So, these may be viewed as more secure, but evidence indicates they may not be as secure as we think.

Passwords, simply put, are weak forms of security. So what other options are there? So glad you asked, because there are a few in the form of biometrics. What may seem to some to be a futuristic proposition of using our retinas to access accounts is a reality today. Although many consumers (myself included) may not be too apt to direct their smartphone camera at their eyeball to connect to an account, multiple options do exist that consumers accept and that make authentication so much more secure.

Among biometric options, the Javelin survey found that fingerprint recognition was the most widely preferred by consumers, followed by eye recognition, facial recognition, voice recognition, and palm recognition. Think about it - these are all things I have with me. I don’t have to create them, change them, make them complex, write them down (you know who you are!), etc. They are unique to me and I always have them with me. How handy is that? (except the eyeball scanning thing - not loving that yet...then again, no more creating / remembering complex passwords? Well, hello eyeball!)

In the next blog we will analyze various biometric options that any entity may wish to consider as they look at enhancing authentication methods and getting away from using passwords, and what you, the discerning security-conscious consumer, should expect.
