Hey CIOs, have you checked your password policies lately?
Odds are that you allow user-generated passwords that are eight characters in length or more. If that's the case, you'd better hurry up and modify your policy so it requires a password that's harder to crack. Or, better yet, perhaps it's time to eliminate user-generated passwords altogether.
Deloitte's IT consulting arm predicts that eight-character passwords should no longer be considered secure, because of increases in processor speed and advances in password-cracking algorithms. Eight-character passwords that took months to crack with the technology of a few years ago can now be broken in a fraction of that time. And according to Deloitte's research, this affects over 90 percent of user-generated passwords in use today. So it's likely that you are working at a company where an eight-character password is still considered secure.
And if you think that password "brute force" prevention mechanisms will stop hackers from breaking your password, think again. In actuality, there are very few online brute-force attempts going on across the Internet, because administrators limit the number of failed username or password attempts before a lockout period. Instead, hackers are finding their way into the authentication servers themselves -- looking for the file that contains all of the users' hashed passwords. It's this file that the bad guys want to get. Then, once they have it, they can use specialized cracking hardware and software locally to crack your password hashes in no time.
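The attack described above, an offline attack on a stolen file of password hashes, is only as slow as the hash the file was built with. The following is an added example, not code from the article or from Deloitte, showing the storage format a defender should be using: a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), beside the fast, unsalted hash that makes a stolen file easy to crack. The iteration count, salt size and record format are assumptions for the example, not values from the article.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: 600,000 PBKDF2 iterations and a
# 16-byte random salt per record. Neither value comes from the article.
ITERATIONS = 600_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """How NOT to store passwords: one cheap SHA-256 per guess, no salt.
    Every user with the same password gets the same digest, so one cracked
    hash (or a precomputed table) unlocks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a salted, iterated PBKDF2-HMAC-SHA256 digest.
    Record layout (assumed for this example): algo$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so a leaked timing difference does not help."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guess_cost_multiplier(stored: str) -> int:
    """Roughly how many SHA-256-class operations an attacker pays per guess
    against this record compared with one plain SHA-256 guess: the
    iteration count encoded in the record."""
    return int(stored.split("$")[1])


if __name__ == "__main__":
    # Constructed sample credentials for the demo (not real accounts).
    users = {"alice": "Summer2013!", "bob": "Summer2013!"}

    print("Fast, unsalted hashes (identical for identical passwords):")
    for name, pw in users.items():
        print(f"  {name}: {fast_unsalted_hash(pw)}")

    print("\nSalted PBKDF2 records (different even for identical passwords):")
    records = {name: hash_password(pw) for name, pw in users.items()}
    for name, rec in records.items():
        print(f"  {name}: {rec[:60]}...")

    print("\nverify alice/correct:", verify_password("Summer2013!", records["alice"]))
    print("verify alice/wrong:  ", verify_password("Summer2013?", records["alice"]))
    print("work per guess vs plain SHA-256:", guess_cost_multiplier(records["alice"]))
```

The salt stops one precomputed table from covering the whole stolen file, and the iteration count multiplies the attacker's per-guess cost by the same factor it multiplies the server's cost for a single legitimate login, which is a trade the defender can afford and the cracker cannot.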
The consequences of insecure passwords are widely known, so I don't feel that I need to repeat them here. Suffice it to say, if your policies aren't modified and enforced as soon as possible, your entire network infrastructure is at risk. At minimum, I would recommend a policy change that requires passwords to be at least 10 characters long, including the obligatory upper/lower case, number, and special character requirements to make them more complex.
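To make the recommendation above concrete, here is an added example (not code from the article or from Deloitte) that checks a candidate password against the 10-character, four-class policy and quantifies what the two extra characters buy: the keyspace grows by a factor of the alphabet size for each added character, and the time to exhaust it scales with that. The alphabet (94 printable ASCII characters from Python's `string` module) and the guess rate used in the demo are assumptions for the example, not figures from the article.

```python
import string

# Character classes the article's policy requires. Alphabet size (94) is the
# printable ASCII set from Python's string module, an assumption for the demo.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
PRINTABLE_ALPHABET = sum(len(members) for members in CLASSES.values())


def policy_violations(password: str, min_length: int = 10) -> list:
    """Return every way the password misses the policy (empty list = passes)."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    present = set(password)
    for name, members in CLASSES.items():
        if not present & members:
            violations.append(f"no {name} character")
    return violations


def keyspace(length: int, alphabet_size: int = PRINTABLE_ALPHABET) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def keyspace_growth(from_length: int, to_length: int,
                    alphabet_size: int = PRINTABLE_ALPHABET) -> int:
    """How many times larger the keyspace becomes when length is raised."""
    return alphabet_size ** (to_length - from_length)


def exhaustive_search_seconds(length: int, guesses_per_second: float,
                              alphabet_size: int = PRINTABLE_ALPHABET) -> float:
    """Worst-case seconds to try every password of this length at a given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passwords for the demo.
    for pw in ["password", "Passw0rd!", "Tr0ub4dor&3"]:
        problems = policy_violations(pw)
        print(f"{pw!r:16} -> {'OK' if not problems else '; '.join(problems)}")

    # Assumed offline guess rate for illustration only (not from the article).
    rate = 1e10
    for n in (8, 10):
        secs = exhaustive_search_seconds(n, rate)
        print(f"{n} chars: keyspace {keyspace(n):.3e}, "
              f"exhaust at {rate:.0e}/s in {secs / 86400:.1f} days")
    print("growth from 8 to 10 characters: x", keyspace_growth(8, 10))
```

The policy check is deliberately a list of violations rather than a boolean so the feedback can be shown to the user who chose the password; the keyspace functions show why the two added characters matter against the offline attack the article describes, since the attacker's cost rises by the square of the alphabet size while the user's burden rises by two keystrokes.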
But there are well-documented problems with pushing user-generated passwords beyond eight characters. Current complex passwords are difficult enough for users to remember -- and adding two more characters makes it all the more problematic. You'll find that users begin to form bad habits when trying to generate and remember their passwords. Writing them down on a sticky note or choosing non-random, easy-to-guess passwords are two bad habits that immediately come to mind.
This is exactly why security engineers have been trying for years to get rid of the user-generated password. The password has served a purpose in the evolution of IT security, but its usefulness has come to an end. 2013 should be known as the year in IT security history when we see major adoption of multi-factor authentication methods that combine several ways of authenticating users, including tokens and biometrics.
Up until now, companies have been reluctant to implement multi-factor authentication, citing hardware/software and end-user training costs. But it's high time we consider the user-generated password insecure across the board. So stop putting off the inevitable and start implementing multi-factor authentication to rid yourself of the user-generated passwords that put your data at risk.