Password Security Requires Multiple Layers of Protection
NEWS ANALYSIS: What makes a password weak isn't just about its length or complexity. Protection such as encryption and two-factor authentication must be in place.All week, friends and family have asked me if I had heard about the story on the most commonly used password. It's a story that had tremendous media coverage (including in eWEEK). The gist of the story is that "123456" is now the most commonly used weak password—surpassing the use of the word "password." Although that story is good for a laugh or two, the password "123456" isn't the problem at all, in my view. In fact, I can use that password as securely or as insecurely as any other one. I know what you're thinking, and, no, I'm not crazy. Allow me to explain. Today's hackers aren't typically manually going to a Website or a service and typing in passwords like "123456" in order to gain access; that's just not how attacks work. The modern hacker (and pen tester on the security research side) uses automated tools that typically include dictionary-type password-cracking tools. These are tools that will hit a given Website log-in form with every word combination in a dictionary (for example, every word in the English language). So whether you choose "123456" or the word "dog," it's just as easy to crack.
Going a step further, even if you have the most complex password in the world and you transmit it in the clear (that is, not protected with Secure Sockets Layer, or SSL, encryption), an attacker can easily sniff that password off the network. If your password is stored in the clear on your device or app, you have no chance because an attacker who gets access to the site, database or app can simply "read" the password.
As IT professionals, it is our responsibility to protect users and make sure that the password "123456" is not the weak link in our security. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.