Password Security Requires Multiple Layers of Protection

NEWS ANALYSIS: What makes a password weak isn't just about its length or complexity. Protection such as encryption and two-factor authentication must be in place.

Password Security

All week, friends and family have asked me if I had heard about the story on the most commonly used password. It's a story that had tremendous media coverage (including in eWEEK).

The gist of the story is that "123456" is now the most commonly used weak password—surpassing the use of the word "password."

Although that story is good for a laugh or two, the password "123456" isn't the problem at all, in my view. In fact, I can use that password as securely or as insecurely as any other one. I know what you're thinking, and, no, I'm not crazy. Allow me to explain.

Today's hackers aren't typically manually going to a Website or a service and typing in passwords like "123456" in order to gain access; that's just not how attacks work. The modern hacker (and pen tester on the security research side) uses automated tools that typically include dictionary-type password-cracking tools. These are tools that will hit a given Website log-in form with every word combination in a dictionary (for example, every word in the English language). So whether you choose "123456" or the word "dog," it's just as easy to crack.

Going a step further, even if you have the most complex password in the world and you transmit it in the clear (that is, not protected with Secure Sockets Layer, or SSL, encryption), an attacker can easily sniff that password off the network. If your password is stored in the clear on your device or app, you have no chance because an attacker who gets access to the site, database or app can simply "read" the password.

Just having a single password to access a site, whether it's "123456" or the most complex password imaginable, isn't enough because it is still, in all cases, a single point of failure and weakness.

Two-factor authentication, which requires users to have a second password—typically automatically generated and sent via Short Message Service (SMS), which is in use on many popular Websites and services today, including Gmail and Twitter, is a must-have.

Though I don't recommend it, you could possibly have the password "123456" in use on a site that requires two-factor authentication and avoid being exploited. Simply put, the attacker could still input your "123456" password, but without the second factor, they still don't get access.

The other interesting thing about weak passwords is responsibility. I'm definitely not advocating that anyone use a weak, easily guessed password, but I've always believed that it is the responsibility of server and network administrators to protect users from themselves. As such, Websites and services should implement strong password policies. That means policies that simply do not allow a user to choose "123456" as their password in the first place.

My larger point is that the password should not be the lynchpin on which your life relies. There should be other layers, including encryption and two-factor authentication that must be in place.
As IT professionals, it is our responsibility to protect users and make sure that the password "123456" is not the weak link in our security.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.