ELIoT Pro: Does the complexity equals security? No!|#10
Why cyber security has to be easy to use? Complex and long passwords do not appeal to people since they are difficult to remember. Such systems burdened with challenging security mechanisms are less likely to be used by users.
Bad password habits
Users are accumulating more and more passwords, and many of the recent breaches are the direct result of their compromise. The 2019 Global Password Security Report revealed compromised passwords are responsible for around 80% of hacking-related breaches. That conclusion confirms the Verizon 2019 Data Breach Investigations Report and Google in its New Research: Lessons from Password Checkup in action: 316,000 of users were utilizing already compromised passwords. Among the worst password habits are:
1. Writing down passwords
2. Re-using the same one for all systems
3. Using easy-to-remember words or phrases
4. Creating shorter access keys
5. Seldom passwords’ change
These are a direct consequence of the overload of passwords we are all being asked to use on a regular basis. With way too many passwords to different services to remember, people often choose weaker passwords that are less secure, or use the same passwords for multiple accounts.
Also, there are several factors which influence passwords’ predictability:
1. Similarity to Default Password
2. Similarity to Username
3. Passwords containing Dictionary Words
4. Passwords containing Keyboard Patterns
More on that you can read in considerations on password length and complexity on Infosec Resources.
Long or complex passwords?
Long or complex passwords?
It may seem that a combination of approaches might work better: lengthy and fairly complex passwords.
- Lengthy – Short length passwords are relatively easy to break, so the idea is to create lengthier ones for added security and to make them less predictable. Richard Boyd, a senior researcher at GTRI says, “Eight-character passwords are insufficient now… and if you restrict your characters to only alphabetic letters, it can be cracked in minutes.”
- Strong and complex – Strong passwords are still key. Security experts agree that upper and lowercase alphanumerical characters are good practices for increasing passwords strength and making it capable of resisting guessing and brute-force attacks. In order to add complexity without compromising ease-of-use, users could modify passphrases by inserting spaces, punctuation and misspellings.
However, we need to remember that each system is as strong as its weakest link. And Mr. Michael Chertof, United States Secretary of Homeland Security from 2005 to 2009, talking to CNBC has called passwords “the weakest link in cybersecurity”:
“A closer examination of major breaches reveals a common theme: In every “major headline” breach, the attack vector has been the common password. The reason is simple: The password is by far the weakest link in cybersecurity today.”
Mr. Michael Chertof, United States Secretary of Homeland Security from 2005 to 2009, talking to CNBC
The National Institute of Standards and Technology in US Department of Commerce – NIST (www.nist.gov) now recommends banishing forced periodic password changes and getting rid of complexity requirements. The reasoning behind these changes is that users tend to recycle difficult-to-remember passwords on multiple domains and resources.
But the NIST recommends removing all password complexity rules, they just create a false sense of security.
“… Clearly, your users aren’t going to take the extra step to protect their digital identities if it makes remembering passwords harder.”
Long or not, complex or simple – when stolen it does not matter how complicated passwords are. Passwords can be divided into two categories: those that have been stolen and those that will be stolen.
New approach to cyber security by Cyberus Labs
New approach to cyber security by Cyberus Labs
This premise is a common misunderstanding about cyber security. Hard-to-use, complex multifactor authentication mechanisms discourage people from using them. On the contrary, Cyberus Labs’ solution takes away all those complexities making it easy-to-handle tool for everybody. We decided to provide a solution that is both: easy to use and highly secure at the same time.
All in all, one doesn’t need high-level of complexity to feel secure in the cyber space.
ELIoT Pro’s Human-to-Machine component provides with a truly secure user authentication experience and verifies both sides of an online transaction, eliminating malicious or spoofed website attacks. Our out-of-band transaction confirmation mechanism eliminates “man-in-the-middle” and “man-in-the-app” types of cyber-attacks.
Check out our newest video to find out about our new approach to cyber security.