Choosing safer passwords can be a complex task

Online users should use a two-factor authentication which substantially improves security, says Gemalto's Neil Cosser.
Online users should use a two-factor authentication which substantially improves security, says Gemalto's Neil Cosser.

The golden rule for online passwords is that they must be easy to remember but impossible to guess. Passwords have to be changed regularly. If a password is complex enough it can be changed every three to six months.

This is the word from Antonio Forzieri, EMEA cyber security practice lead at Symantec, who says passwords can present a "painful" user experience because of the endless battle between the administrator and the user.

"When selecting passwords, the organisation's administrator has to ensure the user chooses a combination of words, numbers, and alt codes.

"Once these are selected, the administrator still has to further ensure that it's not the same password as a previous one, prior to giving approval. In the end the administrator frustrates the user to a point where they have to choose a complex password, which leads to them having to write it down, to ensure they remember it and this is where the risks lies," asserts Forzieri.

Although security experts are often advising online users to change their passwords regularly to safeguard against hacking, British intelligence and security agency Government Communications Headquarters (GCHQ) has advised those using online passwords to do exactly the opposite and keep away from changing their passwords often, as new passwords are likely to be forgotten or written down.

"The more often users are forced to change their passwords, the greater the overall vulnerability to attack. If a person is constantly changing their password, the chances are that it will be written down because of the difficulty in remembering it," GCHQ states on their Web site.

The company says the problem is that administrators don't take into account the inconvenience to users - the 'usability costs' - of forcing users to frequently change their passwords.

The Communications-Electronics Security Group (CESG), which is part of GCHQ, now recommends organisations do not force regular password expiry as they believe this

reduces the vulnerabilities associated with regularly changing passwords, while doing little to decrease the risk of long-term password exploitation.

"Attackers can often work out the new password, if they have the old one, and users, forced to change to another password, will often choose a 'weaker' one that they won't forget" explains the company.

Sheldon Lyne, general manager: operations at Entelect says he agrees with GCHQ to a degree because administrators tend to confuse a user to the point that they start writing down their passwords on pieces of paper or sticky notes that are pasted above their monitors, defeating the purpose of secure passwords.

"This still opens the user up to the threat of someone learning their password and then gaining access to all of their accounts.

"Even if users are choosing passwords that are similar, it would still require a would-be hacker to take that additional step to attempt to discover the new password," he asserts.

Neil Cosser, Identity and Data Protection manager for Africa at Gemalto,says GCHQ's advice does not decrease the importance of changing our passwords regularly but rather highlights that when trying to maintain an ever-changing list of passwords, users can adopt habits which increase the risk of their passwords falling into the wrong hands.

"It's important to focus on the benefits of using dynamic passwords and the solutions which allow them to be used effectively by avoiding the bad habits often adopted by users.

"The negative aspect of changing passwords all the time is it makes it difficult to remember them - more so when different services and sites are involved. There is a strong temptation to fall into the habit of using a pattern that becomes easier to remember - like using numbers or dates - however, this also makes it easier to hack as well," points out Cosser.

Although Forzieri disagrees with the GCHQ research, he acknowledges that changing a password as regularly as monthly or every few weeks for instance, can expose the user to some risk because they will start choosing simple passwords.

"When we set passwords we should imagine in our minds that every hacker is able to get hold of a copy of a database of passwords and use algorithms to guess our password. If you take too long to change your password, sooner or later the hacker may eventually get it, however, changing it to another complex password may prevent this," he observes.

Over and above using passwords, Cosser suggests adding a second-factor authentication to substantially improve security.

"The two-factor authentication process is based on One Time Password (OTP) and provides a strong level of security, however, the level of security will depend on the channel used to deliver the OTPs", advices Cosser.

See also