Tuesday, December 14, 2021

Forgot Password?


- Santulan Chaubey

Abstract

Managing passwords is a major challenge for digital users. An average user deals with 10-15 applications (banking, office, social media and so on) every day. If password-management policies were followed strictly, a user would have to create and remember around 300 unique passwords a year. That is simply impossible for a normal human being.
Security and privacy are the primary factors governing the design and architecture of digital systems. Digital solutions are designed with the utmost care and diligence to ensure the desired performance, user experience, safety, security and integrity of user data. Leaked user passwords are one of the major security threats.

Generally, users prefer effortless access to digital apps and therefore choose easy-to-remember passwords, which give a hacker equally easy access to the account. Using one password for all applications, or many easy passwords, is the favourite approach of many users. It is generally believed that user experience suffers when a complicated password has to be remembered, and in a panic situation users sometimes fail to recall the right combination. Users of digital applications must be aware of the risks of easy-to-guess passwords.

 

The best practice in managing passwords is to remember them; no trace of a password should be left in any form. A strong password should be 12-16 characters long and contain at least one upper-case letter, one special character (,:!@#$%^&*) and one digit. In addition, a user should preclude easy guessing by the hacker: avoid one's own name, the spouse's name or surname, date of birth, pet's name, vehicle number, etc. The strength of a password is measured by the time taken to break it. The following figure shows indicative times taken to crack passwords. Such figures assume an attacker guessing blindly through the whole character set at some assumed rate; a password that is a dictionary word, or that already appears in a breach list, falls far sooner than its length suggests, because it is tried first.


Figure 1 - Data Source from HowSecureismyPassword.net
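To make the time-to-crack idea behind the figure concrete, here is an added worked example (written for this page; it is not from the article or from the figure's data source) that computes the search space of a password from the character classes it uses and turns that into an expected cracking time at an assumed guessing rate. The figure of 1e10 guesses per second and the six-entry common-password list are assumptions made for illustration: a real estimate depends on which hash the site stores and on a full breach wordlist.

```python
import math
import string

# Character classes and the alphabet each one adds to the search space. The
# symbol class uses all 32 ASCII punctuation characters, which is what a
# brute-force attacker actually searches, not only the ten the article lists.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed stand-in for a breach wordlist (assumption for illustration);
# a real check would consult a list of millions of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

# Assumed guessing rate: a fast unsalted hash on a GPU rig is in this range;
# a slow salted hash such as bcrypt or Argon2 is orders of magnitude slower.
DEFAULT_GUESSES_PER_SECOND = 1e10


def alphabet_size(password: str) -> int:
    """Sum of the alphabet sizes of the character classes actually present."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Bits of entropy if every character were drawn uniformly from the
    alphabet. This is an upper bound; human-chosen passwords have less."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def crack_time_seconds(password: str,
                       guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Expected seconds to find the password by exhaustive search: on average
    half the keyspace is tried before the right guess. A password on the
    common list is found at once by a dictionary attack, whatever its length."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    size = alphabet_size(password)
    if size == 0:
        return 0.0
    return (size ** len(password)) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds the way the figure does: 'instantly', '3.2 days', ..."""
    if seconds < 1:
        return "instantly"
    for name, unit in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= unit:
            return f"{seconds / unit:.1f} {name}"
    return "instantly"


def estimate(password: str) -> dict:
    """Summary a user can read: length, alphabet, entropy and crack time."""
    return {"length": len(password),
            "alphabet": alphabet_size(password),
            "bits": round(entropy_bits(password), 1),
            "crack_time": human_duration(crack_time_seconds(password))}


if __name__ == "__main__":
    for pw in ["password", "abcdefgh", "Abcdefg1", "Tr0ub4dor&3", "xK9#mQ2!pL7,vR4z"]:
        print(f"{pw:20s} {estimate(pw)}")
```

The two lessons the numbers teach are that length multiplies the search space far faster than adding a character class does, and that a password already known to attackers has a crack time of zero no matter what the composition rules say.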

Despite knowing the risks of losing data, money and reputation, most users manage passwords very casually. Various studies of user behaviour around password security suggest that users understand the risk, but in most cases ease of use outweighs the risk factors. The following table shows the popular methods of managing passwords.

Storage of Password:
  • On a paper (Home)
  • On a paper (Wallet)
  • Password Manager (Local Computer)
  • Password Manager (Cloud)
  • File kept on Cloud Storage

Using Passwords:
  • One password used for all accounts
  • Little variation in the same password
  • Password is not changed until forced to change

Sharing Passwords:
  • Official applications: subordinates, written on the white board, office colleagues, close friends
  • Personal financial: spouse, close relatives
  • Social media: not shared with anyone 😉

It is concluded that user behaviour is difficult to change across a large population of users. Fortunately, Multi-Factor Authentication (MFA) is now implemented in most digital applications. MFA does not necessarily remove the need for a password, but it adds another layer of authentication that covers for a possibly weak password. The second factors are not all equal: a one-time code sent by SMS can be intercepted through SIM swapping, an authenticator-app code can still be phished in real time, whereas a hardware security key (FIDO2/WebAuthn) is bound to the site's origin and resists both.

Popular e-mail service providers such as Google and Microsoft do not necessarily enable MFA by default, but a user can upgrade the account to MFA in its security settings. Digital applications that do not offer MFA are best avoided.

Single Sign-On (SSO) is another technique used by many application solution providers to give access to multiple applications through a single authentication process. Combined with MFA, SSO is a proven solution that reduces the burden on the user of remembering many complex passwords. The trade-off is that the SSO account becomes the one key to everything behind it, so it is the account where a strong password and MFA are least optional.

Gartner's Market Guide for User Authentication predicts that around 60% of large and global enterprises will deploy MFA supported by access-management tools by 2023. A great deal of research is underway on authenticating users by analysing their biometric, physiological and behavioural attributes with machine-learning techniques, for a frictionless access system. Gartner further predicts that around 40% of large companies may offer such systems by 2023. Digital users may therefore be sanguine that in the near future the burden of remembering passwords will be reduced to a great extent.

Using cyber space needs a high level of awareness and discipline from the user. The rule of thumb is: nothing is safe when you are online or dependent on the cloud or external infrastructure. Prevention is better than cure. The following best practices will save users from a possible password compromise.

  • Avoid digital applications that do not support MFA and SSO.
  • Authenticate yourself only when you are sure that the web address starts with https://. Note that https only proves the connection is encrypted to whoever holds the certificate; phishing sites use https too, so check the domain name itself as well.
  • After consulting a local expert, a password manager may be a good choice, though the author does not recommend it for financial / banking operations.
  • Add a comma "," to some of your password combinations. It is rarely used and widens the character set an attacker has to search. It gains nothing, however, against an attacker who already tries every printable character, so length remains the stronger lever.
  • Don't accept the browser's offer to store the password.
  • Use a password generator to generate a good, strong password. Any generator, bought or home-grown, must draw on a cryptographically secure random source rather than a predictable scheme. If you have access to a development team, get an in-house password generator developed with a key only you know; it will further reduce the chance of a password being compromised, bearing in mind that such a key then becomes the single secret protecting every password derived from it. Should you want to experiment with an in-house password generator, the author may be contacted.
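For the last point, here is an added example of a password generator (written for this page; it is not the author's in-house tool, whose design the article does not describe). It draws from the operating system's cryptographically secure random source through Python's `secrets` module and enforces the policy stated earlier in the article: 12-16 characters with at least one upper-case letter, one digit and one special character from the set ,:!@#$%^&*. Candidates that miss a class are rejected and redrawn, which keeps every accepted password equally likely; the common shortcut of picking one character per class and then shuffling skews the distribution and is avoided here.

```python
import secrets
import string

# Policy from the article: 12-16 characters, at least one upper-case letter,
# one digit and one special character from this set.
SPECIALS = ",:!@#$%^&*"
REQUIRED_CLASSES = (string.ascii_uppercase, string.digits, SPECIALS)
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SPECIALS
MIN_LENGTH, MAX_LENGTH = 12, 16


def meets_policy(password: str) -> bool:
    """True if the password satisfies the article's length and class rules."""
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        return False
    return all(any(c in cls for c in password) for cls in REQUIRED_CLASSES)


def generate_password(length: int = MAX_LENGTH) -> str:
    """Rejection sampling: draw every character uniformly from ALPHABET with
    secrets.choice (OS CSPRNG, never random.choice) and redraw until the
    candidate meets the policy. At length 16 roughly one candidate in five
    is rejected, so the loop finishes almost immediately."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def generate_batch(count: int, length: int = MAX_LENGTH) -> list:
    """A handful of candidates so the user can pick one they find typeable."""
    return [generate_password(length) for _ in range(count)]


if __name__ == "__main__":
    for pw in generate_batch(5):
        print(pw)
```

Since the output is uniform over all policy-compliant strings, its entropy is close to the full 16 * log2(72), about 98 bits; a user who instead "varies" one remembered password keeps almost none of that.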