Why a Simple Password Reset is Not Enough

Recently, a number of Amazon account holders received e-mails proposing a password reset out of “an abundance of caution.” This was a result of routine monitoring, in which Amazon discovered a list of e-mail addresses and passwords that had been posted online. Whilst the list was not Amazon-related, experience has shown that users regularly re-use their passwords across multiple websites. As such, Amazon sent out e-mails to all users whose addresses and passwords were on the list, with instructions urging a complete password reset.

Password

Whilst Amazon itself wasn’t breached, it is certainly noteworthy that its usual surveillance processes unearthed this list of usernames and passwords, which had likely been collected by hackers through previous breaches of other websites. Amazon’s response to the find is notable based on the fair assumption that many people use the same password across many different sites, and that the usernames (or maybe just e-mail addresses) were common to current Amazon users.

Amazon recommended using a virgin password that hadn’t already been used elsewhere. However, this doesn’t protect one from the fact that passwords get stolen, not just cracked by brute force, so it’s particularly important to use multi-factor authentication (which Amazon and many other sites now provide, and is offered by Centrify for corporate users), so that in the event the password IS stolen, it’s protected further by a second ‘factor,’ so the bad guys still can’t get in.

passwords on sticky notes smallRelying solely on password-based protection is a huge risk, and as I have said many times before, passwords are no longer fit for purpose. If we haven’t forgotten them because we are forced to create an elaborate password made up of a complex string of random characters, then the likelihood is that we have written them down somewhere or even shared them with a family member or work colleague. A recent Centrify survey found that a quarter of people (26%) have more than 30 passwords, but that most can only remember between two and five, and over half (52%) of respondents admit to sharing passwords with their spouse.

The problem is that whilst you are sharing passwords with your partner, the risk of them falling into the wrong hands is increased, and the chances are that someone else is either sharing your passwords or using them elsewhere online. Ask any IT help desk how much time they spend having to reset passwords and they are likely to tell you it happens far more often than anyone realises. The time IT staff spend handling user accounts across different identity stores is time taken away from focusing on more pressing security projects.

touch id 2Single sign-on (SSO) allows a user to enter a single username and password to logon to multiple applications, and helps remove the challenge of keeping track of passwords. To provide further protection, it is important to shift to multi-factor authentication (MFA), such as combining the password with biometrics or a PIN code. SSO significantly reduces the time IT needlessly spends resetting passwords, and when delivered through an Identity as a Service (IDaaS) solution, authentication policies, such as the use of MFA, can be enforced across an entire organisation.

Pressure is increasing on companies to use MFA for administrative access too, as seen in the recent announcement of Version 3.2 of PCI DSS (Payment Card Industry Data Security Standard) – “A significant change in PCI DSS 3.2 includes multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data.”

The global MFA market is predicted to reach more than $10 billion by 2017. Using MFA and implementing SSO to avoid users having multiple passwords and usernames is a positive step towards keeping data secure. It’s time we reset our security thinking and not just our passwords!

More information on how Centrify can help with SSO and enforce MFA for both end users and privileged users can be found here.