Educating Consumers Is Not A Secure Password Solution

By Vince Lee, ANZ Regional Manager for SafeNet

The Centre for Internet Safety at the University of Canberra and PayPal recently published a survey of over 1000 Australians' password habits confirming what information security professionals have long suspected:

- 77% of Australians have more than three online passwords; and
- 63% use the same password across more than one of their online accounts.

No surprises there, although I suspect that most Australians have many more than three online passwords to manage if you include the ones used by employees to access a VPN and corporate cloud applications like Salesforce, Microsoft Office 365 and Google applications.

Now let's look at the report's recommendations:

- Online service providers need robust password policies and procedures and to actively monitor accounts for anomalous behaviour; and
- It is critical that Australian consumers are aware of the characteristics of strong passwords and the importance of having strong passwords and protecting them.

I don't have a problem with strong passwords. But I do have a problem with the idea that you can make consumers aware -- i.e. educate them -- about how to create and protect them. That is great advice for an individual user. But it is not good advice for an organisation that relies on the behaviour of a large number of individuals.

Requiring someone to use a strong password does not stop them from re-using a strong password. An organisation can't prevent users using the same 'strong' password to access corporate assets and insecure consumer websites, for example.

Organisations can educate people but at the end of the day we know that people will do what is easiest. Ultimately, organisations have to take responsibility for their own security.

Which is why I'm very surprised that the report did not even mention the use of multi-factor authentication solutions. These can take the requirement to think up and manage multiple strong passwords out of users' hands and give organisations control over authentication. A good example is Google, which now offers its customers a free SMS service to provide strong authentication, taking the onus of strong passwords away from the user.

These and many other cost-effective authentication solutions are readily available to every organisation regardless of size. So, I think it's about time organisations stop putting the burden on users and start taking more responsibility for authentication to their systems or services.