Passwords ‘now at risk’ says IT expert
By Leon Gettler, Talking Business
ROBERT WILKINSON, CEO of Cyber Marathon Solutions, is warning that passwords are now very much at risk, thanks to machine learning.
Mr Wilkinson said it had become a continual battle for IT teams to get people to better secure their passwords.
He said the traditional advice on securing passwords has focused on how long the password is, whether it has an expiry date and how complex it is.
Now, however, a large number of companies like Microsoft are saying that might not be the best way to secure passwords.
“In this day and age, what you might be better doing is coming up with potentially shorter passwords,” Mr Wilkinson told Talking Business.
“Microsoft recommends shorter passwords because people will remember them. They still recommend some complexity in the passwords, and they also talk about not having them expire.
“The reason they say that is because people are people. If you have to sit there and remember a whole bunch of different passwords that are a mile long, you’re going to try to make it as simple as possible for yourself.
“So what happens is when you have those long passwords, you make them pretty simple, so reasonably simple to guess, or reasonably simple for a machine to guess,” he said.
“So if you have a rule that says it has to be changed every 30 days, what people will do is have the exact same password and change the numbers, which is also very obvious and makes it easy for them to be cracked.”
Passwords plus multi-factor authentication
Mr Wilkinson said passwords these days have to be part of a system which includes multi-factor authentication.
“You need to have user education to tell users why it’s important to have a password that is unique for the services they’re looking at rather than spreading it across every single thing they log into,” Mr Wilkinson said.
He said that while he suspects passwords “are not going away”, there are other security options besides passwords.
These include biometric identification from the phone, like fingerprints or face scans, multi-factor tokens that can be put on key rings – and some companies issue people with digital certificates on their computers that authenticate them.
Mr Wilkinson said Microsoft ATP (Advanced Threat Protection), for example, includes vulnerability assessments in addition to anti-virus protection and built-in AI that allows users to spot threats that are emerging. This is a subscription service that comes with Office 365.
Microsoft prepares businesses with ‘ATP’
Microsoft ATP can also help IT and security staff by keeping track of what happens on a machine and categorising some of the things it detects.
“You can imagine if you’re a business owner and you have 100 machines trying to force feed stuff to your IT teams, you can start missing things,” he said. “What ATP can do is start prioritising those things and make it easier and quicker to respond to them.”
Mr Wilkinson said ATP incorporates a lot of automation and it can be integrated with other applications such as security or IT ticketing systems.
He said companies can deal with cyber security by having a plan to start with and implementing user education.
“That’s what most companies skip to their detriment,” Mr Wilkinson said.
“You need to make sure the users have an understanding of the types of issues they may face because not everyone is an IT person,” he said.
“It’s going to be a surprise for some people to see how easy it is to breach an organisation by working through a user.”
Hear the complete interview and catch up with other topical business news on Leon Gettler’s Talking Business podcast, released every Friday at www.acast.com/talkingbusiness.