We hear this question from time to time, so we might as well address it at the start of this section on Access Controls. While a password is considered similar to your ATM card PIN number since it’s something you know, the implications run a bit deeper.
Many organizations, thinking to increase security for valuable systems have looked into alternatives which require something you have, like a smart card or token, but these technical security controls tend to be expensive propositions when deployed to thousands of administrators… The even more expensive technical solution, which requires to record something you are, like your fingerprints, face recognition or iris scan have come down in price and even most entry level computers or Android phones offer some of these capabilities.
The issue comes down to infrastructure, support costs and common sense.
The average support cost for password resets is about $30. Single sign-on minimizes this cost factor. On-line password reset systems are also a great cost and time savers. If we increase the length of the password string and its complexity, we increase the security of our network for the small price of a minor inconvenience.
Security is not free, but it also is not a business hindrance…
In regards to this last statement, many corporate and government agencies security policies read something pretty close to this:
“Users must have the capability of changing their own password online.”
“Regular Passwords should be changed every 90 days or sooner.”
And last but not least, “Password construction must be complex enough to avoid use of passwords that are vulnerable to cracking or attack. Names, dictionary words, or combinations of words must not be used; not even if they contain substitutions of numbers for letters, e.g. s3cur1ty. Do not use passwords that might be easily guessed or subject to social engineering, e.g. data of birth, wedding anniversary, pet or partner’s name, favorite sport team.”
What do you think? Are passwords obsolete or too expensive for our internet connected world?