In October, SplashData scrutinized files containing millions of passwords stolen by hackers. It released its annual Worst Passwords of 2012 list. The number one worst password last year was “password”. VMC Senior Solutions Architect and Manager Stephen Crabtree knows the vulnerabilities a faulty password exposes. He and his team have created a test to help circumvent security issues.
Simply put, passwords give people access to hidden areas. There are many standards for setting up passwords and that’s why we often run across applications or devices that have different password requirements. Sometimes, this is a pain point for end users, as they are in and out of many types of systems; it can be very difficult to remember which password gets inputted where. Multiply that times several web sites, multiple devices and several application specific passwords, and you begin to comprehend why people understandably become lax with password protection.
However, mobile devices are important to protect because they move around and utilize wi-fi, where information is easy to gather with a sniffer. This vulnerability also potentially affects wired networks, as our current businesses often allow us to log into networks with our mobile devices. Thus, it’s important to strengthen security by password protecting a device. Password check tests are part of the mobile security suite for devices, applications, and/or systems that my team and I have developed. There are four tests: capability, presence, utilization, and strength.
Password capability is about determining whether a device can have a password – believe it or not, some devices don’t have this feature. This test also determines the number of password, or doors, that protect information on a device. For instance, whether there are secondary and tertiary passwords for banking applications on the phone.
Password presence is whether the option to have a password is turned on and configured and, if there, whether or not a password actually exists.
Password utilization is concerned with the ongoing maintenance and use of passwords, if users are changing their passwords on a regular basis, whether they are prompted to or whether they do it of their own volition. This test also checks whether the same kind of password is being used across other devices or applications.
We also check the password strength. It’s important to create passwords that are hard to guess – that’s why many systems prompt us to create ones with special characters. A password of “password”, for instance, is much easier to guess than a password like “FYrV#79!4”.
When we run this test for a developer or manufacturer, we walk down the list of tests and back up it with every credential for every application or system. Then, we explore the various ways to strengthen the password protection and make our recommendations.
Creating strong mechanisms around password protection is a relatively easy way to guard against security breaches. What steps have you taken to ensure your customers feel secure in entrusting your system with their information?