Securing Online Accounts

Executive Summary

Principal, Cyber Security
March 2015

Online accounts of all types continue to proliferate.  There are accounts to order goods and services online.  There are accounts needed to read online subscriptions.  There are accounts to upload and download personal information including items such as photos.  

Regardless of its purpose, however, every account requires both authentication and authorization.

Authentication is the process of proving who you say you are to a system.  Authorization is the process of the system granting you the rights to use that system.  Taken together, they provide access to online accounts and in theory only allow the authorized user to access their account.  

Identifying users via an account ID and password is the most common user authentication and authorization scheme in use today.  The password is a string of characters that serves to authenticate the user by making them provide something they know.  However, this scheme is also one of the weakest, given how poorly passwords are often selected, used and managed.

For better or worse, passwords do not appear to be going away any time soon.  They continue to exist and proliferate because they balance user convenience with some semblance of security for a wide range of software applications.

According to most reports, the average consumer has between 25 and 30 online accounts they utilize on a regular basis – all of which require some type of password.  It is quite unreasonable to expect each of those to be unique and to follow the various strong password rules implemented at multiple websites.  Moreover, often lost in these discussions is that whoever is running the online account for the organization in question bears responsibility to properly store and manage user passwords: a password should never be kept in a form from which it can be read back.
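As an added example (not code from the original paper), this is one way an account operator can meet that storage responsibility: each password is stored only as a salted, iterated hash (PBKDF2 from Python's standard library), and verification recomputes the hash and compares it in constant time. The iteration count and the `algo$iterations$salt$hash` record format are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor: an assumed value for this example; raise it as hardware gets faster.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algo$iterations$salt$hash (constructed format)."""
    salt = salt or os.urandom(16)  # per-user random salt: same password, different record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # a malformed record never authenticates
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # no early exit on first mismatch


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print(alice != bob)                             # True: different salts, different records
    print(verify_password("correct horse", alice))  # True
    print(verify_password("wrong horse", alice))    # False
```

Because the stored record contains the salt and iteration count, the work factor can be raised later for new records without breaking verification of old ones.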

So what can be done?

Let’s try to look behind the monitor and uncover what is going on in a world full of online accounts featuring single-factor authentication schemes centered on user names and account passwords.

• What are the best password protection mechanisms?
• What are effective techniques a user can implement?
• What is on the horizon to replace passwords?

These and other questions have a significant impact on whether a specific account will be cracked, exposing a user to various illegal credential exploitation activities such as identity theft.