Information Technology: What IT Can Do Now That User Passwords Aren't Safe?
The parade of revelations of passwords stolen from online services -- LinkedIn (where poor implementation meant nearly two-thirds could be decrypted), eHarmony, and Last.fm most recently -- has many workers and IT pros alike questioning the security of the cloud and the most prevalent way they have to secure access to accounts: passwords.
Following the leaks, LinkedIn and others stressed that people should not reuse their passwords, and they reiterated the standard advice to use complex passwords or passphrases. Unfortunately, users typically do only one or the other, but not both -- and frequently neither. The advice to not reuse passwords is even more important in the cloud, where user accounts are accessible from anywhere and the large databases of user credentials lure attackers to try to breach the systems.
Yet it’s clear that, as users have dozens of online services that require passwords, the "use a different complex password for each, and change them regularly" advice may not be something mere mortals can do -- at least, not unassisted. Here are the strategies IT should consider in a world where users’ personal passwords can be stolen from their online providers, yet are probably also in use at work.