Gartner report on People & Passwords

"It won't happen to me" seems to be the behavior exhibited by US consumers in light of the Gartner report entitled "Consumers Don't Want to Change the Ways They Manage Online Passwords". The findings are unlikely to come as a surprise to any security professional.
'Two-thirds of U.S. consumers surveyed use the same one or two passwords for all Web sites they access that require authentication,' said Gregg Kreizman, research director at Gartner. 'Most U.S. consumers want to continue managing their passwords the same ways they do now. They don't favor using software or hardware to help manage passwords, and user-centric identity frameworks such as OpenID and information card architectures face scarce consumer demand.'
As consumers and customers, we have to demand that our data be treated with better care; however, this also means that as custodians of our own data (or data about others) we should exercise better care in keeping that data safe. That means that using your dog's name as your password to your email account and your financial institution is not a good idea.

As a customer, I do want my financial institutions to provide me with enhanced authentication mechanisms. Just don't give me any more of those fake "two-factor authentication" mechanisms based on cognitive passwords - those are really just several single-factor authentication challenges, no matter how many questions you ask (what street were you born on, what is your dog's name, what is your hair color, etc.).

Src: Gartner Press Release Says Consumers Are Unwilling to Sacrifice Convenience for Security, Despite Widespread Online Fraud | Gartner


Unknown said...

Customers are unwilling to give up convenience... and frankly they shouldn't have to. They are the customers after all. We, the engineers and developers and security professionals of the world, should be designing a system that gives us the authentication we need without making life difficult for them.

We can harp on our users about how they should pick better passwords. We can tell them to use different passwords for different sites until we're blue in the face. It won't work. Marcus Ranum said it best: if user awareness programs were going to work, they would have already worked. The only option is for us to improve the system. That's one reason I'm such a big fan of keyboard biometrics. It is very accurate and doesn't require the users to do anything differently... of course I'm really simplifying it here. It isn't perfect.
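The keyboard biometrics mentioned in the comment above, illustrated with an added Python example that is not part of the original post or of any commenter's code: it enrolls a typing profile from a few samples of one fixed passphrase and scores later attempts by dwell time (how long each key is held) and flight time (the gap between releasing one key and pressing the next). All timing data here is constructed; the feature set, the per-feature scaling and the acceptance threshold of 2.0 are assumptions chosen for illustration, not a published standard.

```python
"""Toy keystroke-dynamics check (added illustration, not from the post).

A typing sample of a fixed passphrase is a list of (key_down, key_up)
timestamps in milliseconds, one pair per character. Enrollment stores the
per-feature mean and spread over several samples; verification scores a
new sample by a scaled Manhattan distance and accepts it below a threshold.
"""
from statistics import mean, pstdev


def make_sample(dwells, flights):
    """Build (key_down, key_up) pairs from dwell and flight times.

    Helper for constructing test data; a real deployment would record the
    timestamps from actual key events instead.
    """
    t = 0
    sample = []
    for i, d in enumerate(dwells):
        sample.append((t, t + d))
        t += d
        if i < len(flights):
            t += flights[i]
    return sample


def features(sample):
    """Dwell times followed by flight times, as one feature vector."""
    dwell = [up - down for down, up in sample]
    flight = [sample[i + 1][0] - sample[i][1] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples):
    """Per-feature mean and spread from several enrollment samples.

    The spread is floored at 1 ms so a feature that happened to be identical
    across all enrollment samples cannot divide by zero in score().
    """
    vecs = [features(s) for s in samples]
    n = len(vecs[0])
    means = [mean(v[i] for v in vecs) for i in range(n)]
    spreads = [max(pstdev([v[i] for v in vecs]), 1.0) for i in range(n)]
    return {"means": means, "spreads": spreads}


def score(profile, sample):
    """Average absolute deviation from the profile, in units of spread.

    Lower means closer to the enrolled rhythm; 0.0 would be a perfect match.
    """
    f = features(sample)
    dev = [abs(x - m) / s for x, m, s in zip(f, profile["means"], profile["spreads"])]
    return sum(dev) / len(dev)


def verify(profile, sample, threshold=2.0):
    """Accept the sample if its score is within the (assumed) threshold."""
    return score(profile, sample) <= threshold


# Constructed data: four enrollment samples of a 5-character passphrase
# (5 dwell times, 4 flight times each) typed by the legitimate user.
ENROLLMENT_SAMPLES = [
    make_sample([90, 95, 85, 100, 90], [120, 130, 110, 125]),
    make_sample([95, 90, 90, 95, 85], [125, 120, 115, 130]),
    make_sample([85, 100, 90, 105, 95], [115, 135, 120, 120]),
    make_sample([92, 93, 88, 98, 88], [118, 128, 112, 128]),
]
PROFILE = enroll(ENROLLMENT_SAMPLES)

# Constructed probes: the same passphrase typed by the user, and by someone
# else who knows the passphrase but has a much slower, different rhythm.
GENUINE_PROBE = make_sample([91, 94, 89, 99, 90], [121, 127, 113, 126])
IMPOSTOR_PROBE = make_sample([140, 150, 130, 160, 145], [200, 220, 180, 210])

if __name__ == "__main__":
    print("genuine  score=%.2f accepted=%s" % (score(PROFILE, GENUINE_PROBE), verify(PROFILE, GENUINE_PROBE)))
    print("impostor score=%.2f accepted=%s" % (score(PROFILE, IMPOSTOR_PROBE), verify(PROFILE, IMPOSTOR_PROBE)))
```

The point of the example is the comparison mechanism, not a production system: with only a handful of enrollment samples the spreads are noisy, so the threshold would need tuning against real false-accept and false-reject rates. It also shows why the next comment's caveat matters: anything that records the key events with their timestamps captures exactly the features this check relies on, so it adds little against malware on the endpoint.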

DrInfoSec said...

As far as I understand, biometric passwords are a viable option mainly in local environments. Over the internet, they would require deployment (BHOs?) and would still be vulnerable to the kind of keylogging trojans in use today.