Avoiding password recollection pitfalls
December 2, 2013

Despite all the advice about password security, many individuals fail to follow best practices when creating them. People reuse the same code across multiple accounts or create an easily guessed password like "123456." But the justification for this is simple: if users can't remember their password, they're more likely to reset it. Unless a website is willing to lock a member entirely out of his or her account, allowing users to create new login details considerably weakens the system. A hacker can readily discover what someone's email address is and, from there, the answers to authentication questions about a target's parents, school or similar information. 

Yet a forgotten password is an all too common problem. According to a recent survey from tech startup Lunabee, only 10 percent of people never forget their login details. Of the remaining 90 percent, not all had to reset their credentials, but that's only because they used other risky strategies to remember the information. Fifty-two percent of all respondents stated that they wrote down their account details. This leaves accounts less exposed to hacking attempts from outside the individual's location, but it can cause issues in an office or even home environment. 

As for password resets, 58 percent of respondents admitted to requesting the service after forgetting their login details. With that many people needing a new password, organizations can't just ignore the problem. Websites that require members to use complex passwords will likely trigger resets more often, and each reset is another point of vulnerability. By contrast, allowing simple passwords runs the risk of the details being guessed. But there are a few more secure options open to organizations. 

Avoiding the issue altogether
There are a few ways that companies can minimize the number of password resets they issue. One is with a "bring your own credentials" (BYOC) set-up. Part of the problem with password recollection is that many individuals only use their passwords a few times per year. This results in poor recollection rates and necessitates more reminders and resets, and that recovery process is what an attacker can then exploit. With a BYOC model, a website allows members to sign in using trusted, more frequently used credentials from another source. In many cases, this means authenticating users via their banking logins. Many consumers regularly engage with their banks and can recall their passwords with relative ease. The nature of the institutions means that they protect the data extensively, while most people know well enough to create a sufficiently complex password that isn't used across multiple websites. 

Reducing risk
Another answer to the problem is a multi-factor authentication model that relies on both a password and some other means of identification that isn't easily used by anyone except authorized users. Thus, even if a password is discovered, it won't do the hacker much good without the second means of identification. Smartphones are a good secondary component because most people have them on hand at all times. Thus, they can be used during the login process with little difficulty – a key factor, since the less convenient it is to access an account, the less likely members will want to use it. While this won't stop someone from resetting their details, it reduces the risk inherent to the process. 
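To make the second factor concrete, here is an added example (it is not code from the original article or from any vendor mentioned in it) of a time-based one-time password check of the kind a smartphone app generates, verified alongside the password at login. The algorithm is TOTP as specified in RFC 6238 (built on HOTP, RFC 4226); the account record, salt and password are constructed for the example, and the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the published values.

```python
import hashlib
import hmac
import struct

# Added example (not part of the original article): a second factor of the
# kind the passage describes, implemented as a time-based one-time password
# (TOTP, RFC 6238) checked together with the password at login.
# The account record, salt and password below are constructed.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then "dynamic truncation" to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side, to
    tolerate clock drift between server and phone. Every candidate is
    compared in constant time and the loop never returns early, so timing
    does not reveal which step matched."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False  # malformed input is rejected before any comparison
    counter = timestamp // step
    matched = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, submitted):
            matched = True
    return matched


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256) for the stored record."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed account record. The TOTP secret is the RFC 6238 test-vector
# secret ("12345678901234567890"), used here only so the codes are checkable.
SALT = b"constructed-salt-value"
ACCOUNT = {
    "password_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
}


def login(account: dict, password: str, code: str, timestamp: int) -> bool:
    """Both factors are evaluated before the decision, so a leaked password
    on its own is rejected and the failure does not say which factor failed."""
    password_ok = hmac.compare_digest(hash_password(password, SALT),
                                      account["password_hash"])
    code_ok = verify_totp(account["totp_secret"], code, timestamp)
    return password_ok and code_ok


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector gives code 287082 for this secret.
    print(login(ACCOUNT, "correct horse battery staple", "287082", 59))  # True
    print(login(ACCOUNT, "correct horse battery staple", "000000", 59))  # False
```

Two things the example leaves out that a deployed version needs: remember the last accepted counter per account and refuse any code at or below it, so a code that was observed once cannot be replayed within the drift window, and rate-limit code attempts, since a six-digit space is small. Just as important for this article's topic, the password-reset flow itself must demand the second factor; a recovery path that skips it hands the attacker exactly the bypass the second factor was meant to close.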

But while the way organizations handle the problem may differ, the important thing is that it's dealt with. Passwords will remain an important part of security, so reinforcing them as much as possible without creating inconvenience should be critical to any company or institution handling sensitive user information.