No matter how problematic or even dangerous unauthorized access may be to an account, many users will still opt for the most simple security possible to enable them to perform their job functions or enjoy their personal lives. Passwords such as "password" or "123456" are far too common occurrences at all levels of organizations or among their users. People don't want to be locked out of a website or have to remember complicated authentication details.
Nuclear security little more than a string of zeroes
If there were ever any doubt about how easily guessed some passwords are, all anyone needs to do is look to the U.S. military. According to a paper published by Columbia University about Permissive Action Links (PALs) – the security devices that enable the use of nuclear weapons – the code to arm U.S. Minutemen missiles was no more complicated than "00000000." Rather than opt for greater protection should someone attempt to access the ICBMs without authorization, decision-makers chose to make the launch process as simple as possible. To ensure that no one forgot the password, the dials were also preset to "0" and the firing crew was instructed to check the locking panel to verify that the numbers were not tampered with, Naked Security recently highlighted.
This situation eventually changed, but 20 years passed before more robust code requirements were applied to the PALs.
Users want ease and immediacy with their accounts
In light of these circumstances, it's no wonder that most people are willing to apply the most easily broken security measures to their accounts. Despite all attempts to encourage users to create multiple-character, complicated credentials, many individuals will instead eliminate as many obstacles as possible between themselves and their accounts. If a service requires a long password with numerous special characters or numbers, there's a good chance the login holders will write the code down or store it in the browser for automatic access. Conversely, they might repeat the same password across many sites, some of which may have minimal encryption protocols protecting their members.
Naked Security noted that the factors surrounding nuclear launch security remain familiar sights today, as sticky notes with "123456" or similar information are still regularly applied to computer monitors or other areas where anyone can wander by and discover someone else's login credentials. The news sourced suggested that users and organizations apply more robust requirements to their passwords by using a minimum of 12 characters with a mix of letters, numbers and special characters. However, this suggestion is unlikely to take hold among many individuals. People have known that they should use more stringent protective measures for years now, yet best practices are rarely applied to credential creation. If given the choice, many people will guard even the most sensitive matters with authentication details no more complicated than a string of zeroes.
Going beyond the password
Because of this, organizations should look to more inherently strong security methods, without ever losing sight of the fact that their users want easy access to services. Multi-factor authentication can achieve this by associating an account with a specific device, such as a smartphone, or potentially another identifier, like a fingerprint or other biometric information. Whatever the secondary identifier is, it should be readily available to the user at all times, and relatively uncomplicated to use. This will encourage individuals to actually use a service, rather than avoiding it due to complications related to logging in.