Over the last 20 years I’ve noted the recurrent outcry: “We need to get rid of passwords!” or “Passwords are dead!”
If such is the case, we are experiencing a zombie apocalypse of undead passwords because as far as I can tell they haven’t gone anywhere. In fact, they are multiplying in line with the exponential increase of things to which we want access.
Bad Password Habits
Between work and home, we accumulate more passwords than we can keep track of and develop bad habits trying to manage them.
One crowd goes the “simplicity is best” route and uses America’s most popular password, which is, of course … password. Qwerty and 123456 are in the top five every year, as well. At this point, there is at least one person reading this who has a red face and refuses direct eye contact.
Using too-simple passwords is like driving without a seat belt. Great if nothing goes wrong. And using the same password across multiple systems is like wearing no seat belt and texting while driving. In this scenario, it would be better if you lived in Wyoming, rather than Boston. But we in the insurance world live in the metaphorical equivalent of Boston.
Those at the other end of the password management spectrum believe that strong passwords or pass phrases are the key. They insist that a password should be long and complex and impossible to remember. Unfortunately, this means writing it down — hopefully not pasted on the monitor. Strong passwords are a solid digital survival technique, but too much complexity in password creation or in process can reduce their security value by inviting workarounds.
Shared IDs & Passwords?
Some insurance firms share passwords and create group IDs to make things easier, but the practice compounds negative outcomes. If a breach occurs, it’s impossible to attribute actions to a single individual, and consequently no individual involved can be proven innocent. These bad habits significantly reduce the value of security monitoring in an enterprise, right when you need clarity the most.
When you share your password, you are breaking trust with those who gave it to you. On a business system that might have legal implications. Certainly, from an agency contract perspective, it’s a bad position to be in when discovered, especially in a security breach scenario.
Chances are that no matter what practices you follow, multiple websites you use regularly have already been compromised, and your usernames and passwords are already for sale on the dark web. My personal information has been lost in numerous breaches, and I must react to that, not simply throw up my hands.
SignOn Once Simplifies the Verified Identity
Passwords are just a single component in establishing a verified identity for insurance transactions. Unfortunately, in most cases, some form of password will be necessary to gain the access we want.
The goal is to reduce the frequency and the complexity of what we need to do to establish our identity while increasing our security. For the independent agency channel, SignOn Once by ID Federation is the solution. Experts from agencies, carriers and solution providers volunteered their time and expertise to develop SignOn Once, and they continue to volunteer their time to the nonprofit ID Federation on behalf of the industry.
In upcoming blogs, I’ll discuss single sign-on, system-to-system federation, and the importance of the ID Federation Trust Framework.
Kevin Baker is information security leader of Westfield Insurance, Westfield Center, Ohio.
Westfield is committed to offering its agencies SignOn Once by ID Federation. Are your carriers?