⚠ We would appreciate if you would disable your ad blocker when visiting our site! ⚠

I'd like a room. No passwords, please.

Order a reprint of this story
Close (X)

To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.


March 01, 2013
Solution Provider Insights
Daniel Johnson

This year, if you attend any of the signature events made up of our hospitality technology-focused brethren such as the Hospitality Technology Expo in London, the International Hospitality Technology Forum in Lisbon or HITEC in Minneapolis, you’re sure to hear a considerable amount of talk about security and PCI-DSS compliance. This is, of course, nothing new. Whether it be the perennial favorite PCI boot camp (despite its somewhat ominously militaristic title) or perhaps “Securing Guest Information in a World with no Boundaries” (a title that suggests the possibility of a Neverland that is both utopian and nihilistic), the speeches and panel discussions will likely provide attendees of their respective conferences with a status report of our community’s war against the data breach. Many of the discussions will be supported by the latest facts and figures. For example, with the 2013 Data Breach Investigations Report (DBIR) due in March, we look forward to learning if we’ve been able to stem the damaging trends set in 2011 (i.e., 174 million compromised records). And with a report of as many as 855 incidents in 2011, we wonder if we will exceed that number to witness occurrences totaling in the thousands.

Year in and year out, research studies show us how breaches occur. This year, we don’t expect too many surprises. Just as in the past, it’s likely that most breaches utilize some form of hacking. The DBIR 2012 indicated that hacking is “… linked to almost all compromised records. This makes sense, as these threat actions remain the favored tools of external agents, who, as described above, were behind most breaches. Many attacks continue to thwart or circumvent authentication by combining stolen or guessed credentials (to gain access) with backdoors (to retain access).”  In 2011, hacking was involved in 89 percent of incidents. While sources at Trustwave have indicated that the hospitality industry has marginally improved its ability to protect itself (now slightly less than 38 percent of all incidents), hackers continue to maneuver around firewalls. They “thwart or circumvent authentication” by stealing or guessing our beloved passwords.

Verizon Business maintains that hackers are “scanning the Internet for easily guessable passwords.” Therefore, Verizon places a high premium on the appropriate management of administrative passwords. Actually, password management is at the very top of their list of security tips. Why? It’s because hacking is made simple because of the simplicity of our passwords.

Have you heard that Qizmodo released its list of the 25 Most Popular Passwords for 2012? It was compiled by SplashData who gathered the data from millions of stolen passwords posted online by hackers. In the top spot, unchanged from last year, was the password “password.” It was trailed in the No. 2 spot by the password “123456”, also maintaining its position from last year’s study. Curiously, the password “monkey” has maintained its spot at No. 6 for the second straight year.

Fortunately, there is what sounds like good news for the hospitality industry. In a January 18 article, Wired magazine reported that tech giant Google is targeting the use of passwords. The company is imagining a way to access accounts (i.e., your Gmail account) and log in to applications by simply tapping your computer with your ring finger. Google’s security team discussed this new authentication method in the January/February 2013 edition of IEEE Security & Privacy magazine. In the article, “Authentication at Scale,” Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline multiple techniques for logging into applications. In other words, they’re experimenting with new ways to replace the password, including a Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a user in.

Consider, the hotel of the future. Allow yourself to dream of a magical place where the entire IT infrastructure protects our precious data during a stay. The hotelier will have implemented the latest in firewall technology and undoubtedly trained its entire staff on the importance of privacy, security and PCI compliance. Anything less would be naïve and reckless. However, just imagine how soundly we’d all sleep (or web-surf) knowing that the PMS and POS administrators aren’t using “abc123” (No. 4 of Qizmodo’s Top 25 for 2012) or “letmein” (No. 7) as their passwords. They won’t be using those passwords because no one at the property will be using any passwords. That will be because in 2013 innovators declared war on passwords. Now there’s an advertising pitch waiting to happen: Vacation Paradise Package Awaits You! Pristine Beaches, Uber-fast Wi-Fi and No Passwords.

Daniel Johnson provides strategic thinking and innovative solutions as the chief operations officer of the Venza Group.

©2013 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.