Are we seeing the death of the password?

Last updated: 21 March 2014

Joey Muniz (The Security Blogger) wrote recently about how it is becoming increasingly straightforward for potential hackers to find out your passwords, due to the predictable nature of way people select a password.

This useful cartoon from xkcd shows how easy it can be to obtain passwords, also suggesting a simple way in which to boost your security.

Password Strength by

I absolutely agree with Joey’s statement that you need two-factor authentication in order to safeguard your data in today’s world. Usernames and passwords are free, but you get what you pay for – and effective security is not usually free.

The challenge lies in the fact that most companies are afraid of the cost and difficulty of rolling out a more secure authentication solution. But in reality the real question should be ‘what is the cost of not moving to strong authentication?’

McAfee recently revealed that 72 different organizations around the world have been victims of cyber-spying. With attacks likely to increase, it is important to note that strengthening your access controls ensures that you have a higher level of security for all those who are attempting to access the network.

Microsoft has made some progress in helping support strong authentication by incorporating the support of smart cards into both Windows 7 and Server 2008, and there are easy downloads to upgrade earlier versions. But one of the most important things that companies need to consider is risk-appropriate authentication levels. This simply means making sure you have the right level of security for your organizational level. By implementing risk-appropriate authentication for users who do not need access to sensitive information (remote sales persons, contractors) a company could use OTP authentication that is stronger than username and password, but only provides access.

For users who have greater access privileges and depend on communication or the transfer of confidential information (legal, executives or board members) companies should think about migrating to certificate-based or PKI authentication. With Microsoft’s support, this type of authentication comes with additional benefits like email encryption and digital signature. Once enabled, it is as easy as clicking a button in Outlook to send an encrypted email to another person within the same trust framework. The process is equally as simple for digitally signing a document or Excel spreadsheet.

Companies need to take a hard look at who has access to what and must move the higher level users to a stronger form of authentication. To do anything less would be irresponsible.

6 thoughts on “Are we seeing the death of the password?

  1. Thanks for the pingback. The cartoon is pretty funny but true. Mathematically some password policies may seem strong however once you throw in the human element aka predicting human behavior, the likelihood of prediction dramatically increases. One good book that touches this subject is “The Art Of Speed Reading People” by Paul D. Tieger and Barbara Barron -Tieger. I’ve used the theory of what common numbers people choose when asked “pick a number 1-10” for many events such as winning the coin toss for kickoff prior to a futbal match or getting out of cleaning the dishes. Its almost unfair once you know the probability for common decisions.

    1. Joey,

      Thanks for the comment. The human factor is one of the most interesting aspects of security to me. While you can implement policies to try and keep people from using common information, we have seen that a typical password will fall into some very specific and predictable patterns. This is why I have advocated the use of at least a second factor of authentication. By adding an additional physical factor like a smart card or smart phone take the choice out of the hands of the user and forces a stronger security protocol. This type of technology has been around for a long time, but I think it is imperative that this becomes a standard not an exception in security practices… especially in the enterprise.

    1. There are a lot of companies that have implemented this type of technology. In fact, we just announced today that Swedbank (one of the largest bank in the Northern Europe) has implanted this type of security internally and last week we announced that ING has used a similar technology for customers to access their online accounts. While it will take some time, I believe there is more interest than ever before in securing online identity and making the digital world a safer place to hang out. There was some talk of social media sites like Facebook offering a stronger form of authentication, but I think this will be down the road when other more critical aspects of a person’s digital life are already secure. The two things that immediately come to mind are online banking and online access to corporate networks. These areas have some of the most sensitive transactional information and need to be secured, but the push will have to be from IT security professionals in the enterprise and consumers who access their accounts online. Until these groups demand this level of protection my fear is that adoption will continue to grow at a modest pace.

  2. Ray, what do you think about the Federal ID Smart Card as a 3 factor authentication?

    Or, the newly proposed Narional Strategy for Trusted Identities in Cyberspace?

    What are the vulnerabilities of these?

  3. I work on the Gemalto blog team, and this comment was submitted by Michael David Lay when we posted this article on LinkedIn:

    Sure, who isn’t frustrated with the number of passwords they have to keep track of. I am even more frustrated by the variation in complexity rules, so I have roughly three passwords I use, one for Systems Access and Control, one for Finance and one for Junk Sites that I need access to, newsgroups, even some social networking stuff. My passwords are good, complex, aside from brute force attacks would be difficult to guess but some sites let you use punctuation others don’t, or the number of characters varies or whatever the condition I inevitably end up not being able to use my group of passwords globally, and have to come up with something I will never remember for some site I access twice a year.

    On the other hand, the password issue has spawned a whole new industry for the IT worker. The SSO industry or Single Sign On. The variations in the breed of software, in where and how you can apply it. It is also generally expensive making it completely impractical for all but the high end corporate market, and from an employment point of view the software a given company is looking for is usually not what you have used which does seem to matter to hiring managers, though realistically understanding the issues in SSO goes a long way in being able to implement it regardless of brand.

    There are also password memory functions in web browsers that will remember passwords to websites. The problem here is that it is usually browser/computer specific so whatever computer you set the password on is the only one which will retain it, and secondly I am not convinced how secure this is, so I tend to use it only for lower security access points like on-line knowledge bases, links to documentation, even containers for computer information in the event you need to upgrade or track down drivers. There are some companies like Google Chrome that are allowing you to login and sync your browsers regardless of computer…I love Google Chrome, no matter where I am I can log in and have access to my links, my passwords, my form information, etc.

    Finally there is the biometric solution, which I am not really sure is a solution to this particular problem. I think of it more as a convenience for logging into a specific appliance or machine. Essentially the same thing as a password, just a different way to enter it.

    I don’t see a solution to the problem. I think a standard as to acceptable password complexity would be a good start. Ultimately a SSO solution that relies on a database which is universally accessible, something you would log in to and it would hold every password you might need. That is a long way off though, and for more then a few reasons. There is of course the necessity for a profit model, not many people would want to pay for this, so either OS companies build in access or we go to an advertising revenue model. Secondly, there will certainly be a lot of paranoia about turning over control and access to your authentication strategies to a third party. Finally, you would need a company with the clout and financial resources to launch this sort of endeavor. The technology is already there and is being used on a small scale on individual user machines, and it has had some success but not the giddy screams of glee to excite bigger players into the market.

    For the time being it is what it is, if someone has another suggestion I would personally love to hear it.

    Michael David Lay

Leave a Reply

Your email address will not be published. Required fields are marked *