Passwords are better off dead

Cormac Herley, a principal researcher at Microsoft Research, says passwords aren't dead but they need fixing.

I think passwords are better off dead. Hell, even Bill Gates called for the death of passwords, and that was six years ago.

My Network World colleague Tim Greene wrote about Herley's thoughts recently and this is some of what he said:

While many call for replacing passwords altogether with something else, they may be doing so based on little or no hard evidence, says Cormac Herley, a principal researcher at Microsoft Research.

Keystroke logging, brute force attacks, phishing and session hijacking are all used to get around passwords, but it would be impossible to draw a pie chart of how much each method was used because nobody knows, he says in a paper on the subject. "We don't know the slice sizes not even approximately," he says.

In addition to finding out, he recommends other steps that could make password use more effective:

* Quantify harm that password compromise causes and differentiate between the worst case and the average case.

* Offer better user support for passwords so password use is more secure.

* Identify when passwords are not enough -- and why -- so appropriate alternatives can be developed.

* Devise a method for evaluating alternatives objectively.

Herley's premise is that passwords are so entrenched and are useful in so many ways that they're not going away anytime soon. After all, if they were totally ineffective, nobody would use them.

"While the research community is unable to quantify harm, individual companies presumably have estimates of their losses from ongoing threats," Herley says in the paper "A Research Agenda Acknowledging the Persistence of Passwords," coauthored by Paul C. van Oorschot, a professor of computer science at Carleton University. "Their actions currently reveal a preference for password-related losses as opposed to the uncertainty of alternatives."

Passwords have a lot of upsides -- they're free, allow access from any machine with a browser, revoking them is simple and it's easy for users who forget them to reset them -- that make it hard to dump them altogether.

These are all fair points. Completely replacing passwords would be extremely difficult, and his argument that you can't beat something that's free and easy has merit.

But reading this reminded me of a keynote Gates gave at RSA in 2006. So I dug up the article I wrote about it at the time, when I was at SearchSecurity. In it, I quoted Gates as saying:

"Passwords are the weak link. We need to move in the direction of smart cards, and multi-factor authentication must be built into the system itself. We need the ability to track what goes on and have a built-in recovery system."

While the vision sounded good on paper, some attendees were skeptical at the time.

Microsoft has acknowledged the need to move beyond passwords before, said Ken Russ, a security infrastructure specialist. But the company's last attempt at authentication technology, the Passport single sign-on service, was unsuccessful.

"They had to abandon their previous attempt, and establishing trust between multiple companies is a difficult task," Russ said. "I don't know if any one company--including Microsoft--is up to the task."

Herley's comments suggest Microsoft still isn't up to the task, and that the company is admitting it. That's admirable.

But I'm not ready to abandon the future Gates described so long ago.

Like everyone else, I have to manage dozens of passwords for everything from online banking and accessing my blogging platforms to accessing Twitter, Facebook and Amazon.com.

I've worked hard to keep the passwords complex and not repeat them for different sites. But I have to admit to getting mixed up on which passwords go where and losing a lot of them. Maybe that's good, because it forces me to reset my passwords almost every time I go to a site. But it's not good for on-the-job efficiency.

I can't help but think that there has to be a better way.

--Bill Brenner
