Last week, security researcher Mark Burnett published 10 million passwords in the hope of furthering research into making authentication more secure against fraud and unauthorized access. You can read the details of how he did so here, but his intentions have merit when you think about recent big breaches such as Sony, Anthem and JP Morgan. We are at a crossroads when it comes to the security of passwords, and it may be time for organizations to consider an upgrade to ensure personal and business-critical information is as secure as possible.
The New Standard
The username and password combination has long been the standard for authenticating to computer and web-based systems and networks. But systems that are based solely on passwords are inherently insecure. Modern systems should rely on two-factor authentication, tokens or biometrics; however, many of today’s systems authenticate solely on text-based passwords, which are easy to remember but also easy to crack and vulnerable to various dictionary-based attacks.
Many organizations are exploring more secure ways to enforce authentication beyond usernames and passwords such as:
- Multi-factor Authentication – two-factor or multi-factor authentication identifies users by means of the combination of two or more different components typically expressed as something you know (your password), something you have (smartphone or hard token), or something you are (think biometrics).
- Graphic Passwords – graphical passwords work by having the user select from images, in a specific order, presented in a GUI.
- Virtual Tokens – pre-recorded information typically carried on a smartphone. For example, Clef, a new application, logs users in by displaying a temporarily generated, unique image on the phone screen. The user can then simply hold the image up to the computer’s webcam to authenticate.
- Next-generation Biometrics – with the increased adoption of wearable technology, companies and researchers are experimenting with truly novel approaches to identifying us. For example, the Nymi wristband measures your pulse and uses the unique rhythm of your heart to unlock your devices and accounts. Other possibilities include facial recognition using your webcam, typing speed and keystroke rhythm on your keyboard, and measures of your gait.
No matter the technology, to replace the username and password duo, the next-generation authentication mechanism will need to be simple, cheap, and reasonably well understood and trusted by those using it. In addition, new authentication methods must be easy to administer and integrate seamlessly with a wide array of authentication and single sign-on protocols such as OpenID, Kerberos, TACACS+, and SAML. I’m hopeful that Burnett will find some useful data as part of his ongoing research that will signal a change. Because until a better technology is developed and becomes widely accepted, security professionals will be left with few options for stopping today’s cyber criminals, especially once an initial foothold is established within our networks.