Passwords aren't dead, though maybe yours should be

Despite all those "death to passwords" chants, some say it's still a solid form of authentication -- when users aren't being stupid about theirs.

It's 2012. The password is dead. Long live the password.

Perhaps the division in the IT world is not quite that stark, but there is indeed division. Some think it is past time to retire passwords, for what they say is the obvious reason: They don't protect users, since they are so easily hacked. All the talk about making passwords more secure is ignoring the elephant in the room they simply cannot be made secure. Besides, there are other, better, authentication options, like biometrics, since nobody has your fingerprints, eyes and DNA.

But others say not so fast that biometrics are not duplicate proof, and that passwords would still be fairly effective if users didn't make them so easy to hack and if password authentication systems were improved.

Christopher Frenz, CTO at See-Thru and a faculty member at Mercy College, both in New York, says the problem is, "not because of passwords being obsolete, but because of the prevalence of bad passwords and bad password practices."

He points to the 2009 SQL injection attack on the social media site RockYou that compromised 32 million user account passwords. "The only password security requirement was a password of at least five characters," he says, "(which) resulted in people choosing passwords such as 12345, Password, rockyou, and abc123," plus common dictionary words.

Besides that, the passwords were stored in plain text format, along with users' email addresses.

Frenz says some websites (Hotmail recently among them) now require more complex passwords with multiple character types.

He admits that high-quality passwords are difficult for users to remember, especially if users (as they should) have different ones for possibly dozens of sites. But he believes a way to resolve that is to lengthen the space for passwords, and encourage the use of phrases instead of a short but random collection of letters and numbers.

That, he says, offers, "the potential to provide a high level of security with the added benefit of being much easier for users to remember."

Owain Rees, information security officer for BBC-TV in the UK, agrees. "The only way to make a password more effective is to make it longer. In most cases a very long simple password is more difficult to break than a smaller complex password," he says. But even that is not close to enough, says Matthew Walker, manager at ShieldPass in Singapore.

"The current trend among IT administrators is to insist that users increase the complexity of their passwords and change them at regular intervals," he says. "This makes managing online passwords a living hell; and yet it makes not one bit of difference to the malware that commonly intercepts and copies them."

It is pointless, he notes, to require complex passwords, but then provide a "forgot your password?" link that sends a temporary password to an email address that likely has a weak password.

Nor is the OTP (one-time password) effective any more. "They are equally vulnerable to man-in-the-middle attacks or, more specifically, man-in-the-browser attacks, such as Spyeye and Zeus that inject code into the user's browser," Walker says.

Since most identity theft occurs en masse, to the entire user base of a site that has its database hacked, Walker says the burden ought to be more on system administrators to enhance security of passwords.

"For example, authentication sessions could be managed with timed lockouts, IP addresses could be tracked and more advanced password complexity analysis at the time of creation would actually improve security for the end user," he says.

Part of the problem, according to Rees, is that users may expect more of passwords than they can deliver. "They should be part of a layered security defense," he says.

Rees likens the password to a lock on a car. "It doesn't mean the opportunist can't just smash a window and get in, but it creates an obstacle," he says.

Beyond that, just as a car should also have an alarm and an immobilizer, computer security should include other elements like IDS, firewalls and encryption of data.

All three security experts agree that "three-factor authentication," which includes biometrics, will not improve security, and could even make it worse.

"It creates complications that will confuse the lay person," Rees says.

Not to mention that a thumbprint is not something you can change if it is compromised. "A password you leave a copy of everywhere you go and cannot change is no password at all," says Walker who, not surprisingly, suggests his own invention, the PassWindow authentication as significant leap in security.

It is a wallet-sized plastic card that "opens a small, but fully secure window from the server to the user's eyes." That window "passively displays the encoded transaction details and associated OTP directly to the user for verification and entry."

If there is a solution, the experts say it lies in simplicity, not complexity. And that simplicity has to come from the systems themselves.

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline