My goal in conducting unofficial surveys of security analysts and executives is to determine which security solutions have been most detrimental to achieving a strong security posture. Lately there has been a clear standout: passwords.

For decades we’ve been using passwords to protect computers, and for decades they’ve only somewhat worked. For example, within critical infrastructure I’ve seen cases where there is a well-known default password for many devices. In some cases that password is even written on the device, and in other cases engineers share a single user account and password, so no accountability is associated with system changes. In the world of critical infrastructure, where availability is the priority, I understand (though I don’t agree with) the philosophy that drove this mindset and resulted in simple default passwords remaining fixed for thirty-plus years in some cases.

As an industry, we’ve conducted security awareness training for users on choosing strong passwords and passphrases, frequently changing passwords, not sharing passwords, not reusing passwords and not writing passwords down. And we’ve conducted security awareness training for companies about not storing passwords in clear text, how to write secure code around access control systems to avoid simple attacks like SQL injection, and how to take advantage of more robust solutions leveraging multi-factor authentication, tokens and the like.

But we keep getting it wrong, and new solutions are turned on daily with simple username and password requirements. Passwords are often stolen in the clear. Users still use the same passwords across multiple devices. And one password across multiple services such as banking, retail, email, social media and corporate assets is the norm. With the popularity of smaller, mobile devices, general password practices are too clumsy, so the passwords become even shorter and more simplified.
Failures

I honestly feel that passwords are a failed human experiment. Even if strong passwords were enough, many people are not willing to follow the best practices needed to make them even slightly more secure. There are some password management tools that work well, sync across multiple devices, and allow extremely complex passwords to be automatically populated on websites. But if ultimately the passwords on the server side are stored in the clear, or an attacker who has the encrypted password file has sufficient processing power — even elastic computing power via cloud services — then even those strong passwords become irrelevant.

Solutions

Many of the security executives I’ve met with are “trying” to move to multi-factor authentication and one-time password solutions that take advantage of smartphones. This is a huge issue for them because the amount of time and resources spent addressing password issues is exploding, with most users now having four or five devices that need access to organizational resources instead of one or two.

For these security executives, the solution to this problem is the smartphone:

- Virtually everyone has a smartphone
- Most people are never far from their smartphone, and it’s always on
- Smartphones can take advantage of biometrics
- Smartphones can use GPS as part of the authentication requirements
- Smartphones can use multi-factor authentication with sounds, images, text-messaged codes and the like

Moving away from passwords is never as simple as rip and replace. There is pushback to any change, or it wouldn’t be real change. Moving away from passwords is no different. And there are legitimate concerns.
For example:

- Passwords are simple, and anything beyond a password has a chance of being more complicated
- Other solutions can cost the user or organization more
- People will need to be taught how to use a new solution; that takes time, and you don’t want to lose sales, for example, in the process
- Passwords are universally accepted; there is nothing else universally accepted that stands out as a clear, simple, cheap alternative offering enhanced security
- When biometrics are part of the equation, for many people the fear of getting a digital fingerprint stolen, for example, is “sketchier” than changing a password

Change

With the high rate of cybercrime, changes can’t come soon enough. All the investment in robust incident prevention, detection, response, threat intelligence, asset management, identity solutions and the like is weakened by the use of traditional passwords.

Hopefully, very soon, using passwords will be as archaic as calling a theater to find out movie times, having a pocket full of change for the payphone, buying an encyclopedia set or walking into a bank more than once a quarter.

I’m curious to understand what position you take on passwords. What’s working; what’s not? And what are some of the success cases you’ve had, either personally or organizationally, when adopting more robust solutions? Feel free to answer in the comments section below.
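The two technical points the article raises, that a strong password is worthless if the server stores it in the clear or in a cheaply crackable form (the Failures section), and that a smartphone-based one-time code is the second factor most organizations reach for (the Solutions section), are shown together in the following added Python example. It is not code from the article or its author. It stores each password with a random per-user salt under the memory-hard scrypt KDF, so an exfiltrated credential file costs real compute per guess, and it requires an RFC 6238 TOTP code of the kind a phone authenticator app produces. The scrypt parameters, the in-memory USERS dictionary and the usernames and passwords are assumed values constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# scrypt work-factor parameters: assumed values for illustration, tune to your hardware.
# Memory use is roughly 128 * r * N bytes (16 MiB here), which is what slows down
# GPU/cloud brute force against a stolen password file.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Return a storable 'scrypt$N$r$p$salt$digest' record for the password.

    A random salt per user means identical passwords hash differently and
    precomputed tables are useless; the KDF cost is encoded so it can be raised later.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_password(password, stored):
    """Recompute the KDF with the parameters stored in the record and compare in constant time."""
    _, n, r, p, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    counter = int(timestamp // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret, code, timestamp, step=30, window=1):
    """Accept the current step plus/minus `window` steps to tolerate phone clock skew."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + drift * step, step), code):
            return True
    return False


# Constructed in-memory "user database" for the example; a real system would persist this.
USERS = {}

# Hashed once at import so that logins for unknown usernames still pay the KDF cost
# (otherwise response time would reveal which usernames exist).
DUMMY_HASH = hash_password("dummy-password-for-timing-equalisation")


def register(username, password):
    """Create the user; returns the base32 TOTP seed that would be shown as a QR code for enrolment."""
    secret = os.urandom(20)
    USERS[username] = {"pw": hash_password(password), "totp": secret}
    return base64.b32encode(secret).decode("ascii")


def login(username, password, code, timestamp=None):
    """Both factors must pass: the scrypt-protected password and a fresh TOTP code."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    record = USERS.get(username)
    pw_ok = verify_password(password, record["pw"] if record else DUMMY_HASH)
    if record is None:
        return False
    return pw_ok and verify_totp(record["totp"], code, timestamp)


if __name__ == "__main__":
    seed = register("alice", "correct horse battery staple")   # constructed sample user
    now = int(time.time())
    print("enrol this seed in the phone app:", seed)
    print("login with password + current code:",
          login("alice", "correct horse battery staple", totp(USERS["alice"]["totp"], now)))
    print("login with password only (blank code):", login("alice", "correct horse battery staple", ""))
```

The `totp` function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives `94287082` with eight digits), which is a useful check before trusting any home-grown implementation. Note that the stored record carries its own KDF parameters, so the cost can be raised for new hashes as hardware improves without invalidating existing users.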