
Passwords must die – but how?

It’s been a while since I had a chance to find some time for my blog. I still have several topics in my pipeline, but as today is going to be a lazy Sunday staying in my hotel in Louisville, KY, I decided to take a shot at a burning hot topic that has been at the top of the list for a while: #PasswordsMustDie

As you might have seen in the news, on Twitter or in various blogs, Evernote got hacked these days, and it is reported that usernames and passwords (whether they were hashed or not) were taken. I wonder how many of those passwords are also in use at other services, in the worst case together with the same email address. My guess is that at least 60% of the stolen password / email combinations are used at other services as well, because this is the most common mistake we all make: we reuse passwords. Once such a dump is out, attackers simply try the same combinations against every other popular service. We shouldn’t reuse passwords, but as a matter of fact, we do. By doing so, we expose ourselves to an enormous risk. But we accept it.

What could be ways out of this misery?

  • Biometric Authentication
  • Token based authentication
  • Multi-Factor-Authentication

Let’s take a look at all of those.

Biometric Authentication

Some laptops today have a fingerprint reader that can be used to authenticate a user. The HP laptop issued by my employer has one, and I use it at least for the Windows logon. The same laptop also offers face recognition via the built-in webcam. I’ve never tried that feature, since the webcam is not working properly. On the other hand, I do remember a presentation on a laptop (I won’t name the vendor) whose face recognition could be bypassed with a good photo print. A biometric that can be spoofed that easily is worse than a password in one respect: you cannot change your face after it leaks. Looking at the brand new MacBook I’m currently using to type this article, there is no fingerprint reader, but it does have a webcam. Looking at other devices and computers in my family, some have neither. On those devices there is no way to do biometric authentication without additional hardware. So as long as not all devices have a fingerprint reader by default, there is no way to roll out biometric authentication across mainstream services.

Token based authentication

Token-based authentication requires a service to issue a token to the user. But how is the user identified by the service in the first place? The user has to present something to prove their identity, so this still requires a username and a password (or other attributes) to be exchanged between user and service before any token is issued. Sure, there are SSO applications doing that in an enterprise infrastructure. But what about home users? What do they use to initiate a token-based authentication? They could use, for example, an account at another service that integrates with the one they want to use, such as Google or Facebook. And how are the Google or Facebook accounts secured? Typically by a username and a password. Only a small number of the people I know use two-factor authentication with their phone to log in to Google. Federated login does not remove the password; it concentrates it in one identity provider, whose account then unlocks everything connected to it.

Multi-Factor Authentication

Multi-factor authentication requires not only a password or a PIN, it also requires at least one more factor to authenticate with. This could be a certificate, a one-time security code calculated by a device or an application, or a biometric component such as a fingerprint or a face recognition scan. As discussed earlier, fingerprints and face recognition are pretty much out of the game, as not all devices support those features. Most of you know the RSA tokens issued by our security departments or by customers for logging into the network or remotely into the customer’s network. As these are bound to a network-specific infrastructure component, this would result in a bunch of tokens I have to carry with me all the time. And certificates? More than one major certificate authority has been hacked in recent years.
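The "security code calculated by a device or an application" above is, in practice, an HOTP/TOTP software token (RFC 4226 / RFC 6238), which is what the phone-based two-factor login at Google mentioned earlier uses. The following is an added example written for this page, not code from the original post or from any vendor. It implements both the client side (code generation) and the server side (verification with a small clock-drift window and a constant-time compare). The secret and the timestamps are the public test vectors from the RFCs, not data from any real account.

```python
"""Added example (not from the original post): a software token that computes
RFC 4226 HOTP / RFC 6238 TOTP one-time codes, plus the server-side check.
Secret and test times are the public RFC test vectors, not real account data."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret "12345678901234567890", base32-encoded,
# which is the form authenticator apps receive from an enrolment QR code.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    digest = hmac.new(key, msg, algo).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6, algo=hashlib.sha1):
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // step, digits, algo)


def verify_totp(secret_b32, code, at=None, step=30, window=1, digits=6):
    """Server-side check: accept the code for the current step and +/- `window`
    steps to tolerate clock drift; compare in constant time. A real server must
    additionally remember the last accepted step so a code cannot be replayed."""
    t = int(time.time()) if at is None else at
    for skew in range(-window, window + 1):
        expected = hotp(secret_b32, t // step + skew, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(RFC_TEST_SECRET_B32, 0))                  # 755224 (RFC 4226)
    print("TOTP at T=59   :", totp(RFC_TEST_SECRET_B32, at=59, digits=8))    # 94287082 (RFC 6238)
    print("TOTP right now :", totp(RFC_TEST_SECRET_B32))
```

Note what this does and does not solve: the shared secret still has to be provisioned once (usually after a password login), so the token is the second factor, not a replacement for the first; and the window parameter is a trade-off between tolerating phone clock drift and widening the guessing surface.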

So what’s the conclusion out of this?

As much as I agree that passwords must die, I don’t see any chance of that happening soon. It would require at least a standard for a mixture of token-based authentication and multi-factor authentication. But no hardware tokens please. How about a multi-platform token application for smartphones? Oh, right... what about people without smartphones? You see, it’s a long way to go, and we have only just started it with the first services offering alternative ways to authenticate, such as SSO with Google.

What could be done to make passwords more secure in the meantime?

  1. Use strong passwords (a long combination of lower case and upper case letters, numbers and special characters; length matters more than the exact character mix)
  2. Don’t reuse passwords (I know, it’s not very convenient; a password manager makes it bearable)
  3. Services need to enforce password policies and password change intervals, and above all store passwords properly (salted, slow hashes, never plain text); a forced reset after a known breach matters more than routine rotation
  4. If you’re using SSO with Google or Facebook, make sure those passwords are ultra-strong, change them from time to time, and enable the two-factor authentication Google already offers, since that one account now guards all the others
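Point 3 above, and the "hashed or not" question raised by the Evernote breach, come down to how a service stores the passwords it is entrusted with: a stolen database of properly salted, slow hashes does not hand the user’s reused password to every other site. The block below is an added example written for this page, not code from the original post or from Evernote. It uses PBKDF2-HMAC-SHA256 from the Python standard library for portability (scrypt or Argon2 are the stronger choices where available), a per-user random salt, and a constant-time comparison on verification. The policy thresholds in meets_policy (12 characters, three of four character classes) and all user names and passwords are assumptions made for the example.

```python
"""Added example (not from the original post): server-side password storage
with a per-user salt and a slow KDF, plus a simple policy check.
All passwords below are constructed test data; thresholds are assumptions."""
import hashlib
import hmac
import os
import string

ITERATIONS = 600_000      # OWASP (2023) guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
RECORD_ALGO = "pbkdf2_sha256"


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    A fresh random salt per user means two users with the same password get
    different records, so one cracked hash does not unlock the others."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{RECORD_ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the salt and iteration count from the record; compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != RECORD_ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def meets_policy(password, min_length=12, min_classes=3):
    """Assumed policy: at least `min_length` characters and at least
    `min_classes` of {lower, upper, digit, special}. Length is weighted
    most heavily because it is what actually raises the guessing cost."""
    if len(password) < min_length:
        return False
    classes = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= min_classes


if __name__ == "__main__":
    # Constructed demo users; "same" is deliberately reused by both.
    users = {"alice@example.com": hash_password("same"),
             "bob@example.com": hash_password("same")}
    print("records differ despite equal password:",
          users["alice@example.com"] != users["bob@example.com"])   # True
    print("alice logs in:", verify_password("same", users["alice@example.com"]))  # True
    print("wrong password:", verify_password("Same", users["alice@example.com"]))  # False
    print("policy ok:", meets_policy("Tr0ub4dor&3xtra!"), meets_policy("password"))  # True False
```

The iteration count is stored inside the record so it can be raised later without invalidating old hashes: verify with the old count, then re-hash at the new count on the next successful login.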

None of this is new, but as the Evernote case reminds us to reset our account data and authentication information, we also need to remind ourselves how to handle passwords safely until they die.

Categories: Cloud, IAG, IAM, Identity, Security, Strategy