Monday, October 5, 2015

Editorial: The password needs to go


The password, the chief means of securing access to our most valuable data, has become almost completely useless, no longer even presenting a speed bump for hackers and mischief makers.

There are a myriad of problems with the password in the modern computing context. We are no longer signing onto a single mainframe. We have multiple applications in use across various platforms. That means we are forced to remember far too many passwords. This causes people to use silly ones like 1234 or the same password across multiple sites, not even attempting to be secure.

Think about the last time you got a new device and wanted to sign onto Facebook or other favorite online service. If you’re like me, and use different passwords across sites, you probably forgot yours. You could do what I always do and click Forgot Password, but that would mean changing the password across all devices. It’s a horrible system.

I face this problem quite often and I’m sure I’m not the only one. We clearly need a better way.


Too Many Passwords

The static password sitting in a database, is perhaps the dumbest idea anyone ever came up with for security. As soon as a resourceful (or even not terribly bright) hacker finds his or her way into the database, as we’ve learned time and time again, the passwords are sitting there for the taking, a giant treasure chest, a hacker’s wet dream.

A 2012 poll found that 41 percent of people memorize their passwords, while 29 percent write them down and 9 percent store them on a file on their computers. None of these are ideal options.

Another 2012 survey found that the average person had 17 personal passwords and 8.5 work passwords. Chances are those numbers have only increased since that time. If you truly do use multiple passwords, then trying to remember more than 25 passwords is a daunting task.

There are businesses like Ping Identity and Okta that try to simplify this with single sign-on with various degrees of success. That works for the business side, but doesn’t really help consumers.

We can use password managers to help us remember, but of course, the password manager is protected by — you guessed it — a single password. That means if someone hacks the password manager, they get access to *all* your passwords. This actually happened to LastPass earlier this year.

However many passwords you have or however careful you are, chances are at least some of them have been scooped up in the many infamous hacks over the last two years.

The Consequences of Inaction

We’ve seen this story repeated ad infinitum. The breaches are etched on the Internet Wall of Shame. From Target to Sony to Anthem to the US Office of Personnel Management (OPM), we have seen this type of massive breach happen repeatedly. And with each incident, more passwords are thrust upon the hacking blackmarket.

Not all these incidents are due to faulty passwords of course, but it’s not terribly hard for a hacker to guess their way in or use malware to steal one, even without getting a treasure trove from a mega hack. And once they’re in the system, they have more sophisticated ways to begin to rob the various data stores.

Part of the problem according to Steve Herrod, who is managing director at General Catalyst, a firm that funds many security firms including Ping Identity, Menlo Security and ThreatStream, is that companies simply don’t have a good grip on the data in their databases.

“Someone at the top level has to start doing data inventorying. Here are the database things I own. How bad would it be to hear that this was breached,” Herrod asked. Once you know what you have, you are going to be able to do a better job of protecting the company’s crown jewels. The problem is that the protective systems aren’t always being aimed at the highest priority data, he said.

Take The Burden Off The Users

Here’s the thing. The burden shouldn’t be on us, the users. It’s really up to the smart people who own the internet companies to start thinking about how to simplify security, to make it easier and more accessible for users, while making it hard for the bad guys to steal credentials. This would be a much better use of their time than trying to figure out how to serve us better ads — just saying.

Too often the systems in place put the responsibility on the user and make life miserable for consumers or employees. When you have to replace your password every 30 days, and not repeat any information you’ve used in the past, use upper and lower case letters, at least two numbers and a symbol; that’s a huge effort for the user. It forces people to remember unnatural passwords and it leads them to use insecure methods like writing them on sticky notes and pasting them to their monitors, or perhaps even in something just as obvious like a Password Logbook.

The key is to find a way to secure our personal information without putting undue hardship on the user, while making it difficult — ideally impossible — to steal. That would require automated ever-changing passwords or perhaps something like a fingerprint or eye scan. It’s worth noting that I always have my finger and my eye with me. I can’t forget them and you don’t have store the scan in a database. It can interact at the system level and never be accessed by anyone (except for some creepy scenarios I would rather not consider). The equipment for an eyescan, a camera, is already in place on most devices. Many others are equipped with finger print scanners.

Nothing is foolproof of course, but there has to be a better way than what we do now. The password is ineffective and it puts the onus entirely on the user, which is exactly opposite of how the system should be working. Even when you are good about passwords — and I don’t think most people are, if we are being honest — it doesn’t matter once the database has been breached. You can have the best damn password on the planet, and once somebody steals it, they have it.

I therefore implore all you smart engineers and security geeks to gather your collective intelligence and use all of that brainpower to find a better way. There simply must be a better way.

No comments:

Post a Comment