The password is dead, long live the password?

There have been many reports of the death of the password.

However the password remains the most common authentication method by far.  Indeed, many apparently forward looking organisations still rely on them for their staff and customers security.

Given the multitude of well published breaches caused by password hacks, and the number of stolen password databases it would seem like a no brainer for organisations to move to more secure authentication methods.

Indeed, as this article from a couple of years ago demonstrates clearly passwords are not very hard to crack;

Even if you think your password is especially complex..

Interestingly it seems many ‘free’ services such as Yahoo and Gmail are actually leading the way and trialling more secure solutions even if they are not as slick as they potentially could be.  So we have a situation where your free service offers you more secure authentication than many of the paid services you or your organisation may use.

If you have services that only offer passwords as an authentication, or if you as an organisation still only offer this, then please adhere to 3 simple pieces of advice.  And please make the effort to educate your colleagues and customers!

  1. Have the passphrase mindset, not password.  Length beats complexity so use long, but easy for you to remember passphrases.
  2. Use a variety of passphrases for different sites, so if one is compromised your other accounts are not
  3. Change them reasonably frequently, say every 90 days.
  4. Oh and as a bonus, don’t ever share them!

So while everyone seems to agree passwords are pretty poor from a security perspective, very few organisations are really working to move away from them in the near term.

Why is this?  The reasons I can think of are;

  • They are free and easy
  • Everyone sort of understands them
    • I say sort of because we know what they are but provably fail to create ones that are difficult to crack, we re-use them extensively etc.
  • While the broader public read about how bad they are, they still don’t really push for something better.
    • Or they just accept them as most companies don’t offer anything better so what choice do they have?
  • More secure solutions involve change
    • People and organisations are often scared of change
    • What will our customers think?
    • Will it be difficult?
  • More secure solutions will involve cost
    • Implementation
    • Licenses
    • Support / management

However I think now really is the time to start moving on this.

Ask yourself;

  • Does your organisation want to be in the news as the next one suffering a breach relating to passwords, whether cracked, social engineered or stolen?
  • Do you want to lag behind competitors and ‘free’ services as they start offering more secure authentication solutions?

In terms of offering more advanced and secure authentication solutions, there are many potential benefits to your organisation and its customers including;

  • Differentiation (for a time)
    • Get ahead of your competitors, be seen as a technical and security leader by offering very public security enhancements.
    • This will also help your reputation as an organisation that takes security seriously.
  • Less hacked / breached accounts
  • Improved security for you and your customers
    • Better security for your customers = better security for you.
    • It is also extremely likely that what ever solution you implement can be rolled our to employees as well as customers.
  • Improved analytics and understanding of your customer environment
    • Most authentication solutions are able to collect a lot of data around both the behaviour of users, and their environment (browser and device information).
    • This is especially true of those that support risk based authentication.
    • If your organisation collects data into a big data platform, then this data can further enrich that, enabling greater analysis of user behaviour, what good / bad looks like etc. (more on this in a later post).
  • Better customer experience
    • Risk and policy based authentication enables decisions to be made based on things like the users historical behaviour, device knowledge, and the action within the application they are performing.
    • This means that for lower risk, known activities from known devices the users interaction with the system may be entirely friction free for them.  ‘Step-up’ authentication can be applied when they step outside of normal behaviour, or want to perform higher risk / administrative type activities.
  • Staying ahead of regulatory requirements
    • Increasingly regulators are starting to require ‘strong authentication’ for customer interactions with an organisations systems.  This is especially true in areas such as banking and payments.
    • Implementing solutions now will save you a rush to meet regulatory requirements in the near future.

I hope from the above that my position on this is clear.. It is time to move away from relying on passwords, and there are huge benefits from doing so.

It would be great to hear from you and to get an idea of how many organisations are genuinely planning to implement more secure and innovative authentication solutions vs. those who frankly have their heads in the sand.




Using passwords for authentication

Recently when researching form my Masters project I came across some studies about users and password use.  I think we now know that passwords should be dead and replaced / augmented by something better such as two factor authentication using token or biometrics.  However many systems still rely on usernames and passwords.

In terms of business, in order to improve security many companies now add two-factor authentication when logging in remotely so the user enters their username, some sort of pin or password and a value from a hardware or software token.  This helps with the issues around passwords when remotely logging into systems such as when working from home, it does nothing to improve the security of logging in with just a username / password in the office.

The traditional assumption has been that it is OK to use just username / password when logging in from a more secure location such as the office when you are already connected to the trusted network.  Assuming your business uses modern operating systems that employ salted hashes for any password storage or transmission the issue it not with someone malicious managing to ‘sniff’ the password while it is in transit, or getting hold of the password store.  However what of the users who use the same password for multiple systems?  If your users log into insecure web sites using the same or very similar passwords to those they use to log into the secure business systems?

Studies have shown that nearly all users re-use passwords.

In addition users will tend to use the least complex, easiest to remember password possible – so while your businesses chosen level of complexity may have a password space of xxxxx passwords, the users passwords may actually tend to occupy a much smaller space, or be easy to guess despite meeting the password complexity requirements.

People will also tend to write down passwords that are too difficult to remember easily.

So I’d strongly recommend moving away from just relying on passwords and utilize some form of multi-factor authentication even within the office environment.  This is not as difficult as it may sound – most (all?) modern operating systems support multi-factor authentication out of the box.

If you cannot move away from just relying on passwords then a use education program is a must.  A good password is not just a complex one, it must combine complexity and being difficult to crack with also being easy to remember for the user.  If users can understand both the password policy and the rational for that, along with ways to come up with strong passwords that are easy for them to remember this will lead to a more secure environment.

Interestingly, we again come around to user education and training being a key component of a defense in depth security strategy.