The password is dead, long live the password?

There have been many reports of the death of the password.

However, the password remains the most common authentication method by far.  Indeed, many apparently forward-looking organisations still rely on passwords for the security of their staff and customers.

Given the multitude of well-publicised breaches caused by password attacks, and the number of stolen password databases, it would seem like a no-brainer for organisations to move to more secure authentication methods.

Indeed, as this article from a couple of years ago clearly demonstrates, passwords are not very hard to crack:

Even if you think your password is especially complex.

Interestingly, it seems many ‘free’ services such as Yahoo and Gmail are actually leading the way and trialling more secure solutions, even if they are not as slick as they potentially could be.  So we have a situation where your free service offers you more secure authentication than many of the paid services you or your organisation may use.

If you use services that only offer passwords as an authentication method, or if you as an organisation still only offer this, then please adhere to 3 simple pieces of advice.  And please make the effort to educate your colleagues and customers!

  1. Have a passphrase mindset, not a password mindset.  Length beats complexity, so use long passphrases that are easy for you to remember.
  2. Use a different passphrase for each site, so that if one is compromised your other accounts are not.
  3. Change them reasonably frequently, say every 90 days.
  4. Oh, and as a bonus, don’t ever share them!

So while everyone seems to agree passwords are pretty poor from a security perspective, very few organisations are really working to move away from them in the near term.

Why is this?  The reasons I can think of are:

  • They are free and easy
  • Everyone sort of understands them
    • I say ‘sort of’ because we know what they are, but we demonstrably fail to create ones that are difficult to crack, we re-use them extensively, etc.
  • While the broader public read about how bad they are, they still don’t really push for something better.
    • Or they just accept them as most companies don’t offer anything better so what choice do they have?
  • More secure solutions involve change
    • People and organisations are often scared of change
    • What will our customers think?
    • Will it be difficult?
  • More secure solutions will involve cost
    • Implementation
    • Licenses
    • Support / management

However, I think now really is the time to start moving on this.

Ask yourself:

  • Does your organisation want to be in the news as the next one suffering a breach relating to passwords, whether cracked, socially engineered or stolen?
  • Do you want to lag behind competitors and ‘free’ services as they start offering more secure authentication solutions?

In terms of offering more advanced and secure authentication solutions, there are many potential benefits to your organisation and its customers, including:

  • Differentiation (for a time)
    • Get ahead of your competitors, be seen as a technical and security leader by offering very public security enhancements.
    • This will also help your reputation as an organisation that takes security seriously.
  • Fewer hacked / breached accounts
  • Improved security for you and your customers
    • Better security for your customers = better security for you.
    • It is also extremely likely that whatever solution you implement can be rolled out to employees as well as customers.
  • Improved analytics and understanding of your customer environment
    • Most authentication solutions are able to collect a lot of data around both the behaviour of users, and their environment (browser and device information).
    • This is especially true of those that support risk based authentication.
    • If your organisation collects data into a big data platform, then this data can further enrich that, enabling greater analysis of user behaviour, what good / bad looks like etc. (more on this in a later post).
  • Better customer experience
    • Risk- and policy-based authentication enables decisions to be made based on things like the user’s historical behaviour, knowledge of their device, and the action they are performing within the application.
    • This means that for lower-risk, known activities from known devices the user’s interaction with the system may be entirely friction-free.  ‘Step-up’ authentication can be applied when they step outside of normal behaviour, or want to perform higher-risk / administrative type activities.
  • Staying ahead of regulatory requirements
    • Increasingly, regulators are starting to require ‘strong authentication’ for customer interactions with an organisation’s systems.  This is especially true in areas such as banking and payments.
    • Implementing solutions now will save you a rush to meet regulatory requirements in the near future.
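To make the risk- and step-up decision described above concrete, here is a small policy engine I have added as an illustration; it is not code from this post or from any authentication product.  The risk weights, the action names and the device-integrity flag are assumptions chosen for the example.

```python
"""Toy risk- and policy-based step-up authentication engine (added example).
Scores a request against what is known about the user (devices, usual
countries, recent failures) and the sensitivity of the requested action,
then returns ALLOW (friction-free), STEP_UP (ask for a second factor) or DENY."""
from dataclasses import dataclass, field

# Assumed action sensitivity weights: routine activity scores low,
# administrative / higher-risk operations score high.
ACTION_RISK = {"view_balance": 0, "pay_known_payee": 1, "add_payee": 3,
               "change_password": 4, "admin_settings": 5}
# Policy rule: these actions always require step-up, whatever the score.
ALWAYS_STEP_UP = {"change_password", "admin_settings"}

@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)     # device knowledge
    usual_countries: set = field(default_factory=set)   # historical geolocation
    failed_logins_today: int = 0                        # recent behaviour

@dataclass
class Request:
    device_id: str
    country: str
    action: str
    device_integrity_ok: bool = True   # assumed client-side integrity signal

def risk_score(profile: UserProfile, req: Request) -> int:
    """Additive risk score; an unknown action is treated as high risk."""
    score = ACTION_RISK.get(req.action, 5)
    if req.device_id not in profile.known_devices:
        score += 3                     # new device for this user
    if req.country not in profile.usual_countries:
        score += 3                     # geolocation outside normal behaviour
    if profile.failed_logins_today >= 3:
        score += 2                     # recent failed logins on the account
    return score

def decide(profile: UserProfile, req: Request) -> str:
    """Map the score and policy rules to a decision."""
    if not req.device_integrity_ok:
        return "DENY"                  # compromised client: block and alert the customer
    score = risk_score(profile, req)
    if score >= 10:
        return "DENY"
    if score >= 4 or req.action in ALWAYS_STEP_UP:
        return "STEP_UP"
    return "ALLOW"                     # known device, known country, routine action

if __name__ == "__main__":
    user = UserProfile(known_devices={"dev-A"}, usual_countries={"GB"})
    for r in (Request("dev-A", "GB", "view_balance"), Request("dev-B", "US", "add_payee")):
        print(r.action, r.device_id, r.country, "->", decide(user, r))
```

The thresholds are deliberately simple; a production engine would derive weights from the behavioural and device data the post describes and would log the score alongside the decision for later analysis.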

I hope from the above that my position on this is clear: it is time to move away from relying on passwords, and there are huge benefits in doing so.

It would be great to hear from you and to get an idea of how many organisations are genuinely planning to implement more secure and innovative authentication solutions vs. those who frankly have their heads in the sand.




Extending the Perimeter

There are many articles covering ‘the borderless enterprise’ / de-perimeterisation and how the firewall and network perimeter are dead.  For the vast majority of enterprises I fundamentally disagree with this premise.

Most companies have, and will continue to have, a relatively well defined ‘core’.  This may be anything from physical servers in a data centre they own through to a completely ‘virtual’ data centre in a public cloud.  What they all have in common is a set of servers / services and the associated business data that they really care about protecting, with enforced rules around what can connect to them and how.

Even in the supposedly de-perimeterised world of mobile, BYOD etc., the reality is that most business services will have rules around how they can be connected to.  These can range from basic stateful rules that just define the network addresses, ports and protocols that are permitted, but do nothing to interrogate the traffic that matches them, through to fully application-aware next-generation firewalls and web application firewalls that decrypt and inspect the application traffic.

I may do a further post on the subject of ‘the borderless network (or lack thereof)’ at a later date, but now that I have outlined my position, that isn’t the main topic of this post.

Currently we have a situation where many companies / organisations have relatively secure, monitored and access-controlled core systems that house the bulk of their data and systems.  However, how many organisations consider the security of the devices, browsers and apps that connect to them?

For me this is a clear gap in the security posture of the majority of organisations!

How many attacks come from compromised devices / browsers / apps connecting to organisations’ networks?  How much fraud occurs due to compromised end-user systems that could be prevented if the compromised systems were detected?  How many attacks, or how much fraud, from malicious users could be spotted if the malicious use of the application, or the malicious tools being used, could be alerted on?

Considering organisations whose customers run their business through mobile or web applications, how much more engaged would you be with your customers if you could alert them that their system, application or browser may be compromised?

For these reasons, plus some further thoughts, I’m currently investigating various ways we can monitor in real time the condition of any web browsers or mobile applications that connect to an organisation’s web-facing systems.  These solutions involve inserting code into web pages that analyses / interrogates browsers, and code in mobile applications that analyses / interrogates the application and mobile device.  They also have various other features such as checksumming the code / application, using PKI for in-app / in-browser encryption, and device fingerprinting.

I think solving this transparently to the end user will drive security insights, improve an organisation’s security posture and potentially enable closer ties to, and trust from, customers.

These solutions, when linked to some of the current trends in authentication such as geolocation and behaviour analytics, can be combined to provide security analytics of a quality far above that which is usually available.

What do you think?

Feel free to contact me via this blog if you’d like to discuss this further or share your thoughts on the security of devices connecting to your organisation.


RSA Security Summit London April 2014 – Keynote 1

First keynote speech of the day, delivered by Brian Fitzgerald, VP RSA Marketing

Security Redefined: Managing risk and securing the business in the age of the third platform

1st platform – 1970s – mainframe / mini computer – Terminals – Very high level of IT control – Millions of users, thousands of apps.

2nd platform – 1990 – LAN / Internet, Client / Server – PC – High level of IT control – Hundreds of millions of users, tens of thousands of apps – IT controlled; Perimeter bound

3rd platform – 2010 – Mobile / Cloud / Big Data / social – Mobile devices – Low level of IT control (especially end points, and cloud hosted solutions) – Billions of users, millions of apps – User centric; Boundaryless


Increased complexity and less control increases the need for analytics and intelligence.  Moving more from control to governance.

A new security world – becoming increasingly difficult to secure infrastructure.

Must focus on what is persistent; ensure we have control and visibility of:

  • People
  • Flow of data
  • Transactions

A new security approach is required:

  • Move from Prevention (signature based) to Detection (intelligence driven)

Intelligence is a game changer – much data that we do not consider ‘security data’ is or will become security data – key to identifying unusual behaviour in the environment.

RSA’s Focus Areas:

  • Advanced Security Operations; Detecting and stopping advanced threats
  • Identity and Access Management; Securing the interactions between people and information
  • Fraud and Risk Intelligence; Preventing online fraud and cybercrime
  • Governance, Risk and Compliance; Understanding and managing organisational risk

In short, IT is becoming increasingly distributed and complex, while at the same time moving out of the direct traditional control of IT and Security.  We must move to improving our visibility and ability to analyse data, along with the incident response people and processes to back this up and deal with the inevitable breaches.