Passwords will never die!
White House cybersecurity coordinator Michael Daniel stated at the 9th annual Identity Ecosystem Steering Group’s conference, “I often say that one of my key goals in my job that I would really love to be able to do is to kill the password dead.”
Really? With all the attacks and hacks coming from foreign governments, organized crime, hacktivists and terrorists, you want killing passwords to be your key goal? Multifactor authentication consists of three parts: something you Know, something you Have and something you Are. Passwords are the something you Know, so by killing passwords you weaken authentication.
Mr. Daniel continued by stating, “It’s one of these interesting situations where everybody knows that the passwords are terrible, and yet they remain the most prevalent security method we have.”
Passwords aren’t terrible. Placing security responsibility on the weakest link in the chain (the employee) is terrible. Employees pick terrible, insecure passwords. They write them on sticky notes. Employees use the same password on multiple sites, and they type them into malware-infected computers. In other words, employees are terrible password managers.
Passwords are pervasive because they are the only authentication factor that is easy to change and inexpensive to implement. Digital certificates cost time and money to implement. Changing a person’s fingerprint is, of course, illegal. Changing biometric algorithms requires complete system and network updates. And changing private keys is cumbersome because you end up managing multiple keys to access historical data. Well-managed passwords, combined with a smartcard, encryption, hashing and strong policies, are very secure.
Mr. Daniel also argues that as cyber-attacks become more sophisticated and destructive, cybersecurity is jeopardized by “exploiting weak password or stolen passwords.”
It’s true that cyber-attacks, through passwords, have the highest intrusion rate. That’s because they are also the most widely used form of authentication. But when Daniel said “exploiting weak passwords or stolen passwords”, he identified that the true culprit is not the password, but rather the management of passwords. Weak passwords are a user management issue. Stolen passwords are an IT management issue.
The alternative would be to implement a national cybersecurity ID that utilizes digital certificates and public/private key pairs. One organization our current administration has tasked with this is the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls for agencies to collaborate with industry to develop an “identity ecosystem.”
Guess what, passwords are just a series of characters that are then converted into a long string of 0’s and 1’s that are then stored in a computer or server. This string is then compared to what the user enters. If they match, they’re in; if not, they try again. I hate to break the news to Mr. Daniel, but public keys, private keys, digital certificates and biometric templates are ultimately also just a string of 0’s and 1’s.
Here’s what I think about password security:
- Passwords are secure! What’s insecure is how they are currently managed, both by the user and by IT. Users will create passwords that are easy for them to remember. They will write them down on notes, and will use the same one for their bank accounts as well as their chat board. IT often stores passwords in a database that is not encrypted and/or not salted. These are all examples of insecure management, not of the insecurity of passwords as a means of authentication.
- Private keys and biometric templates are perceived to be more secure than passwords. However, what makes keys and templates secure is the data protection infrastructure around them: isolated data files, smartcards, cryptographic communication channels (e.g. SSL), data encryption and hashing protocols. By implementing these same measures for passwords, passwords become just as secure. Because passwords leverage much of the existing software authentication infrastructure, the cost of secure password integration is very low.
- Strong certificate based authentication is no stronger than a strong password. What makes certificates strong is how the private key is protected. However, once a private key is exposed, hackers will have access just as if they had stolen a password. Again, the security is in the management!
- With all the revelations from Snowden and the NSA spying allegations, a strong, ever changing password may actually be more secure than a government-generated certificate, which is likely to have a backdoor. At least with a strong 500 character password (which is doable with an enterprise level password manager solution like Power LogOn®), you’re going to have to make the NSA work a little harder to break in.
- Finally, passwords make up one leg of the multifactor authentication stool: something you Know. By removing this leg, authentication is left with the two most expensive legs: something you Have (an NSA-issued credential) and something you Are (biometrics).
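The point about IT storing unsalted password data deserves a concrete illustration. The following is an added example, not code from the original post or from Power LogOn: it contrasts a bare, unsalted hash with a per-user salted and iterated hash (PBKDF2-HMAC-SHA256 from Python’s standard library), shows why two employees who pick the same password must not end up with the same stored record, and confirms that a 500-character password is handled without trouble. The record format and the iteration count are this example’s own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not a standard).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_record(password: str) -> str:
    """The weak storage pattern: one plain SHA-256 over the password.

    No salt and no stretching, so equal passwords give equal records and a
    leaked table can be attacked with precomputed hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened pattern: random per-user salt plus an iterated keyed hash.

    Stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' so the verifier can
    recover the parameters later and raise the cost without a password reset."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    pw = password.encode("utf-8")          # any length works; a 500-char password is fine
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                          # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_same_record(password: str, make_record) -> bool:
    """True when two users who chose the same password get identical stored records."""
    return make_record(password) == make_record(password)
```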
Cybersecurity consists of many different policies, layers and parts that all have to work together. While there is no single silver-bullet solution, it has always been my belief that security starts before the firewall, by first correctly authenticating the person seeking access to the network. Once an attacker is inside the network, it can be much harder to detect and stop the attack. The weakest link of any security architecture will bring down the entire system. It has always been a race for IT to find those weak links before a hacker does.
I’ve made my case above that blaming passwords is wrong. While there are different authentication solutions available in the market, passwords are a strong, viable solution. The real security issues are allowing employees to manage passwords and IT not properly protecting password data.
To quote Merlin Hay, Lord of Erroll (Director, EURIM, Member of the House of Lords), “The greatest cybersecurity threats are stupidity, apathy and complacency.”