Understand the difference between Password Authentication and Password Management
Don’t kill passwords because the industry is confused between password authentication and password management. In their latest “2016 Data Breach Investigation Report,” Verizon spells out the most common ways credentials get stolen: key loggers, malware, social engineering and phishing. Nothing new there. Verizon also concludes that 63% of confirmed data breaches involved a hacker leveraging weak, default, or stolen passwords. Again, not a huge surprise. The report’s Earth shattering recommendation was… “user names and passwords are great for fantasy football leagues, but there needs to be stronger authentication.” The truth is, the problem is way more complex than simply killing passwords.
The report failed to clarify why attacks on passwords are so successful. Hackers simply go after the weakest link in the cybersecurity chain: humans. The problem is not the viability of password authentication; it’s how passwords are managed. Specifically, who manages them and what technologies (if any) are used for the job. You don’t kill passwords just because they are poorly managed. Instead, you fix the management.
Password Authentication vs. Password Management
The one phrase I say at least ten times a day is, “We don’t have a password problem. What we have is a password management problem!” That’s because there is a big difference between the viability of a security element and how that element is safeguarded. It doesn’t matter how good any component is in theory, if it is poorly implemented, managed and safeguarded it is domed to fail. Let’s look at defining these two password functions.
Password Authentication is the Knowledge component of the three factors of authentication (the other two are possession i.e. cards, and inheritance i.e. biometrics). These factors of authentication are used to identify, with a reasonable level of assurance, that the person or device requesting access is who they say they are. Each factor brings its own unique advantages and disadvantages to cybersecurity. The Knowledge-based factors allow for fast and easy changes, is already a part of most operating systems and applications, is secret to the user, and is a very familiar form of authentication to most computer users.
Password Management defines how securely that Knowledge is generated, entered, and stored. When the same password is used everywhere, that’s management. When passwords are shared or revealed, that’s management. When password files are stored in unprotected servers and the files are not encrypted or salted, then that too is a management issue. The attacks that Verizon highlights are all targeted at the management of passwords.
Solutions like certificates and Public Key Infrastructure (PKI) get tossed around as if they are cybersecurity’s saviors. That’s not necessarily the case. What makes PKI secure is not the encryption algorithms (everyone knows them), the prime numbers used to generate the key pairs (there are only a finite number of those), or even the infrastructure (complexity adds vulnerability.) One important component that keeps PKI secure is how the private key is protected. When a private key gets compromised, the entire authentication infrastructure becomes useless. That’s why Key management is very important to PKI. Likewise, you don’t kill passwords when password management is secure.
In a recent Computerworld article, “Quantum computing has the cybersecurity world white-knuckled“, Michele Mosca, co-founder of the University of Waterloo’s Institute for Quantum Computing and special advisor on cybersecurity to the Global Risk Institute warns that in ten years there’s about a 15% chance that public-key cryptography with be broken. In fifteen years it jumps to 50%.
I want to be clear on an important point. I am not comparing the functions of PKI to passwords. PKI is an entire infrastructure of many technologies leveraged together so that (ideally) each technology’s weakness is offset by another technology’s strength. Passwords should be compared to only one aspect of PKI: the Private Key. The Private Key is the secret component within PKI, just as a password is the secret component to Password Authentication. Users don’t know or type in their Private Key, so why do users have to know or type in their password? To a computer, both Private Keys and passwords are nothing more than a long string of 0’s and 1’s. There is no reason that a password cannot be as long as any Private Key. By using similar methods, hardware and software that protect Private Keys to protect passwords, a hacker ability to steal a password decreases exponentially. When password management is secure then you don’t kill passwords.
Don’t kill passwords?
In my new book, Making Passwords Secure: Fixing the Weakest Link in Cybersecurity, I introduce a new concept called Password Authentication Infrastructure (PAI). This is where the best attributes of many different technologies are brought together to strengthen passwords and password management. It combines multi-factor authentication, Secure Hardware Modules, password management tools, data encryption, secure communication channels, and a whole lot more. I also expose the many myths, errors and lies regarding the security of passwords, as well as detailing solutions that make passwords secure.
Here are four important suggestions:
- Stop users from knowing, remembering, typing, generating, and managing their own passwords.
- Utilize the same techniques and technologies used to protect PKI Private Keys to also protect and manage passwords.
- Use an encrypted, multi-factor, enterprise password manager.
- Stop relying on single factor authentication, and instead move to Multi-Factor Authentication
To learn more about how to create and implement a secure Password Authentication Infrastructure (PAI), click here.
Passwords are not going away. Nor should they! Attacking a secure methodology without understanding the real problem is stupid because it weakens all the available option for cybersecurity. There is no silver bullet, one size fits all solution to prevent all the cyber attacks that have been occurring. Choosing the right security is based upon the treat assessments, budgets and valuation. Remember, when you read or hear another news report about a cyberattack where passwords are blamed, ask yourself, “Was that a Password Authentication problem or a Password Management problem?”
Dovell Bonnett – “The Password Guy”
Dovell Bonnett has been creating computer security solutions for over 20 years. His passionate belief that technology should work for humans, and not the other way around, has lead him to create innovative solutions that protect businesses from cyber-attacks, free individual computer users from cumbersome security policies, and put IT administrators back in control of their networks.
He has spent most of his career solving business security needs, incorporating multiple applications onto single credentials using both contact and contactless smartcards. The most famous example of his work is the ID badge currently carried by all Microsoft employees.
In 2005, he founded Access Smart LLC to provide logical access control solutions to businesses. His premiere product, Power LogOn, is a multi-factor authentication, enterprise password manager used by corporations, hospitals, educational institutions, police departments, government agencies, and more.
Dovell is a frequent speaker and sought-after consultant on the topic of passwords, cybersecurity, and building secure, affordable and appropriate computer authentication infrastructures. His most recent book is Making Passwords Secure: How to Fix the Weakest Link in Cybersecurity.