Passwords. For all the talk about two-factor and multi-factor authentication, and the mainstream adoption of biometrics, passwords are not going away.
While there are more secure alternatives and other authentication methods that can be used alongside the humble password, like it or not, the password is going to be around for a long time to come. More focus is needed on how to make passwords ‘work’. For the vast majority of applications, they’re all we’ve got.
The truth is there’s nothing wrong with passwords. The problem is people. Users select passwords that are too simple, too short and too predictable.
To make things worse (for themselves), users reuse the same passwords across different systems and services. Attackers who gain access to one service can then sign in freely to email, social media, online shopping and even mobile phone and bank accounts. Despite attempts to educate people on the importance of using even relatively long, complex, random unique strings, they don’t. And they rarely change them.
So what if we could improve the way in which passwords are implemented and take responsibility for selecting and changing them regularly away from the user entirely? Security – and the user experience – would be improved significantly.
Password management solutions are not new and fall broadly into two categories:
• Consumer password managers that help individuals create, store and recall passwords, but still rely on the user to change them regularly. Users still know what their passwords to systems and services are.
• SSO solutions that cater to the needs of enterprises and the applications they use. Whilst SSO solutions cover major business applications that support federated identity standards, they often don’t support the thousands of non-standard, smaller web applications.
If an SSO solution can automate the selection and changing of passwords – and ensure that passwords are not only as long and strong as the applications will support but also unique across all accounts – then the inherent human weakness is minimised or eliminated.
This moves passwords closer to the tokens and assertions that are used in federated identity and authentication standards, including SAML and WS-Federation. Pre-defined trust between the identity provider and service provider, typically based on a shared certificate, is mimicked by either having the user enter their current (initial) password so that the SSO solution can subsequently change it, or the SSO solution may provision the account and set the password from the outset.
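As an added illustration (not code from the article or from any product it describes), here is a Python sketch of the two properties the paragraph above asks of an automated SSO solution: a password drawn at the longest length the application accepts, and uniqueness across every account the solution manages. The policy values and the in-memory vault are assumptions; a real solution would keep stored credentials encrypted at rest.

```python
import secrets
import string
from dataclasses import dataclass, field

ALNUM = string.ascii_letters + string.digits
FULL = ALNUM + string.punctuation


@dataclass(frozen=True)
class PasswordPolicy:
    """Constraints an application places on its passwords (assumed values)."""
    max_length: int                    # longest password the application accepts
    alphabet: str = FULL               # characters the application allows
    # character classes that must each appear at least once
    required: tuple = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def generate_password(policy: PasswordPolicy) -> str:
    """Draw a password of the application's maximum length from the OS CSPRNG,
    rejecting candidates that miss a required character class."""
    if policy.max_length < len(policy.required):
        raise ValueError("max_length too short to satisfy required classes")
    for cls in policy.required:
        if not set(cls) & set(policy.alphabet):   # would never terminate otherwise
            raise ValueError("required class not representable in alphabet")
    while True:
        candidate = "".join(secrets.choice(policy.alphabet) for _ in range(policy.max_length))
        if all(any(c in cls for c in candidate) for cls in policy.required):
            return candidate


@dataclass
class CredentialVault:
    """In-memory stand-in for the SSO solution's credential store (assumption)."""
    passwords: dict = field(default_factory=dict)   # account -> current password

    def rotate(self, account: str, policy: PasswordPolicy) -> str:
        """Set a fresh password for `account` that differs from every password
        currently in the vault, including the account's own previous value."""
        in_use = set(self.passwords.values())
        while True:
            new = generate_password(policy)
            if new not in in_use:
                self.passwords[account] = new
                return new

    def all_unique(self) -> bool:
        """True when no two managed accounts share a password."""
        values = list(self.passwords.values())
        return len(values) == len(set(values))
```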
There is a secondary benefit to improving the strength and uniqueness of credentials on individual user accounts.
A significant percentage of large-scale breaches share something in common. According to the Verizon 2014 Data Breach Investigations Report (DBIR), two-thirds of breaches exploit weak or stolen passwords – compared to 76 percent in 2013 (perhaps education is starting to have an effect after all).
The attack on JP Morgan affecting 75 million customer accounts started with the compromise of an employee’s username and password for a “web development server.” In the now well-documented anatomy of an attack, once initial access had been gained, the attackers escalated privilege, obtaining credentials to further administrative accounts to eventually effect the large-scale theft.
The risk of experiencing a data breach is now higher than ever. Removing human interaction with passwords and automating their selection and change is a major step forward on several levels. It protects the individual by ensuring that when the next large-scale breach occurs the password stolen is unique and not reused across multiple services and – if applied to internal accounts on internal systems – may slow down the attacker and even prevent the breach from happening at all.