Tuesday, February 2, 2010

If you have the same problem for a long time, maybe it is a fact not a problem…

Recently the topic of weak passwords (= hacking made easy) has reared its ugly head once again.
You probably mumble now – please don’t let it be yet another password-related post; we already know our passwords are weak, hackers can (and will) share our identity, and we are all going to die…

Unfortunately I could not resist.


As long as users are responsible for creating their own passwords, it will not matter how high the security walls are built. Let’s face it – we all want the ultimate user experience: just let me use the service without the entire authentication mumbo jumbo. When it comes to passwords, most of us create simple passwords, don’t change them at all, and use similar passwords for all our accounts (where possible). And BTW – since forgetting passwords is a hassle, we tend to conveniently write them on a piece of paper or simply save them in a file on our computer (the sophisticated among us might even “hide them” by not placing the file on the desktop).

Through the years many vendors attempted to tackle this issue by introducing a slew of solutions – secret questions, images, graphics, second passwords, and the list goes on and on. These are all just sophisticated passwords (password 1.0, password 2.0 or password 3.0), still subject to the user’s will/motivation.

Security experts in the audience will explain that regardless of password strength or rotation frequency, hackers will manage to break them. Terms such as session hijacking or man-in-the-middle will be used to further scare us. I must admit it is all true; however, with so many identities out there you simply need to be slightly better than your neighbors to postpone destiny (like the well-known joke about two friends, a jungle, a hungry lion and a pair of running shoes). In addition, a large customer recently confessed that changing passwords every 90 days addressed a very large portion of their identity problems. Today I read that Twitter is asking users to reset passwords after a possible phishing attack (http://tinyurl.com/yhmn9y8).

So why do we consistently write about it for years and years? Is it because there is no solution to the problem? It keeps changing on us? The solutions provided by vendors are not valid anymore?
Well, as I have already stated, the root cause of this problem is us, the (lazy) users. Once this parameter changes, the problem will simply go away (flying angels playing harps, rainbow in the background).

A quick recap:
Problem – weak passwords = hacking made easy
Root cause – us, the (lazy) users
Solution – replace us, the (lazy) users
Problem solved, moving on!

How can we replace us, the (lazy) users in a process intended to authenticate us (the …)?
While there are many solutions out there strengthening user authentication (e.g. out-of-band), I’ll mention two ways to better manage authentication:
1. Software replaces users – software manages the entire authentication process, including password generation (a non-lazy program will ensure password strength), maintenance (frequent modification) and seamless login. Implemented right, this will address the challenges previously described and improve security while reducing the hassle.
2. Behavioral characteristics – base authentication on the user’s behavioral characteristics/patterns, rather than on parameters subject to his will. Answer the question “who he is” (I’m not referring to physical aspects such as fingerprints) rather than “what he knows”.
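As an added illustration of option 1 (example code, not from the original post): a small Python sketch of software taking over password generation and rotation from the user. The policy values are hypothetical – 90 days for ordinary accounts, the figure cited above, and a tighter 30 days with longer passwords for high-risk shared administrative accounts – and the account inventory is constructed.

```python
import math
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def generate_password(length: int = 20) -> str:
    """Draw from the OS CSPRNG via secrets, never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int) -> float:
    """Bits for a uniform draw from ALPHABET: length * log2(94)."""
    return length * math.log2(len(ALPHABET))

@dataclass
class ManagedCredential:
    account: str
    high_risk: bool       # e.g. a shared administrative account
    last_rotated: date
    password: str = ""

    def needs_rotation(self, today: date) -> bool:
        # Hypothetical policy: 90 days for ordinary accounts (the figure the
        # post cites), a tighter 30 days for high-risk shared accounts.
        period = timedelta(days=30 if self.high_risk else 90)
        return today - self.last_rotated >= period

    def rotate(self, today: date) -> None:
        # Longer passwords for the accounts whose compromise costs the most.
        self.password = generate_password(32 if self.high_risk else 20)
        self.last_rotated = today

def rotate_due(creds: list, today: date) -> list:
    """Rotate every credential whose period has elapsed; return the accounts touched."""
    rotated = []
    for cred in creds:
        if cred.needs_rotation(today):
            cred.rotate(today)
            rotated.append(cred.account)
    return rotated

def example_run():
    """Constructed sample inventory (not real accounts) checked on a fixed date."""
    today = date(2010, 2, 2)
    creds = [ManagedCredential("alice", False, date(2009, 12, 1)),           # 63 days: keep
             ManagedCredential("bob", False, date(2009, 10, 1)),             # 124 days: rotate
             ManagedCredential("shared-db-admin", True, date(2009, 12, 20))]  # 44 days: rotate
    return rotate_due(creds, today), {c.account: entropy_bits(len(c.password)) for c in creds if c.password}
```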

Consumers are mainly concerned with their own identity. For enterprises the problem is a hairy one. Organizations measure everything through the “risk lens” (and they should), therefore not all identities are born equal. While most identities are associated with “real” employees, some, such as shared administrative accounts, are not tied to any particular “real” identity. The paradox is that while the number of these accounts is relatively small, the risk associated with their capabilities is huge.
Recently we’ve heard of a financial services company whose poor password management controls for shared administrative accounts resulted in a data breach affecting 1.2 million of their customers. The realization of this challenge contributed greatly to the spike in PIM (Privileged Identity Management).

My recommendation for organizations is: “worry when you should worry, don’t worry when you should not worry”. Brilliant, isn’t it? A more professional way to put it would be: your security controls should be proportional to the risk. While providing better password management capabilities and controls for the entire organization has value, it costs you focus on your priorities. Focus means better controls, in a timely manner, for the high-risk accounts.
