Today is “National Password Day”, as the security industry and the wider world continue their battle with the dogged authentication method.
Backed by companies including Microsoft, Intel and LastPass, the initiative follows on from stories where “hackers have leaked millions of passwords from sites like Facebook, Yahoo!, and Google”. The website offers basic advice on password security for consumers, but comes after the Heartbleed bug, which may have affected two-thirds of global websites and compromised millions of passwords.
We have been debating the problem of passwords for some time, so will a day of awareness really change anything? Raj Samani, EMEA CTO of McAfee, part of Intel Security, which has been one of the driving forces behind Password Day, said that Intel wanted to provide one place for education and awareness.
“Education in this area is needed, as we consistently see evidence that people are naive about how to create the best passwords for their personal information – just last year it was revealed that 90 per cent of passwords were considered vulnerable because users couldn’t remember them,” Samani said.
So the concept is of these companies encouraging consumers to change their thinking around password security and take simple steps to protect their data. Colin Miles, CTO of Pirean, said that the username and password approach to authenticating users is fundamentally flawed, as it fails to adequately serve the needs of either the consumer or the service provider.
“Users want convenience of access without compromising their privacy or security, while application providers need to ensure only the right people are accessing their services without introducing barriers to access,” he said. “The password model for access was introduced at the very infancy of internet adoption but it really hasn’t scaled to meet the demands of our increasingly connected world.”
Miles said that initiatives to encourage users to practise good password hygiene are certainly needed: the password problem is so entrenched in existing technology and services that it is not going to go away soon, so the solution should focus on modifying user behaviour to make the best of a bad system.
“We are seeing that new, people-centric approaches to security are increasingly coming to the fore. These are the most forward-thinking models of all, where the primary challenge is not in respect of how the user should be authenticated, but whether an authentication challenge is needed at all.”
I talked to Steven Hope, managing director of Winfrasoft, who said that there is evidence that passwords remain a huge problem, and that this will remain a problem for as long as we have unique passwords for everything. “Even with a password, it is a pain to change it, as it is a pain and it doesn’t work!”
“Companies use them and they are seen as free, but two-factor authentication tokens are too expensive, so we are stuck with passwords, and it is not good and until the Government puts the message out that we need to get rid of them we are stuck. If you compromise one password often you have got them all, but really it is a case of use them or lock themselves out,” he said.
Hope said that if technology worked, you would not need passwords. “How many passwords do you use in a day? I gave up at a dozen. Until you write them down, how many do you use in a week? If it is stolen, how many applications could an attacker get into? We have existed on fixes and it is a nightmare; the only way is to get rid of passwords.”
Last year, the Petition Against Passwords (www.petitionagainstpasswords.com) issued a call-to-action for large consumer sites to implement password-less logins and saw backing from large vendors and the federated identity group FIDO Alliance.
What awareness campaigns do is good, but what we need is mainstream support and a solution. Miles said that this may lie in modern Identity and Access Management (IAM) solutions, which he said do offer “a glimmer of hope for a better, best-practice future”.
“Increasingly IAM is being used to help build a better user experience around common security interactions such as registering for access, maintaining accounts or logging on to systems. Through these techniques service providers are able to provide clear, simple paths and journeys for users which can encourage adoption of new, stronger access mechanisms and overcome some of the barriers to entry for many,” he said.
National Password Day is asking users to pledge to use a stronger password. I would prefer it to ask users to ask websites and applications to implement a better form of authentication that does not require passwords at all, as that is surely the only way forward.
Read our interview with Paul Simmonds of the Global Identity Foundation on the future of authentication: https://itsecurityguru.org/gurus/redefining-identity/