Is The Password Dead?

Uploaded on 2016-01-13 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Will 2016 be the year when passwords become obsolete? Or will we just continue to grin and bear it? And what’s the matter with passwords, anyway?

Passwords have been around a long time (think about soldiers entering armed camps at night and giving the secret password), but today, the average consumer uses 25 or more sites and apps that rely on passwords. A strong password is a dozen or more characters of letters, numbers and punctuation, even those with the best memory would struggle to recall that many strong passwords.

In a data breach, such as the ones that have occurred at eBay (145 million users), Adobe (36 million users), JP Morgan Chase (76 million users) and many others, passwords are frequently the target. Even though good security practice requires sites to store passwords only in a “hashed” form (cryptographically transformed so they can be recognized when a user logs in, but not read directly), attackers often obtain a database dump containing the hashed passwords.

If the hashing process is done correctly, by the site operator, reconstructing passwords is difficult and time-consuming, yet not impossible. And, unfortunately, we keep finding major sites that have not properly hashed, making password retrieval quick and easy. Attackers who succeed in reconstructing a user’s password are likely to then try it on other popular sites and apps. So it isn’t safe to use the same password, or simple variations, everywhere.

Better forms of authentication have been available for years — so why are we still using passwords?

Biometric sensors are becoming more main-stream and are increasingly found on more devices, unfortunately, none of them can fully replace the password on its own. None of these “better” alternatives, such as fingerprint biometrics, facial recognition, iris scans, voice recognition, etc. — can work everywhere (on every device, under all lighting conditions, in both quiet and noisy environments, when your hands are full, etc.).

A full replacement for passwords would also have to be able to scale up and down for convenience versus security — quick and easy for low-risk situations, tougher and possibly more time-consuming for the crown jewels.
But what if you could combine any or all of those authentication factors, under your own control? You’d be able to pick factors that work for whatever environment you’re in at a given time, and that strike the right balance of security and convenience for whatever you’re doing — whether it’s logging into Pinterest or transferring funds from your bank account.

Why are we still using passwords?

Better yet, what if you could combine these biometric authenticators with “passive” factors that require no effort, like identifying which Wi-Fi network you’re on, or which city you’re in or whether your Bluetooth wearable is connected — again, under your own control and respecting your personal preferences?

There might be some low-risk situations (like logging in to Pinterest) where you’d want to use passive factors alone, and simply be automatically logged in without having to lift a finger. And when the stakes are higher, the passive factors would add additional security and confidence above and beyond the more active biometric authenticators you’re using.

That’s “multi-factor authentication,” and if it’s starting to sound like a powerful solution that could potentially replace passwords, then consider how much better it would be if it could also be strongly locked to your personal devices, so that even if an attacker was able to spoof your face or your fingerprint and use your Wi-Fi network, they would still be blocked because they weren’t using your laptop.

That’s possible today, thanks to hardware-based “device authentication,” which can make your laptop or your phone prove its identity using features built in to the CPU, at the same time that you prove yours with a fingerprint or another biometric. Just like the passive factors that I talked about above, device authentication can add stronger security without any impact on speed or convenience.

But to be of real value, a solution like this has to work right away, on the websites and apps that you already use, without waiting for the operators of all those apps and sites to update to a new technology. To do that, it would also have to be able to wrap itself around all your current passwords and manage them painlessly until they can be completely eliminated.

For that to be easy and convenient, it would have to understand the structure of the websites and apps you use, so that it could save your passwords (in securely encrypted storage) when you use them and, from them on, every time you revisit each of those sites, it could automatically enter your password into the login form on your behalf.
And finally, what if we could also eliminate the easy-to-guess “account reset questions” that are the Achilles’ heel of many systems that try to help manage passwords? That would protect you from “social engineering” attacks in which hackers use social media or other research, to find the answers to your reset questions, then take over your account.

How can those questions be eliminated? Using the same biometrics, passive factors and device authentication methods we’ve already discussed — all of those are authentication factors you can’t forget!

That’s what I think the next generation of solutions will look like.

So will passwords disappear in 2016? Probably not. But the pain associated with them might.

Techcrunch:

 

« Indian ‘Black Hats' Hack Pakistani Websites
Cyberwar Represents An Existential Threat »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DoD Cyber Crime Center (DC3) - USA

DoD Cyber Crime Center (DC3) - USA

DC3 is a US Department of Defense (DoD) center of excellence for Digital and Multimedia forensics.

Performanta

Performanta

Performanta offer a consultative approach to people, process and technology, focusing on security projects in line with adversarial, accidental and environmental business risk.

Identity Automation

Identity Automation

Identity Automation is a leading provider of Identity and Access Management software.

Cydome

Cydome

Cydome offers full-spectrum cybersecurity solutions tailored for the maritime industry.

PBOSecure

PBOSecure

PBOSecure is a dynamic and progressive IT consultancy company specializing in IT and Industrial Control System (ICS) security.

StepStone

StepStone

StepStone is one of the leading online job platforms in Germany, and other countries, covering all industry sectors including IT and cybersecurity.

Onsist

Onsist

Onsist brand protection services provide proactive defense against fraudulent use of your brand online.

InGuardians

InGuardians

InGuardians is an independent information security consulting firm specializing in penetration testing, threat hunting, and hardware hacking.

Redwall Technologies

Redwall Technologies

Redwall provides cybersecurity expertise and technology to prevent and respond to emerging threats against mobile applications and connected infrastructures.

Data Privacy Office (DPO) - Belarus

Data Privacy Office (DPO) - Belarus

Data Privacy Office is a company that specializes in privacy and personal data protection, following the highest standards in its sector.

Cyber Dacians

Cyber Dacians

Cyber Dacians offers Information and Cyber Security Consulting Services. We help you to test the effectiveness of your security defenses and build a secure infrastructure.

Conquest Cyber

Conquest Cyber

Conquest Cyber builds adaptive risk management programs where innovation is most needed – within defense, intelligence, federal civilian agencies and the industrial base that supports them.

Fifosys

Fifosys

Fifosys is a professional technology infrastructure specialist, delivering a broad portfolio of high quality technical and strategic managed services.

Conosco

Conosco

Conosco are industry-leading experts throughout the UK in strategic consulting, project delivery, business communications, support, and security.

Autobahn Security

Autobahn Security

Autobahn Security is a growing team of 80+ experts from 25+ nationalities, established in 5 countries. We’re working hard to make Autobahn Security the No. 1 solution for improved hacking-resilience.

Incode

Incode

Incode is the leading provider of world-class identity solutions that is reinventing the way humans authenticate and verify their identities online.