Skip to main content

Passwords And Why They're Going Nowhere

Passwords have been the bane of security implementers ever since they were introduced, yet still they are present on nearly every app, website and system in use today.  Very few web based subscription sites use anything resembling two-factor authentication, such as one-time-passwords or secure tokens.  Internal systems run by larger organisations implement additional security for things like VPN access and remote working, which generally means a secure token.


Convenience Trumps Security

Restricting access to sensitive information is part of our social make up.  It doesn't really have anything to do with computers.  It just so happens for the last 30 years, they're the medium we use to access and protect that information.  Passwords came before the user identity and were simply a cheap (cost and time) method of preventing access to those without the 'knowledge'.  Auditing and better user management approaches resulted in individual identities, coupled with individual passwords, providing an additional layer of security.  All sounds great.  What's the problem then?  Firstly users aren't really interested in the security aspect.  Firstly, users aren't interested in the implementation of the security aspect.  They want the stuff secure, they don't care how that is done, or perhaps more importantly, don't realise the role they play in the security life cycle.  A user writing down the password on a post-it is a classic complaint of a sysadmin.  But the user is simply focused on convenience and performing their non-security related revenue generating business role at work, or accessing a personal site at home.


Are There Alternatives & Do We Need Them?

The simple answer is yes, there are alternatives and in some circumstances, yes we do need them.  There are certainly aspects of password management that can help with security, if alternatives or additional approaches can't be used or aren't available.  Password storage should go down the 'hash don't encrypt' avenue, with some basic password complexity requirements in place.  Albeit making those requirements too severe often results in the writing down on a post-it issue...

Practical alternatives seem to be few and far between (albeit feel free to correct me on this).  By practical I'm referring to both cost (time and monetary) and usability (good type-I and type-II error rates, convenient).  So biometrics have been around a while.  Stuff like iris and finger print scanning as well as facial recognition.  All three are pretty popular at most large-scale international airports, mainly as the high investment levels can be justified.  But what about things like web applications?  Any use of biometric technology at this level would require quite a bit of outlay for new capture technology and quite possibly introduces privacy issues surrounding how that physical information is stored or processed (albeit hashs of the appropriate data would probably be used).

There are also things like one-time-passwords, especially using mobile phones instead of tokens.  But is the extra effort in deployment and training, enough to warrant the outlay and potential user backlash?  This would clearly boil down to a risk assessment of the information being protected, which the end user could probably not articulate.


Why We Still Use Them...

Passwords aren't going anywhere for a long time.  For several reasons.  Firstly it's cheap.  Secondly it's well known by developers, frameworks, libraries, but most importantly the end user.  Even a total IT avoider, is aware of the concept of a password.  If that awareness changes, there is suddenly an extra barrier-to-entry for your new service, application or website to be successful.  No one wants that.

Thirdly, there are several 'bolt on' approaches to using a username and password combination.  Thinking of things like step-up authentication and knowledge based authentication.  If a site or resource within a site is deemed to require additional security, further measures can be taken that don't necessarily require a brand new approach to authentication, if a certain risk threshold is breached.

As familiarity with password management matures, even the most non-technical of end users, will become used to using passphrases, complex passwords, unique passwords per applications and so on.  As such, developers will become more familiar with password hashing and salting, data splitting and further storage protection.  Whilst all are perhaps sticking plaster approaches, the password will be around for a long time to come.

By Simon Moffatt


Popular posts from this blog

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…

Online-ification: The Role of Identity

The Wikipedia entry for Digital Transformation, "refers to the changes associated with the application of digital technology in all aspects of human society".  That is a pretty broad statement.

An increased digital presence however, is being felt across all lines of both public and private sector initiatives, reaching everything from being able to pay your car tax on line, through to being able to order a taxi based on your current location.  This increased focus on the 'online-ification' of services and content, drives a need for a loosely coupled and strong view of an individual or thing based digital identity.