Passwords are here to stay: get used to it

Summary: It's been mildly amusing to see, once more, a vendor of two-factor authentication call the end of the line for passwords as a security mechanism. We've been around this particular block so many times in the last 20 years that I've lost count.

TOPICS: Networking

The latest contributor to this never-ending debate is Steve Watts, co-founder of the tokenless two-factor authentication vendor SecurEnvoy. According to the company's latest press release: "Commenting on reports that a security developer has concluded that password-creation policies are the enemy of secure passwords, SecurEnvoy says that the fundamental issue is that conventional ID/password security is now coming to the end of the line as far as security is concerned."

Ignoring the somewhat tortured press-release English, we have here a vendor taking issue with this piece on ZDNet about security developer Cameron Morris. Morris has created an open-source tool called Passfault that predicts the time it would take to crack a specific password -- there's more about it in the article.

Watts' beef is that password strength is a moveable feast and not very well understood, so the answer is obviously something else: two-factor authentication, I suspect. The problem here is that he's confining the scope of the issue to highly controlled enterprise environments. Most two-factor authentication vendors do that too.

There's no doubt that two-factor authentication is stronger than a password alone, especially one that is required to be strong. Weak passwords are clearly to be avoided, but their convenience is hard to beat, as strong passwords are hard for most people to remember.

But two-factor authentication may no longer be the solution to this conundrum. Internet services and personal devices like smartphones now find major uses within the enterprise. The reality today is that the division between enterprise and personal environments has all but evaporated. In the course of their jobs, people increasingly access their personal services at work using their personal devices. And enterprises cannot mandate two-factor authentication for access to Facebook, for example, which might well be the chosen method of communication of a key supplier, or a way of communicating with potential customers. All FB wants is a password, and it's not alone.

So I think it's time for security experts to accept that the password is here to stay. As we all know, convenience trumps security any day -- just look at what happens in small companies all the time: sharing of passwords, open passwords, no passwords at all in some cases -- are you screaming on the ceiling yet?

Instead we need to find ways of making passwords work. Personally, I've been through a number of solutions, including a tiny portable password generator that will never, alas, be developed as a cross-platform utility. This has driven me towards KeePass, an open-source password safe which relies on a password to open it -- and you can even boost protection with two-factor authentication. It's cross-platform and has a good ecosystem of plug-ins and other support. Use it together with a cloud service and your passwords are available anywhere.

There are others like it out there but I moot that something like this may well be the way forward in many circumstances.

Manek Dubash

About Manek Dubash

Editor, journalist, analyst, presenter and blogger.

As well as blogging and writing news & features here on ZDNet, I work as a cloud analyst with STL Partners, and write for a number of other news and feature sites.

I also provide research and analysis services, video and audio production, white papers, event photography, voiceovers, event moderation, you name it...

Back story
An IT journalist for 25+ years, I worked for Ziff-Davis UK for almost 10 years on PC Magazine, reaching editor-in-chief. Before that, I worked for a number of other business & technology publications and was published in national and international titles.

1 comment
  • What is mildly amusing to me is when someone thinks a strong password is as strong as one may need, when the truth is usernames and passwords are not secure anymore. It has been proven true time and time again. To be best protected with online accounts, people need to look for websites and organizations who offer two-factor authentication technology and activate it where they can telesign into their account by entering a one-time PIN code which is delivered to their phone via SMS or voice. For me, this gives me the confidence that my account won't get hacked and my personal information isn't up for grabs. Oh, by the way, the social media site you mentioned does offer 2FA.
    Bob luand