Passwords hanging around like an ugly old dorm couch

Summary: Forrester analyst Eve Maler says passwords will be an authentication method for the foreseeable future, but changes in IT attitudes can make that palatable.

Just when hope, and Mat Honan, had the password a few nails short of a closed coffin, we get this word from Eve Maler, who has an impressive resume as a big thinker in the identity community and is now at Forrester Research: "I don't buy the whole 'the era of passwords is over' thing."

Since I know Maler to be fair, level-headed, and thorough, it’s worth stopping to listen.

"I can't see a future where static shared secrets don't form a part of authentication strategy," she told me. "It's a rare multi-factor authentication strategy that doesn't include a password or PIN somewhere along the line as one of the 'things you know,' " she said in her latest blog.

It's not that Maler is willing to settle for a legacy mechanism that is proving incapable of standing up to current password-cracking tools. Or that she thinks the decade-long popularity of 12345 proves its worth as a secure password.

It's because she realizes that passwords, which currently live in a pitchfork-and-torch world, do have some very appealing qualities that have nothing to do with getting hacked.

She wrote in her blog: "Passwords are too useful to go away entirely, both because it's handy to be able to synchronize authenticator data between cooperating systems (and people), and because people find using passwords to be less invasive, fiddly, or personally identifying than a lot of other options."

The fact that "invasive" and "personally identifying" are important concepts in the privacy community lends credence to Maler's argument.

Maler says IT has gotten away from authentication common sense, and that she welcomes this growing discussion around passwords because it fosters new ideas for IT to explore.

"If you look at passwords broadly, make sure you are not depending on them further than you can throw them," she said. "Or if you do depend on them, start to build in ways to routinely rotate them and make sure the rules you have for their  'un-guessability' and 'uncrackability' makes sense [for end-users]."

Maler is starting to hear that companies that have deployed two-factor authentication are beginning to take long looks at adding a federation project to the mix.

"We'll probably see more federation as a result of relying on passwords less and moving to additional things in the authentication chain. Not necessarily replacing passwords, but adding to them," she said.

Back to level-headed and thorough, Maler isn't just telling the world to "buck up."

She's put out three suggestions to start 2013, and perhaps they will become a sort of support-group meme until log-ins (authentication) and access control (authorization) get to a better place.

Here are her suggestions (if you want the full explanation, visit her blog):

  • Don't depend on passwords alone for sensitive operations. Leverage risk-based authentication to put multiple authentication factors into play in a way that inconveniences your users as little as possible.
  • Stop forcing users to thread the needle of your password policies. Password policies are well intentioned, but often misguided.
  • Consider "push" models for refreshing user passwords. People really, really hate changing passwords. That's because we've put the onus on them to do all the work.
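Maler's first suggestion, risk-based authentication that brings a second factor into play only when the risk warrants it, can be made concrete with a small scoring policy. The following is an added example and not code from the article, from Forrester or from Maler; the signal names, weights, threshold and sample requests are assumptions chosen to illustrate the approach.

```python
"""Risk-based step-up authentication.

Added example for the suggestions above; it is not code from the article,
from Forrester or from Eve Maler. The signals, weights and threshold are
assumed illustrative values, not a published scoring scheme.
"""
from dataclasses import dataclass, field

# Operations for which the password alone is never enough (assumed list).
SENSITIVE_OPERATIONS = frozenset({"change_password", "add_payee", "transfer_funds"})

# Risk points contributed by each signal, and the score at which a second
# factor is demanded (assumed weights; tune against your own login telemetry).
WEIGHTS = {
    "sensitive_operation": 40,   # a sensitive operation alone reaches the threshold
    "unknown_device": 30,
    "unusual_country": 25,
    "anonymising_network": 20,
    "recent_failures": 25,
}
STEP_UP_THRESHOLD = 40


@dataclass(frozen=True)
class LoginContext:
    user: str
    operation: str
    device_known: bool            # device cookie/fingerprint seen before for this user
    country: str                  # geo-IP country of the request
    usual_countries: frozenset    # countries this user normally logs in from
    recent_failures: int          # failed password attempts in the current window
    anonymising_network: bool = False   # Tor exit or known open proxy


@dataclass
class Decision:
    step_up: bool
    score: int
    reasons: list = field(default_factory=list)


def assess(ctx: LoginContext) -> Decision:
    """Score the request; require a second factor once the score reaches the threshold."""
    score, reasons = 0, []

    def hit(signal):
        nonlocal score
        score += WEIGHTS[signal]
        reasons.append(signal)

    if ctx.operation in SENSITIVE_OPERATIONS:
        hit("sensitive_operation")
    if not ctx.device_known:
        hit("unknown_device")
    if ctx.country not in ctx.usual_countries:
        hit("unusual_country")
    if ctx.anonymising_network:
        hit("anonymising_network")
    if ctx.recent_failures >= 3:
        hit("recent_failures")
    return Decision(step_up=score >= STEP_UP_THRESHOLD, score=score, reasons=reasons)


# Constructed sample requests (not real telemetry).
SAMPLE_CONTEXTS = {
    "routine": LoginContext("alice", "view_balance", True, "US", frozenset({"US"}), 0),
    "new_device_only": LoginContext("alice", "view_balance", False, "US", frozenset({"US"}), 0),
    "new_device_abroad": LoginContext("alice", "view_balance", False, "RO", frozenset({"US"}), 0),
    "sensitive_known_device": LoginContext("alice", "transfer_funds", True, "US", frozenset({"US"}), 0),
    "brute_force_pattern": LoginContext("alice", "view_balance", True, "US", frozenset({"US"}), 5, True),
}

if __name__ == "__main__":
    for label, ctx in SAMPLE_CONTEXTS.items():
        d = assess(ctx)
        print(f"{label:24} score={d.score:3}  step_up={d.step_up}  {'+'.join(d.reasons) or '-'}")
```

The design point is the threshold: a routine login from a known device costs the user nothing beyond the password, a sensitive operation always steps up, and a lower-risk signal such as an unfamiliar device only triggers the second factor when it combines with another one. That is what "inconveniences your users as little as possible" looks like in code.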

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.


Talkback

18 comments
  • password policies

    "Password policies are well intentioned, but often misguided."

    Agreed. The quality of password policies varies greatly - and I've encountered horrendous policies that actually hurt security more than they help.

    Maximum acceptable password lengths, for example. Or not allowing certain characters. Those actually serve to decrease the password strength, and punishes people who really care about making passwords secure.

    "People really, really hate changing passwords."

    Constant changing of passwords is unnecessary anyways, especially if you enforce stronger passwords. 12345 should not be allowed as a valid password to begin with.
    CobraA1
    • Not always true

      Yahoo, among others, has had parts of its password database stolen and posted online. No matter how strong your password is, if that happens, you're exposed. By regularly changing your password, you limit the impact of that.

      That said, the only way one can really do this is to have a password database that itself has a relatively strong password....and presumably a backup in case you lose your HD or the thumb drive that it's on.
      notsofast
    • I should add

      I totally agree that they shouldn't limit the type of characters allowed. With auto-generation of passwords, every character, including white space, all special characters and control characters, should be allowed. Lengths should be allowed up to at least 30 or 40 characters, and 255 would be even better. At some point, the length doesn't matter, because you don't actually know the password yourself.
      notsofast
      • "You totally agree"...

        with what? Nobody is saying they should not restrict them at all. They are saying that the existing schemes for imposing rules to try to boost entropy are mostly failures, which is true.

        That is, if a user is going to insist on a password that is 12 characters or less, then they DO have to use non-alphabetic characters to boost the entropy. But if they are willing to type 20 characters, they should be allowed to use only alphabetic characters.

        And yes, the breaking point really is at least 12 characters now. 8 character passwords are much too short, even with spaces, numbers and punctuation included.
        mejohnsn
  • Great perspective

    One comment though, Eve works for Forrester Research, not Forrest.
    bethinsf
  • The single biggest thing IT can do to increase password

    robustness is encourage the use of passphrases and stop this asinine nonsense of require at least one capital letter, at least one number, etc. Just let me type in something like Four horses of the apocalypse man but this job sucks. I can guarantee you that will never get cracked, so there's no need for you to make me change it every thirty days.
    baggins_z
    • To @baggins_z:

      Hear, hear!
      fjpoblam
    • Passphrases

      Absolutely.... passphrases need to be encouraged more in the enterprise... it matches the way the user's brain thinks and works...
      Kia Ora IV
    • Not True Anymore.

      As long as the presumed most likely method of attack was "the cracker tries to access your account through the same UI you use, entering the password over and over until he gets it", the procedure you describe provided sufficiently high entropy to provide effective protection. But that is not the major attack vector now. Now we have to worry more about someone who steals the 'salt' (or whatever the relevant OS uses) for all the passwords, and runs a dictionary attack on it. To stop that attack, we need MUCH higher entropy.

      Then again, the schemes you criticize do not provide that higher entropy either: IT staff insist on them out of their own ignorance of real security measures.
      mejohnsn
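The entropy arithmetic behind the two mejohnsn comments above (the 12-character breaking point, and the offline dictionary attack on a stolen password database), as an added example that is not part of the original comments or the article. It models each construction strategy as uniform random draws, which is an upper bound for anything a human chooses: a grammatical sentence is worth less than its word count suggests. The guess rates are assumed order-of-magnitude figures for one 2013-era GPU rig, the 7776 figure is the size of the standard Diceware list, and the embedded word list is constructed for the demonstration.

```python
"""Password entropy against offline cracking of a stolen hash database.

Added example for the entropy discussion in the comments above; it is not
code from the article or from any commenter. The guess rates are assumed
order-of-magnitude figures for a single 2013-era GPU rig, the 7776-word
list size is the Diceware list size, and the embedded word list is constructed.
"""
import math
import secrets

# Assumed offline guess rates (guesses per second) against a stolen database.
GUESS_RATES = {
    "unsalted MD5 on a GPU rig": 1e10,
    "bcrypt, cost 12": 1e3,
}

# Construction strategies: (alphabet or word-list size, number of symbols drawn).
STRATEGIES = {
    "8 chars, all 95 printable ASCII": (95, 8),
    "12 chars, all 95 printable ASCII": (95, 12),
    "20 lowercase letters": (26, 20),
    "4 random words, 7776-word list": (7776, 4),
    "6 random words, 7776-word list": (7776, 6),
}


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Bits of entropy for `symbols` independent uniform draws from `alphabet_size` choices."""
    return symbols * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare_strategies() -> dict:
    """Entropy and expected offline crack time of each strategy under each hash."""
    table = {}
    for name, (alphabet, n) in STRATEGIES.items():
        bits = entropy_bits(alphabet, n)
        table[name] = {"bits": bits}
        for hash_name, rate in GUESS_RATES.items():
            table[name][hash_name] = expected_crack_seconds(bits, rate)
    return table


# Constructed stand-in for a real Diceware-style list; a production list has 7776 words.
CONSTRUCTED_WORDLIST = (
    "apocalypse", "horse", "four", "job", "couch", "dorm", "ugly", "anvil",
    "lantern", "meadow", "quartz", "ripple", "saddle", "tundra", "velvet", "walnut",
)


def generate_passphrase(n_words: int, wordlist=CONSTRUCTED_WORDLIST) -> str:
    """Pick words uniformly with a CSPRNG; entropy is n_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for name, row in compare_strategies().items():
        print(f"{name:34} {row['bits']:5.1f} bits", end="")
        for hash_name in GUESS_RATES:
            print(f"  | {hash_name}: {humanize(row[hash_name])}", end="")
        print()
    print("sample passphrase:", generate_passphrase(6),
          f"({entropy_bits(len(CONSTRUCTED_WORDLIST), 6):.0f} bits from this tiny list)")
```

Two things stand out when it runs. The 8-character composition-rule password falls in days against a fast unsalted hash, while 20 random lowercase letters or six random words exceed it by 25 to 40 bits with no composition rule at all. And the same 8-character password takes on the order of a hundred thousand years against bcrypt, because what the attacker steals is the hash database and the hash function sets the guess rate; a salt does not slow the attack by itself, it only stops one guess from being checked against every user at once.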
  • Matching the way the user's brain thinks and works

    @Kia Ora IV: Hear, hear. And for starters, stop presenting users with reasons to work *against* your goals. (Thanks to John for bringing my post to the ZDNet community! I've got some research under way to take this to the next level...)
    xmlgrrl
  • Need effortless password managers

    With the number of passwords we need these days, password management software is required. But current solutions just don't work well. I use LastPass and like it, but most of the non-tech people I know couldn't/wouldn't take the time to make it work for them.

    The industry needs to put protocols in place so that password managers can work effortlessly every where. Without this we will never get away from password written on sticky notes placed on the monitor.
    mars4
    • An even Bigger Problem with "password managers"...

      is: how do we know they are really keeping our passwords secure? Without competent third-party verification of the security of their code, I see NO good reason to trust them. Especially not since if their use ever does become widespread, then they become a very valuable target for hackers to attack.

      This is not paranoia, it is natural for anyone who really understands security protocols.
      mejohnsn
  • Conflicted

    A big problem is the number of incompatible passwords users need to have. Unless the user lives in a cave, they likely have twenty to thirty or more accounts, and as a result a multitude of passwords. So they write them down on what shouldn't be called a password list, but a reference list. Too easy to steal this.

    Regular updating of passwords isn't going to happen if the user needs to go to dozens of accounts. A global LDAP-like solution, e.g. OpenID, that required real passphrases and regular updates would help.
    tarapup
  • Passphrases in non-IT world

    This reminds me of a joke often used in comedy skits. The authority figure (boss, parent, etc.) demands that the subordinate (employee, child, etc.) let him/her in. The subordinate, being "cute", demands the password. The authority figure replies something like "Let me in or you're ... (fired, busted to private, getting a big spanking, etc.)" and the door opens!
    jallan32
  • Password expiration

    Password expiration - especially for computer log-in INSIDE an already well protected intranet - only makes users write down their passwords on sticky notes. Real secure, there.
    WozNotWoz
  • Oops, typo

    I forgot the last quotation mark above, but you get the idea.
    jallan32
  • Long Live the Password

    Maler is absolutely correct; it is the nay-sayers predicting the death of the password who have been completely wrong all this time.

    After all, as we can see from Maler's short list of how to use passwords, it is not hard to see that the security failings the nay-sayers mention have NOT been the fault of the basic password architecture, nor of the users, but of IT staff who for various reasons insisted on bad password policies.

    What "bad policies"? The ridiculous rules various IT people have imposed on users allegedly to make the passwords more secure, for starters. Even Oracle has long had a bad habit of forcing people to change their password every few months, and then rejecting the new passwords because they did not meet their arbitrary and even concealed requirements. But the whole idea of doing this is based on a severely flawed idea of how to make cracking hard in the first place.

    Nor was Oracle alone. Lots of people have insisted on rules for new passwords which actually decrease entropy instead of increasing it. Worse yet, they made it hard for users to remember the passwords, which defeats the whole purpose.

    As if this wasn't bad enough, as if they wanted to add insult to injury, after making nuisances of themselves with counterproductive requirements, these IT people then got careless with the password files, leaving them in places where an attacker could easily snatch the whole file and do a dictionary attack against it on his own machine at his leisure.
    mejohnsn
  • Password

    for those who care I co-authored a very invasive program that lets the user create their own set of characters in an MS Paint type box; their characters are then used as their password. Protocols insist that characters must meet or exceed at least 20 out of 32 character regulations that the program uses.

    THE AMAZING PART IS IN THE FACT THAT THE PROGRAM'S ENCRYPTION DOESN'T EVEN TOTAL UP TO 11-BIT ENCRYPTION, YES THAT'S ELEVEN-BIT ENCRYPTION

    TO DATE AROUND 15000 SELF-PROCLAIMED HACKERS AND/OR IT SECURITY TYPE PEOPLE HAVE TRIED TO CRACK THE CHARACTER/SECURE PROGRAM AND NO ONE HAS MANAGED TO CRACK THE PROGRAM YET. THE CLOSEST TO CRACKING THE PROGRAM IS WITHOUT A DOUBT MY 3 YEAR OLD STEP DAUGHTER WHO CORRECTLY ENTERED 8 OUT OF 9 CHARACTERS WHEN SHE DROPPED MY TABLET ON THE FLOOR AND STOMPED ON IT SEVERAL TIMES..!!!!!

    THE PROGRAM STILL REMAINS """HACKPROOF""" """CRACKPROOF""" """JACKPROOF""" and """FOOLPROOF"""
    BELIEVE ME OR NOT / I DON'T CARE
    EM_ROF_LLA