Google has been talking about an innovative idea to replace passwords with jewelry — that’s right, jewelry. Actually, the enabling technology could be hidden in jewelry, such as a ring, which would perform secure cryptographic transactions that would obviate the need for the user to enter a password.
Sounds very James Bond, but the technology operates much like a YubiKey, a small hardware token that is plugged into a USB port to authenticate the user to other devices and applications. In this case, presumably the jewelry would communicate wirelessly with whatever was trying to authenticate the user. Great idea, until you lose your key (or ring), which is why any token scheme also needs a safe way to recover an account.
Why you’re easy prey to hackers
So why does Google care so much about solving cybersecurity issues? It is not as though Google profits directly from solving these problems. But Google realizes that security attacks on businesses and individuals threaten the internet ecosystem, the same ecosystem that has fueled the growth of economies, enhanced the lives of billions and made Google one of the great technology companies in modern history.
And the fact that Google has focused its research on password management suggests that the preeminent Internet company believes that to solve the current security crisis, we need better password management solutions; the corollary is that bad password management is at the heart of many of the high profile security breaches we read about every day.
We’re not just talking about Apple, Facebook and Twitter, all of which had very public breaches last year. According to the U.S. Computer Emergency Readiness Team (US-CERT), the number of cyber-attack incidents reported by federal agencies has skyrocketed nearly 800 percent in the past couple of years. And by the way, experts believe that only one percent of attacks are ever disclosed. That’s right, one percent.
Perhaps the scariest thing for consumers and business owners alike is that it’s “the little guys” who are increasingly being picked off by hackers as easy prey.
Beyond the “1234” password
Passwords in concept are a great way to secure sensitive technology assets. But that also assumes passwords are used effectively. The fact that “password” and “1234” are still among the most used passwords indicates that people are not using passwords effectively.
It’s not that businesses and individuals don’t take passwords seriously; it is more likely that we all suffer from password fatigue, the strain of having to remember too many passwords. Think about how many computing devices and applications you access that require passwords. Unfortunately, the usual coping mechanism for password fatigue is to pick weak passwords, or worse, to reuse the same weak password for every password-protected system. Reuse is what turns one breach into many: once a password leaks from a single site, attackers simply try it everywhere else. That behaviour is a large part of the epidemic of security breaches we are experiencing.
Even if Google is on the right track with YubiKey-style hardware tokens, it will take many years to replace the current system. More importantly, many feel that a key or token strategy will only be one part of the access security equation. Keys should be used as part of a multi-factor authentication strategy, which should also include password management software.
Which password manager software is for you?
Password management software comes in many flavors, including privileged password applications for IT teams to secure assets such as critical servers, databases, routers, switches and applications. Vendors providing privileged password management solutions include CyberArk, ManageEngine and Quest Software.
There are also highly effective password management packages to help the rank and file manage their many passwords, including LastPass, 1Password and RoboForm. Some password management applications also support shared passwords for groups, such as a finance team whose members all access a common resource like a reporting application or credit reporting service.
Good password management software not only enforces best practices for password management, but it takes the burden of remembering long, random passwords, or of changing them regularly, off the user’s shoulders. Most of these applications store the passwords in an encrypted vault and give users access to them when needed, in most cases automatically logging the user into the desired application once the user has been authenticated. The vault is only as strong as the master password that unlocks it, so that one password must be long, unique and never reused anywhere else.
Sophisticated password managers support two-factor authentication (2FA), which substantially raises the bar for an attacker. Rather than two things the user knows, 2FA combines a password with a second, independent factor: typically a one-time code generated by an app on the user’s phone or by a hardware token. That code changes every few seconds, so a password stolen in a breach is not enough on its own to log in. Twitter and Evernote recently added 2FA following their own public breaches.
You’re not James Bond…use a (strong) password
Passwords aren’t going away anytime soon, and businesses and individuals alike should not wait for replacement technology to start good password management strategies. The fact is, when properly implemented, passwords can dramatically reduce security breaches and loss of sensitive data.
Now, passwords might not be as sexy as 007-inspired jewelry, but I guarantee there are some diamonds in that advice.
Raj Sabhlok is the president of Zoho Corp., which is the parent company of Zoho.com and ManageEngine. Follow him @rajsabhlok.