This post is a reproduction of an article I wrote that was originally published in Business Computing World.
“When you play the Game of Thrones, you win or you die”. One thing that we have learnt from the popular TV show and books is that no one is safe on the throne for long before a younger, stronger, and more entitled claimant comes along to throw you off.
In the authentication battle, passwords have been ruling the kingdom for centuries with methods going back as far as 700 BC when the Spartan military used encrypted scytales to send sensitive missives during war. Despite the historical use of passwords, the overthrowing of this form of authentication has been predicted and heralded for some time now.
In fact, the death of the password has been in discussion for over a decade now. In 2004, Microsoft Chairman Bill Gates predicted the death of passwords and following on from this in 2006, claimed that the end to passwords was at sight.
What Do We Have Against Passwords?
Key arguments for password alternatives relate to better security and convenience – with the proliferation of online applications, passwords now occupy so many aspects of our lives. Remembering a dozen passwords is impossible, storing passwords invites trouble, and managing them manually is a pain.
With high profile security breaches involving stolen identities; attacks on financial institutions, among others, it’s no wonder talk of password replacement captures interest. These security breaches also invite discussions on password replacement and raises the key question: do we have viable alternatives if passwords are put to the guillotine?
Pretenders To The Crown
Biometric authentication, iris authentication, facial authentication, various forms of multi-factor authentications, and even authentication through devices like watches, jewellery, and electronic tattoos are all being discussed. Touch ID became reality to consumer devices when unveiled as a key feature on the iPhone 5s.
Worryingly, some of these alternative authentication methods have been cracked already even before they could be adopted widely. A few years ago, a group of researchers hacked faces in biometric facial authentication systems by using phony photos of legitimate users.
So while we still may get a viable replacement for traditional passwords in the future, in reality, the predictions largely haven’t yet materialised. Passwords are still the most prominent method of authentication to date, and this is largely due to the viability of alternate approaches, which are mostly expensive, require additional hardware components, are difficult to integrate within the existing environment, or are not easy to use.
Passwords Aren’t The Problem, Management Is
In our revolt against passwords, we overlook the actual problem, which is poor password management. Due to the inability to remember passwords, users tend to use and reuse simple passwords everywhere. They store passwords in text files and post-it notes; share credentials among the team members; and pass them over emails or by word of mouth.
Passwords of enterprise IT resources are often stored in spreadsheets, text files, home grown tools, or even in physical vaults. Passwords are further compromised in IT divisions that deal with thousands of privileged passwords, which are used in a ‘shared’ environment.
Real access controls do not exist and passwords of sensitive resources and applications remain unchanged for long periods of time. Poor password management practices like these invite security issues and other problems.
Cybercriminals use a raft of techniques, and their attack patterns continue to evolve, one of which is siphoning off login credentials of employees and administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers and Remote Access Trojans (RAT).
Once the login credential of an employee or an administrative password of a sensitive IT resource is compromised, the institution is vulnerable. The criminal can initiate unauthorised wire transfers, view the transactions of customers, download customer information and/or carry out sabotage.
A word of caution – hackers don’t always come from the outside. Of important consideration is the emerging threat of insider sabotage – caused by disgruntled staff, sacked employees, or entrepreneurial ‘opportunists’. Anyone who has access to privileged passwords – the ‘keys to the kingdom’ – is in a position to misuse them, whether intentionally or unintentionally.
So What’s The Answer?
Bolstering internal controls holds special significance in light of the recent attack trends. Access to IT resources should be strictly based on job roles and responsibilities, supplemented with clear-cut trails that reveal ‘who’ accessed ‘what’ and ‘when.’
Likewise, password sharing should be regulated, and a well-established workflow should be in place for release of passwords of sensitive resources. Standard password management policies, including usage of strong passwords and frequent rotation should be enforced.
Most important is staying vigilant. Too many security incidents occur as a result of lax internal controls — and while passwords often get the blame, it’s really poor password management that’s the culprit. So, for now at least, it appears that passwords will live to fight another day.