Perimeter
9/10/2011
02:07 PM
Taher Elgamal
Taher Elgamal
Commentary
50%
50%

Passwords: Time's Up?

Stronger authentication is a major security issue yet to be solved

Every security consultant, ethical hacker, or not-so-ethical hacker knows that the easiest way to gain unauthorized access to any network is through social engineering. Even the most sophisticated attack is much easier and more destructive when the attacker gains access to a password to some account or system on a network. The most deadly of these are root or "super-user" passwords that administrators use to manage the network.

It really is imperative that the industry collaborates to move away from password-entry methods. Many of today’s attacks and threats are centered around obtaining passwords from someone. Industry efforts are under way to simplify users' access issues by having a single password that unlocks others -- that is a good benefit to users to make Internet access easier, but the security threat by depending on passwords for access stays.

The time has come for the industry to unify around a suite of standards to remove the use of passwords. There have been efforts in the past -- the Liberty Alliance, for example -- but industry adoption has never happened. Stronger authentication is the most important security issue remaining to be solved for both Internet and enterprise use.

I look forward to the day when I don't need to remember these things.

Recognized in the industry as the "inventor of SSL," Dr. Taher Elgamal led the SSL efforts at Netscape. He also wrote the SSL patent and promoted SSL as the Internet security standard within standard committees and the industry. Dr. Elgamal invented several industry and government standards in data security and digital signatures area, including the DSS government standard for digital signatures. In addition to serving on numerous corporate advisory boards, Dr. Elgamal is the Chief Security Officer at Axway, a global provider of multi-enterprise solutions and infrastructure. He holds a Ph.D. and M.S. in Computer Science from Stanford University. View more of his blog posts here.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-0658
Published: 2015-03-27
The DHCP implementation in the PowerOn Auto Provisioning (POAP) feature in Cisco NX-OS does not properly restrict the initialization process, which allows remote attackers to execute arbitrary commands as root by sending crafted response packets on the local network, aka Bug ID CSCur14589.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.