9/17/2014
07:25 PM
Sara Peters
7 Reasons To Love Passwords

Passwords are often ridiculed, but there are some reasons they should be your nearest and dearest authentication factor.

Passwords get a lot of abuse. With every data breach come outcries for ever-stronger passwords or, better yet, no passwords at all. "Trash those combinations of letters, numbers, and special characters," they say, "and get yourself some biometrics and a hardware token."

Certainly the humans who use weak passwords deserve a modicum of ridicule or censure, but that doesn't mean that all passwords themselves are bad. As Corey Nachreiner wrote on Dark Reading yesterday: "Simply put, a password is a key. If you lose your house key through a hole in your pocket, do you blame the key when a burglar breaks into your house?"

Plus, there are certain things that passwords can do better than other forms of authentication. Here are seven reasons to love them above all others.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
phoenix522
User Rank: Strategist
10/17/2014 | 2:42:37 PM
Re: Do-it-yourself Passwords are Private
Unfortunately, the landlord has a copy of those same keys. Unless you're a homeowner, someone has a key to your place and it is out of your control unless you violate the lease. That's just me nitpicking your example; I do fully agree with where you went with it though.

I don't like biometrics as a single source of authentication for those same reasons, but I also know the human propensity for being lazy. As long as it takes any level of effort, people will have the same password for everything and it will most likely have to do with their favorite pet or something similar.

I really like the idea of entering your password and waiting a couple of minutes for a random PIN to show up on your cell phone, but I think that's overkill for the "Cat Lovers of the Northwest" discussion forums, which is a whole other topic altogether.
prospecttoreza
User Rank: Strategist
9/26/2014 | 10:22:45 AM
Re: static passwords offer little to no security against modern day harvesting techniques...
This whole post reads like an exceedingly long password.
Sadie!
User Rank: Apprentice
9/23/2014 | 3:32:58 PM
Re: Frustration
I hate the maximum number of characters limitation of passwords. I'd make my passwords really long if they'd let me.
symphero
User Rank: Apprentice
9/22/2014 | 1:07:20 PM
Do-it-yourself Passwords are Private
This was implied by your first point, but one of the greatest values in generating your own passwords is that they are truly yours alone, not given to you by others or even warehoused somewhere. Would you want your door locks installed by local law enforcement officers, or would you give them copies of your keys? No. Do you trust them? Probably, but they don't need your keys (based on least privilege as well as constitutional liberties). If you have the tools, you don't even need to hire a locksmith. The same is true with password security; even though it's a big responsibility, users need to manage their credentials using self-generated passwords rather than surrender to an outside authority to provide credentials.

It's not just that someone in a place of influence might fraudulently use your credentials. They may also have the ability to identify you as an individual through your use of credentials they have stored. This is especially true with biometrics, and if they get widely established as a necessary part of authentication, the loss of privacy will be almost irreversible.
Sara Peters
User Rank: Author
9/22/2014 | 12:34:30 PM
Re: Love/Hate relationship
@Robert McDougal Well, I think that's a completely reasonable thing to wish for. It MIGHT happen in your lifetime. I'm thinking positive.
Robert McDougal
User Rank: Ninja
9/22/2014 | 11:53:09 AM
Re: Love/Hate relationship
@Sara Peters I suppose I should clarify: my thought is that passwords should be eliminated as a single factor of authentication. In a perfect world a password should only be a piece of the puzzle.
Sara Peters
User Rank: Author
9/22/2014 | 11:49:58 AM
Re: Love/Hate relationship
@Marilyn Thanks Marilyn! I think my favorite photo is the one with the two men playing chess in the pool. It looks like that wasn't the first time they'd had that idea.
Sara Peters
User Rank: Author
9/22/2014 | 11:47:11 AM
Re: Love/Hate relationship
@Robert McDougal As you say, "I am not sure that passwords will be completely replaced within my lifetime." I agree with you, but here's another question. Do you think they should be replaced, entirely?
cdeaton228
User Rank: Apprentice
9/20/2014 | 5:00:04 PM
static passwords offer little to no security against modern day harvesting techniques...
If we can't protect intellectual property, money, personally identifiable information, health information, credit cards/debit cards, etc., then we sure can expect anyone to protect scans of our retinas, fingerprints, palm prints, voice prints, facial recognition patterns, DNA patterns, etc. Passwords are basically nothing more than a false sense of security, and bad people count on them to gain unauthorized access and to be able to move in and out of our electronic systems with ease and undetected, as they are essentially perfect imposters of legitimate authorized users. The business and consumer cultures of convenience have deeply embedded ease of use by intention into every aspect of corporate and personal computing cultures. To encourage continued use of static passwords is to lead people and corporations into certain continued victimization. Technology vendors continue to embed static passwords into every system and product they produce. Again, this is leading to certain breaches in access and victimization. Change has to start somewhere, and no better place than the people in their personal lives and in the workplaces they saturate every day. I personally think that simple substitution methods generating dynamic one time codes are far superior to static codes/static passwords for user authentication controls. Fairly new solutions from vendors like Syferlock and SwivelSecure offer human beings some very strong, single factor, token-less, server-side generated, dynamically changing at each login attempt, human triggered/executed login authentication for login portals/pages/sites over the internet from either trusted corporate devices or untrusted BYOD or home devices or public devices that are highly likely already compromised (the devices) with some type of credential harvesting or SSL malware-in-the-middle content scanning malware/technology. User simplicity and convenience and predictability are the things that bad people target and count on.
Static passwords are one of those predictable, easy to harvest/steal things. We need to be less predictable, and we need to not reuse the same password twice when logging into anything. I have experienced taking away static 8-character complex passwords from tens of thousands of non-technical users and replacing them with 5-digit simple one time codes (change every login attempt), single factor, server-side, tokenless authentication to great success. This approach reduces the user's keystrokes to gain access to VPNs, Citrix, web portals, web apps, etc., by 65% to simply the normal login and increases security by defeating over a dozen common static password credential harvesting techniques. This leaves the bad people unable to impersonate legitimate users because they couldn't replay any of the OTCs. This technique allows us to avoid hard token authentication devices and soft token authentication devices and voice biometrics and SMS codes. The key is to eliminate the static password entry altogether, because the static password is still embedded on our servers and in our databases while slowly being replaced by true Single Sign On (SSO) PROTOCOL tokenization and key exchange (not widely adopted yet). No end user device should be trusted, whether owned, deployed, managed and secured by your employer or personally owned and secured. All end user devices should be assumed untrusted and assumed already compromised. Therefore, anything the user swipes, touches, types, clicks, speaks or gestures into their devices should be assumed intercepted and copied and known by bad people. This is not paranoia. This is the state of reality in the electronic realm or cyberspace as we know it. The breaches every day demonstrate this with Target, CHS, Home Depot, etc. Traditional two-factor and hard tokens and soft tokens and risk based authentication with IP address geo-location and fingerprinting devices have not stopped or even slowed unauthorized access.
Deception of human beings with social engineering and phishing techniques continues to be very, very successful for the bad people. Good people are naive by spilling intimate details of their lives onto/into social media sites and services, where static passwords allow bad people to harvest not only the good people's static passwords (regardless of how clever and long/strong the passwords or how many passwords there may be) but also enough intimate details for the bad people to be able to answer any security/identity/privacy questions and answers (challenge/response) controls necessary to reset static passwords, register on new websites, steal identities, etc. across the board. We have to reverse some of the ease of use and convenience electronic death trap we have set ourselves up for. We need more innovative can-do thinkers in the security and privacy world that see the glass half full and can see new approaches to tired old problems. We are not winning the access control world. Creating one hundred unique long passwords composed of very long strings of complex characters (e.g. letters, numbers, special characters, case sensitive, phrases, etc.) and trying to change those frequently, remember them without writing them down and so on, does not defeat the dozens of credential harvesting techniques that steal a long complex passphrase with the same simple compute effort (tiny compute cost) that they can steal/harvest a short simple one for future playback. My answer: stop using static passwords/passcodes/passphrases/etc. to login to web sites, web portals, VPNs, Citrix sites, etc. Use OTCs from a substitution approach that never requires the end user to reveal through touch, swipe, click, key enter, etc. the secrets behind the substitution method. This can greatly increase the compute cost for the bad guys to try and back into the secrets needed to defeat the substitution algorithm.
There is some practical and powerful crypto strength and security entropy behind this approach. The good news is that this substitution approach is simpler on end users, with shorter codes than current static passwords, and their hidden secrets don't ever need to be revealed in the authentication process and they don't need to be changed unless the users desire to. SyferLock is just one technology company that I have had great success with for tens of thousands of non-technical users of all ages, genders and demographics. I agree with several of the points of this article about static passwords over biometrics and tokens. Biometrics and tokens come with too many downsides for practical use, and if they are compromised, and they most certainly will be, then we can't change our DNA and biometric markers like we can static passwords or, better yet, one time code secrets and substitution algorithms. I think business people have us hostage to static passwords under the banner that we are all too dumb to try anything else, because we are so dumb that any inconvenience will cause us to stop being productive and fill up their help desks with support calls and cost them too much money to change our bad risky behaviors. Human beings are at the top of the intellectual/intelligence life form hierarchy. This is undeniable in all history. Let's get the facts and information on the table as security and break free of victim or hostage mentality and point the way to a cheaper, better, simpler, safer, faster way to login and authenticate to things over the internet. I hate passwords for very legitimate, rational, logical reasons. They are what bad people use to gain unauthorized access to our personal and professional lives! My discontent with them has driven my focus to find a better alternative. Nothing is perfect, and neither are substitution methods. However, it takes a lot of effort and cost for bad people to defeat them, especially when compared to static credentials.
Bad people are business people before they are anything else. They can't afford to spend too much on one thing when there are a lot of things much easier to victimize. The story of fast and slow gazelles being chased by lions seems to come to mind right now for some reason. For those who continue to rely on the false sense of security of static passwords/passphrases/passcodes/etc., good luck! Everyone else will do well to be the gazelle who is a little bit faster and different than the rest of the herd. In cyberspace, the predators have no geographic territory boundaries and they never sleep nor ever grow weary and their appetite is never saturated and they can wipe out even the largest herds in one moment of time. They are not like biological predators at all, where the biological predators are replete with limitations that allow the vast majority of the herd to always escape. Passwords are simply not safe and are easy to harvest and replay in imposter access activities that are virtually undetectable by today's security technologies. Go forward informed with eyes wide open and avoid saying to yourself that static credentials/passwords are the only choice my employer and cloud provider and web site/portal publishers are offering me, so what else can I do? What else indeed! If it isn't to start with me and you and the information protection/security industry, then who will start and drive forward this user authentication revolution? This is a consumer's world, especially in the information age and the internet of things. If it doesn't exist, then demand it or invent/create it. Thanks for the stimulating article and most relevant topic on passwords. Be agile users with stick and move tactics and embrace change and quick change and change again and again to keep the enemy guessing and, no matter what, don't be predictable. Chuck.
Robert McDougal
User Rank: Ninja
9/18/2014 | 2:59:01 PM
Re: Love/Hate relationship
Might as well love them, because regardless of how we feel they will be around for a long time. I am not sure that passwords will be completely replaced within my lifetime.