Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

12/10/2013
11:06 AM
Dave Kearns
Dave Kearns
Commentary
Connect Directly
Twitter
RSS
E-Mail
100%
0%

2013: Rest In Peace, Passwords

In the future, we will look back on 2013 as the year two-factor authentication killed passwords.

To my way of thinking, 2013 is the TFA year. No, I don't mean "too freaking awesome," though some day we may see it that way. I do think that we'll look back on 2013 as the year of two-factor authentication -- or maybe the year passwords died. No, that's probably too much to hope for. But multi-factor authentication (of which two-factor is a special case) certainly seems to be finally taking hold.

Two of the big three destination websites (Google and Twitter) have introduced optional two-factor authentication. The third (Facebook) has introduced an optional and occasional form of TFA called "login approvals." With this system, you need to use a second factor -- an SMS message -- whenever you access the site from a new platform (PC or mobile device). Once you've logged in from the new platform and registered it, there's no need to do anything except enter your password on subsequent visits from that platform.

More people are urging Facebook to follow Google and Twitter and enable TFA with every login. Additionally, services such as Dropbox, WordPress, and Amazon Web Services offer optional two-factor authentication. The reason people are clamoring for this is quite simple. Just look at the headlines:

That would scare most people, but the headline that scared me was in USA Today last week: Four tips for creating stronger passwords. People, there are no stronger passwords. There's weak, weaker, and weakest. There are no passwords that a human can remember that will keep a determined miscreant (or government service) from cracking your account. None.

The TFA solution vendor Authentify surveyed 428 security pros at financial services, corporate information security, and health insurance providers. In that survey, 41% of respondents said they favored implementing a second authentication factor to strengthen login processes using passwords.

Why not eliminate passwords? According to a whopping 72.5% of Authentify respondents, passwords would continue to be used in their respective worlds. Most of us have given up trying to eliminate passwords. In February 2004, Bill Gates said, "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure." Well, we know how prescient he was.

The solution to the all-passwords-are-weak problem is for additional authentication methods to be used alongside the password. Biometrics (fingerprints, retina scans, vein readers, heart monitors, etc.) are an option -- one that I favor but has strong opposition in the marketplace. Tokens -- both hardware (like the RSA SecureID) and software (such as those provided by the SPML protocol) -- are currently the favored second factor. The Google, Facebook, and Twitter systems rely on software tokens delivered out of band (via a cellular network rather than the broadband network) helping to drive acceptance of that factor.

Apple introduced a fingerprint reader with the iPhone 5S. Samsung is reported to be working on an iris scanner for its upcoming phones. Both are steps to a workable, acceptable biometric second-factor solution. There are even rumors that Google will soon require two-factor authentication for many, if not all, of its services.

Maybe in the years to come, we will look back on 2013 as the year our accounts finally became secure. That certainly would be too freaking awesome, wouldn't it?

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Kristin Burnham
100%
0%
Kristin Burnham,
User Rank: Apprentice
12/10/2013 | 11:18:15 AM
A welcome change
I welcome this with open arms. Managing passwords has become exhausting and frustrating. I can never remember which variation of which password I've used for which site, and resetting a password every time makes it that much more confusing. It's time for a better solution.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
12/10/2013 | 12:44:17 PM
Re: A welcome change
I second that, Kristen. But, alas, it seems that passwords will be with us for some time still. Hopefully, TFA and biometrics will hurry things along. I sure hope so. I am running out of room on my screen for all my sticky notes. 
anon314159265358
100%
0%
anon314159265358,
User Rank: Apprentice
12/10/2013 | 1:05:12 PM
Re: A welcome change
Kristin,


I too have had issues remembering passwords for websites.  I've found the only way to get really good, unique passwords for each site is to use a password manager like LastPass or KeePass.  LastPass is a commercial product, and tends to have more features and updates, while KeePass is open source.  LastPass keeps your passwords in the cloud, KeePass allows you to keep your own encrypted password file.

One of my pet peeves is websites which require you to set a password without telling you what the restrictions are.  So, I come up with this 48-character password, only to find out the password is limited to 16 characters (yes, that's you, Microsoft Outlook.com.), or that it only allows certain special characters, or something else.  Just tell me up front what you expect.  Is that really so hard?
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
12/10/2013 | 1:52:22 PM
Re: A welcome change
I've never checked out password managers -- I'll have to look at those two suggestions. Thanks for the recommendations!
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
12/10/2013 | 4:27:24 PM
Re: A welcome change
I'd expect third-party password management apps to give way to something like KeyChain from Apple.
anon314159265358
50%
50%
anon314159265358,
User Rank: Apprentice
12/10/2013 | 1:00:07 PM
Passwords, or Multi-Factor?
Passwords will may disappear to a large extent at some point.  What to replace it with?  I like some sort of multi-factor system, e.g., a password, a generated token (app, text, voice), and a biometric (fingerprint, double-iris scan).  You might be able to fake two, but all three is much harder.  The more sensitive the site, the more factors should be required.


There are a couple of things that are being done now.  The Department of Defense has a Common Access Card (CAC), which requires a 4-8 digit PIN to authenticate.  If the PIN is entered wrong three times, the card is useless until it is unlocked by a CAC representative.


Something similar is available now from the Free Software Foundation Europe (FSFE, https://fsfe.org/fellowship/card.en.html).  They issue smart cards to each of their members.  Yes, you can get smart cards cheaper elsewhere, but they come with a pre-assigned key, and you can add your own.  Nicely, they are also printed with your name, so if it is lost, it can (maybe) get back to you.  It also has  PIN, which can be used to lock (or erase) the card if entered incorrectly too many times.


Passwords as the only authentication method?  Nope.  Passwords supported by multi-factor authentication?  Yes.
Shane M. O'Neill
50%
50%
Shane M. O'Neill,
User Rank: Apprentice
12/10/2013 | 1:47:35 PM
a password alone will not stand
Looks like a password in tandem with a biometric component or a token will be the new normal. Hopefully soon. It's become clear that a password alone, even a "strong" one, is not enough to secure you. I'm embarrassed to say I still have all my various passwords written on a piece of paper tucked in a book. Time to look into a password manager.
jasonscott
100%
0%
jasonscott,
User Rank: Apprentice
12/11/2013 | 1:24:02 PM
Re: a password alone will not stand
First, I don't believe that there's anything inherently wrong with passwords -- they're a good first step at securing things. But, like anything, they aren't perfect.


Adding biometrics or a token as a second factor makes it exponentially harder -- if not impossible -- for some ne'er-do-well to access your stuff.


As for the old practice of writing passwords down ... it's obviously less than ideal. But there is a way to make it safer: when I have to do that, I write only part of the password -- enough to remind me, but not enough to get someone in. Maybe the first and last letters, like M...y (for Mickey), or maybe the initials, if it's a phrase, like T.p.I.j.t.I (This password Is just too Insecure). You get the idea. That way, even if the paper is seen, no one knows the password. I actually go a step farther: I do the same for the system that they're used for -- just some kind of unidentifiable abbreviation. It's not tricky nor foolproof, but I'm not simply giving away access if someone discovers my cheat sheet.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/12/2013 | 8:01:54 AM
Re: a password alone will not stand
@jasonscott, Those are great suggestions for my post-it note reminder list(ugh!). But why not have two factor authentication with the second factor something besides a password e.g. SMS text + biometric?
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
12/10/2013 | 4:43:48 PM
I'm starting a death-of-password list
I will start a list of predictors of the death of the password, with Dave Kearns at the top. Let's see if this list gets as long as the list of those who predicted the death of the mainframe. We better dig in for a long stint of list compilation.

 
dak3
50%
50%
dak3,
User Rank: Moderator
12/10/2013 | 5:00:59 PM
Re: I'm starting a death-of-password list
Not me! It will Bill Gates almost 10 years ago who predicted the death of the password. I think they'll never day, just hopefully become irrelevant.

 

By the waym I do suggest everyone look into KeePass...
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
12/10/2013 | 5:46:03 PM
Re: I'm starting a death-of-password list
I could live with passwords becoming irrelevant. 

As for password managers, it's time for a true confession. I tried one once and then I forgot my password. But Dave, on your recommendation, I'll give KeePass a try. :-)
dak3
50%
50%
dak3,
User Rank: Moderator
12/10/2013 | 5:54:59 PM
Re: I'm starting a death-of-password list
For the one password you do need to remember, make it a phrase or a line from a song but substitute a number or symbol or two for letters:

 

W1nter W0nderland

 

for example

 

-dave
Susan Fogarty
100%
0%
Susan Fogarty,
User Rank: Apprentice
12/10/2013 | 9:20:26 PM
Log out
Another dangerous thing people do, especially on the iPhone, is to remain logged into all their applications all the time. Many websites or apps that handle sensitive data will log you out after a specified time, but you'll stay logged in to Facebook, Gmail, LinkedIn, etc. indefinitely. If you lose you smartphone and all of those are accessible, it doesn't matter if the passwords you set up were good.
mak63
50%
50%
mak63,
User Rank: Apprentice
12/15/2013 | 8:17:56 PM
I hope the author is right.
Even though I've been using -for years- a very good password manager (RoboForm), I agree, old fashion passwords have to go. I personally like some sort of biometrics security. Fingerprint reader (Apple)  is good. Iris scanner (Samsung) seems to be more practical. I like the most voice recognition along with some sort of short pin. Star Trek Voyager fan here
J_Brandt
50%
50%
J_Brandt,
User Rank: Apprentice
12/26/2013 | 10:52:23 AM
Agree.. but
Passwords aren't that bad.  It is the people and process surrounding them that is the real concern.  There have been many good suggestions for passphrases and letter/number substitutions and more.  Some of us have been doing that for a decade.  I find resistance to two tier authentication in most instances because people find it too intrusive.  Google, Twitter and others maybe have the ability for users to engage in a higher level of security, but I have not seen any statistics that indicate it's getting significant use.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25159
PUBLISHED: 2020-11-24
499ES EtherNet/IP (ENIP) Adaptor Source Code is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.
CVE-2020-25654
PUBLISHED: 2020-11-24
An ACL bypass flaw was found in pacemaker before 1.1.24-rc1 and 2.0.5-rc2. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went throu...
CVE-2020-28329
PUBLISHED: 2020-11-24
Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19.
CVE-2020-29053
PUBLISHED: 2020-11-24
HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter.
CVE-2020-25640
PUBLISHED: 2020-11-24
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.