
Risk | Commentary
9/25/2019 10:00 AM
Chris Roberts

The Future of Account Security: A World Without Passwords?

First step: Convince machines that we are who we say we are with expanded biometrics, including behaviors, locations, and other information that makes "us" us.

Passwords
Passcodes
Passphrases
No Passwords
Two factors
Three factors
Biometrics
Facial (smack head against phone…)
Prove you exist
Prove it's you that's proving you exist …

... at which point most people will have thrown the device away, gone back to their notepad or Post-it note, and dug out the old password from years back that still gets them into everything under the sun, which, let's face it, is probably root/calvin, root/toor, admin/letmein, or something akin to these.

We're all creatures of habit. We look for simplicity and ease of use because we're inundated on an hourly basis by applications, systems, phones, cars, fridges, and even the toaster asking us to identify ourselves before we get any meaningful service or a warmed-up waffle.

And herein lies the problem: A long time ago, someone, somewhere, in a mainframe (probably in another galaxy) decided that we needed to associate each human with an account, unique to them, and then protect it (little did they know) with a code that only that one human would ever be able to use or remember.

There's short-sighted and then there's not being able to see to the end of your nose. The password flaw is something that its inventor, the recently deceased Fernando Corbató, was keen to point out. This is, let's face it, on par with the Y2K flaw but without the immediate consequences. We keep living with the issue; heck, we have a World Password Day (first Thursday in May) when we actually celebrate that we can't fix something that's arguably been the bane of our existence since the '60s! The password is to us like the common cold is to healthcare.

The challenge is one of balance. We need/want safety and security, but we like privacy (that is debatable, I know). We also want usability (as shown by all the blinky stuff we keep buying in the hopes of an easier life). Unfortunately, these three forces are acting upon ALL the various options out there vying for supremacy on the password battlefield, and, presently, no one has really come up with something that would keep all parties happy. Remember, our audience is everyone from the NSA/Mossad folks securing their systems to my mother and her computer login to Tesco supermarkets for home crockery delivery. Whatever we come up with must solve this entire spectrum of users.

Some progress has been made in the realm of passwordless solutions, some of which do a fantastic job of uniquely managing credentials in a manner that allows for seamless transactions across multiple platforms. Others can take existing credential techniques and mask them behind a much more collaborative, intuitive, and manageable front end, creating vaults that actually do work, and solutions that tie together all the myriad technologies out there. But, in the end, what they are doing is helping to navigate the mess that is underlying a well-built 1960s veneer: a set of credentials assigned to us, by us, for us, or for our use still has to be part of an access solution. Only now, instead of one mainframe, we have 1,001 apps, systems, websites, programs, ERP systems, etc., all clamoring to understand who we are and whether we should be allowed in.

So, what are we to do? What are our options, and where will we be 5-10 years from now? Will we still be fending off "Summer2019!" as the default corporate password, or will we have finally put the '60s to rest and moved on?

In the short term, we have to convince the machines that we are who we say we are, so let's take biometrics and expand it to include behaviors, locations, and other information that makes "us" who we are to the outside world.
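
As an added illustration of the short-term direction described above (this is the editor's example, not the author's code or any product's logic), the following Python sketch shows a risk-based check that layers location velocity, device familiarity and one toy behavioral feature on top of the credential itself. The event fields, coordinates, thresholds and score weights are constructed assumptions for the example; the only real formula is the haversine great-circle distance used to detect "impossible travel" between two logins.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Thresholds below are illustrative assumptions, not values from the article.
MAX_PLAUSIBLE_KMH = 900.0      # faster than this between two logins is "impossible travel"
CADENCE_DEVIATION = 0.5        # >50% change in typing cadence from the user's baseline
STEP_UP_AT, DENY_AT = 1, 4     # risk score thresholds


@dataclass
class LoginEvent:
    ts: int                   # unix seconds
    lat: float
    lon: float
    device_id: str
    typing_cadence_ms: float  # toy behavioral feature: mean inter-keystroke interval


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess_login(prev: Optional[LoginEvent], cur: LoginEvent,
                 known_devices: Set[str], baseline_cadence_ms: float) -> Tuple[str, List[str]]:
    """Combine device, location-velocity and behavioral signals into a decision:
    'allow' (credential alone suffices), 'step_up' (demand a second factor) or 'deny'."""
    score = 0
    reasons: List[str] = []

    if cur.device_id not in known_devices:
        score += 2
        reasons.append("unrecognised device")

    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = max(cur.ts - prev.ts, 1) / 3600.0   # clamp to avoid division by zero
        if km / hours > MAX_PLAUSIBLE_KMH:
            score += 3
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")

    if baseline_cadence_ms > 0:
        deviation = abs(cur.typing_cadence_ms - baseline_cadence_ms) / baseline_cadence_ms
        if deviation > CADENCE_DEVIATION:
            score += 1
            reasons.append(f"typing cadence deviates {deviation:.0%} from baseline")

    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons


# Constructed sample history: a user who normally logs in from London on one laptop.
KNOWN_DEVICES = {"laptop-a1"}
BASELINE_CADENCE_MS = 120.0
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
LAST_LOGIN = LoginEvent(ts=1_569_400_000, lat=LONDON[0], lon=LONDON[1],
                        device_id="laptop-a1", typing_cadence_ms=118.0)


def demo() -> List[Tuple[str, str]]:
    """Run three constructed follow-up logins through the assessor."""
    cases = {
        "same city, same laptop": LoginEvent(LAST_LOGIN.ts + 3600, *LONDON, "laptop-a1", 125.0),
        "same city, new phone": LoginEvent(LAST_LOGIN.ts + 3600, *LONDON, "phone-z9", 125.0),
        "New York an hour later, new device, odd typing":
            LoginEvent(LAST_LOGIN.ts + 3600, *NEW_YORK, "kiosk-77", 260.0),
    }
    return [(name, assess_login(LAST_LOGIN, ev, KNOWN_DEVICES, BASELINE_CADENCE_MS)[0])
            for name, ev in cases.items()]


if __name__ == "__main__":
    for name, decision in demo():
        print(f"{name:50s} -> {decision}")
```

The point of the sketch is that none of these signals replaces the credential; they decide whether the credential alone is enough, whether to ask for a second factor, or whether to refuse outright, and every decision carries the reasons so that an analyst can audit why a login was challenged.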

Long term, take that concept of "us" and who we appear to be and start to look at our very existence, our experiences, our lives, and our memories. I'm talking about taking neural information, directly from the gray matter between our ears, that would demonstrate that we know the location, the bank, the account, the office, the card, and, if we're smart about it, we correlate that with the device itself knowing "us." Therefore, our very existence and interactions become our key. Essentially, we don't have to prove who we are — we just have to be ourselves.

Will that solve all the password problems we collectively grapple with daily? Probably not, but it should at least eradicate 123456 or the more complex version of adding 789.


Chris is one of the world's foremost experts on counter threat intelligence and vulnerability research within the information security industry. He has led or been involved in information security assessments and engagements for the better part of 20 years and is credentialed ...
Comments
Hackerproof Tech, User Rank: Apprentice
10/3/2019 | 2:11:39 PM
Re: What am I missing?
tdsam,

My fundamental belief is that passwords are not an appropriate tool for securing remote access. The issue is not so much passwords, inasmuch as they can be replaced by biometrics, which has a place, but is not a generic wholesale replacement. It is the entire system of matching static tokens, where one static token - bio, mnemonic, photo, password, etc. - is matched; the fact is that the flaw is not just that they are stored on a server which may be subject to compromise, but that they can be spoofed by a rogue agent.

The need is not for a better password system but a method to eliminate matching tokens completely. Regardless of how complicated you make a password system, it remains with two very large vulnerabilities. Making it more complex makes it more difficult.

tdsan, User Rank: Ninja
9/30/2019 | 2:26:23 PM
Re: What am I missing?
I agree with you Mr. Tech, lol. This is very generic. There is a company called BeyondTrust or CyberArk who is doing a pretty good job at securing the environment. The only problem with these technologies: if you set it up in an Active/Passive (A/P) configuration where the primary site gets disconnected, the other locations won't be able to log in, because their passwords are so secure, or up to 127-character passwords after you sign in. The keys will not allow the user to change it from A/P to A/A (Active/Active), so I do think there is a design flaw, but they should see it after they get a number of complaints.

Now, if the user added BeyondTrust to the cloud, connected sites to this while at the same time creating an Active/Active environment, then I would say yes, this works pretty well as long as the sites have domain controllers on the external sites and they create a trust infrastructure that is not solely dependent on the other.

I do think the solutions they have on the market work pretty well, but I don't think they have thought through the contingency planning if something happened to their solution from a corruption standpoint when the software updates itself. They are moving in the right direction, but this solution is for major institutions who have large amounts of money. From a vendor perspective, it seems we need to take into consideration the "mom & pop" stores that were mentioned; they may need to wear something around their neck to help them remember, or utilize the TOTP protocol as an MFA solution. Not sure how to handle this; this will take time or a lot of hand holding.

T

 
Hackerproof Tech, User Rank: Apprentice
9/26/2019 | 1:25:06 PM
What am I missing?
Interesting read, but doesn't pose any new information.

It seems to say, 'we need a better method of identity and authentication than passwords'.

I think that is obvious. Two step and two factor are a PITA, and it's the best you can do.

To assign credit for the invention of the password to Fernando Corbató can only be done by someone who has not seen a WW2 movie.

In fact passwords go back to before the Roman Empire. "Who goes there?" - "I am Spartacus" - "What is the password?" - "Hail Caesar." - "Enter"

So what am I missing? Or did I get it right?

REISEN1955, User Rank: Ninja
9/25/2019 | 10:49:31 AM
For what it is worth
Two factor at least does provide some protection, and having it aligned with background authority data would be great. Some sites use excellent qualifications such as Social Security. Try that one; it asks for loan data for about 10 years on stuff you probably forgot about. It's damn hard to crack it. You had a college loan in 2004 - who carried it? And given that loans are often sold between banks, that can be a killer to get right. Two factor would help, but this is a fine example of multi-data sourcing for authentication.