
7/24/2013
12:57 PM

Campaign Launched To Kill Off The Password

The Petition Against Passwords calls for no more password login

"We want to type and remember fewer passwords. We want a secure and convenient alternative."

That's the mantra of a new consumer campaign kicked off today that aims to spread the word about the failure of today's password authentication model and calls for a simpler and safer alternative. The so-called Petition Against Passwords campaign aims to raise consumer awareness of the problems with an outdated and vulnerable authentication model and to promote ongoing initiatives for next-generation authentication options.

Brennen Byrne, CEO and co-founder of Clef, the authentication vendor that conceived the Petition campaign, says it's all about educating consumers about the password problem and giving them a voice for their frustrations with hacked passwords and the struggle to remember dozens or more passwords for all of their apps and online accounts. "If we can get the conversation started and the pain identified and amplified a little bit, that's a really huge win," Byrne says. "Passwords are a problem all day, every day."

With a constant barrage of online password breaches against organizations of all sizes, including big names like LinkedIn, LivingSocial, Evernote, and Twitter, advocates of nixing the password model are starting to apply pressure for change. Meanwhile, users are advised to create strong, hard-to-guess passwords -- which are also often nearly impossible to remember.

Many users know they're "doing it wrong" by reusing passwords or writing them down on paper to help them remember. "Even people with the best and most secure habits say, 'I know I should be doing better, but I can only do so much. I'm human,'" Byrne says. "A lot of people are feeling this pain. What we wanted to do was give them a voice to those emotions."

At the heart of the campaign is an online petition that anyone can sign, asking for an authentication option that doesn't require a password. "We advocate user authentication that doesn't require us to remember anything ... It should be easy to log in to every site we use now and to register at every new site we want to add. We refuse to rely on our memories for security, and instead insist on standards that make it easy to stay safe and keep our data private," the petition reads, in part. "It's time for our favorite sites to offer a better way to log in. The movement toward easier, stronger, private authentication starts with us, now. My signature demands that sites give me the option to login without a password."

The campaign, which is currently backed by Clef, LaunchKey, Pixelpin, TechFreedom, and Supervisor Malia Cohen of San Francisco, recommends alternative, next-generation authentication technologies, including Clef, the FIDO Alliance, LaunchKey, Mozilla Persona, OneID, Rublon, and Yubico. The Petition campaign's website will also include whitepapers and other educational resources.

"The companies behind it are really just helping promote it and advocate for solutions" for the customer, Byrne says.

[New alliance gaining momentum in push to develop open architecture for authentication interoperability. See Giving FIDO A Longer Leash To Eliminate Web Passwords.]

But the petition isn't the only game in town when it comes to replacing passwords. The Fast IDentity Online (FIDO) Alliance has proposed a new open authentication protocol that would provide users and devices a standard way to identify themselves, regardless of the authentication tools used to log on. FIDO is led by PayPal, Lenovo, Infineon Technologies, and Nok Nok Labs.

"In some respects it's [The Petition Against Passwords] similar to the FIDO Alliance -- of which we're also a sponsor member -- but with a larger focus on community engagement," says Geoff Sanders, co-founder and CEO of LaunchKey, a maker of multifactor authentication software that uses smartphones and other existing devices. "Being that LaunchKey has been solely focused on evolving user authentication and killing passwords since our start over a year ago, we felt the message the Petition Against Passwords is spreading is a message that's in the best interest of both end users and developers. Authentication is at the foundation of everything we do online, and the security and privacy of every individual is at stake. It's a cause worthy of support and discussion."

Ramesh Kesanupalli, founder and chief alliances officer of Nok Nok Labs, a member of the FIDO Alliance, says the alliance concurs that passwords need to be phased out. "The password problem has to be solved with open standards. Whatever mechanism we use has to be done in an easy to use starting point," he says. "FIDO is primarily trying to get to same point as what the petition is asking ... FIDO is about technology companies and bodies coming together to solve the problem for the consumer."

The campaign doesn't necessarily need to garner massive consumer attention, however, to be successful, says Chris Silva, a mobile analyst with the Altimeter Group. The key to making a universal shift away from the traditional password model is getting big-name online players, such as Google, Facebook, and Twitter, to ditch passwords for alternative authentication measures, he says.

"Consumers almost never need to see it or know about it. But if [this gets] connected with big-name social networks and online properties, and advances this idea to think about authentication," that will be a win, Silva says. "It's like the 'eat your veggies' talk. You have to have a strong password," but that doesn't mean consumers are following through on it.

"Unless Facebook, Twitter, [and other] companies are leading the charge, I don't see anything new getting the traction," he says.

Meanwhile, at least one politician is officially on board with The Petition Against Passwords Campaign. Cohen, who represents the Southeast sector of San Francisco, says the continued wave of username and password breaches is eroding public trust in digital identity protection today. "It's clear that usernames and passwords are no longer working. Consumers need to be better informed of those identity solutions that offer greater security and privacy protection," she says. "I encourage consumers to learn more about the petition, and to participate in the conversation on the need for greater digital identity protection."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
tommtom,
User Rank: Apprentice
7/26/2013 | 1:38:01 PM
re: Campaign Launched To Kill Off The Password
I'm up for anything that is easier and more secure than passwords, but it may be impossible to do both.
Daverk,
User Rank: Apprentice
7/25/2013 | 6:47:34 PM
re: Campaign Launched To Kill Off The Password
Once it's easy to manage, not like a picture to complete which sometimes works
gnathan482,
User Rank: Apprentice
7/25/2013 | 5:17:02 PM
re: Campaign Launched To Kill Off The Password
It's about time!