I can’t believe that in 2009, we still primarily rely on usernames and passwords for authentication and access controls.

Ten years ago, I would have bet you money that by now we would have at least shifted to hardware tokens with cryptographic log-ons for the web and computer systems in general. Even biometric identification, which has been in use for security access at some places for 15 years, looked to be promising five years ago. Remember the flood of fingerprint-reading laptops and personal digital assistants that appeared around then? Most corporate networks today at least use some combination of cipher log-on, smart card tokens, or unique time code systems. The federal government has also almost universally implemented enhanced computer access protocols. In the non-corporate, non-federal sectors, though, usernames and passwords still rule today as they did in the 1960s. There are simply far too many exploits against this system to make it truly viable any longer.


The dangers of reliance on username/password for security were highlighted today by the following story picked up by Google News:

Infoweek.com: Google Offers Advice On Strong Passwords

"Google (NSDQ: GOOG) consumer operations associate Michael Santerre advises using unique passwords for every Web site. He suggests selecting a phrase and using the first letter of every word in the phrase or some variation of that as a password, ideally with special characters added in to make it more secure.

Santerre stresses that passwords should be a mixture of letters, numbers, and symbols to minimize the risk of dictionary attacks, by which cybercriminals use programs to try every word in a dictionary database as a potential password."
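To make the quoted advice concrete, here is an added example (my own code, not from the original post, from Google, or from the Infoweek article) that builds a password from the first letters of a phrase, stores it as a salted PBKDF2 hash the way a site should, and then runs the kind of dictionary attack Santerre describes against it. The wordlist, salt, and iteration count are constructed for the demo and are much smaller than a real cracker or a real application would use.

```python
import hashlib
import hmac
import math
import string

# Constructed wordlist standing in for the dictionary a cracker would load.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "monkey", "football"]

# Fixed salt so the example is reproducible; a real system draws a random
# salt per password with os.urandom() and stores it beside the hash.
SALT = b"example-salt"
ITERATIONS = 10_000  # kept low so the demo runs quickly; production uses far more


def mnemonic_password(phrase: str, suffix: str = "") -> str:
    """Take the first character of every word in the phrase, keep its case,
    and append a suffix of digits/symbols (the method quoted above)."""
    return "".join(word[0] for word in phrase.split()) + suffix


def search_space_bits(password: str) -> float:
    """Rough keyspace estimate: log2(alphabet_size ** length), where the
    alphabet is the union of the character classes actually present.
    This overstates real strength for phrase-derived passwords (letter
    frequencies are not uniform), but it shows what mixing classes buys."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def hash_password(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: a slow, salted hash of the kind a site should store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def mangled(word: str):
    """Cheap mangling rules a cracker applies to each dictionary word:
    the word itself, capitalised, and each of those with a trailing digit."""
    yield word
    yield word.capitalize()
    for digit in string.digits:
        yield word + digit
        yield word.capitalize() + digit


def dictionary_attack(target: bytes, wordlist=WORDLIST, salt: bytes = SALT,
                      iterations: int = ITERATIONS):
    """Hash every candidate derived from the wordlist and compare it with the
    stored hash. Returns the recovered password, or None if the list runs out."""
    for word in wordlist:
        for candidate in mangled(word):
            if hmac.compare_digest(hash_password(candidate, salt, iterations), target):
                return candidate
    return None


if __name__ == "__main__":
    weak = "Monkey7"  # a dictionary word with a common mangling
    strong = mnemonic_password(
        "I would have bet you money that by now we would use tokens", "!09")
    for pw in (weak, strong):
        found = dictionary_attack(hash_password(pw))
        verdict = f"cracked as {found!r}" if found else "not found in wordlist"
        print(f"{pw!r}: ~{search_space_bits(pw):.0f} bits of keyspace, "
              f"dictionary attack -> {verdict}")
```

The point of the run is the contrast: the mangled dictionary word falls to a list of six words and twenty-two rules, while the phrase-derived password never appears in the candidate stream at all, so the attacker is pushed back to brute force over the full keyspace. The slow hash matters too; with a fast unsalted hash the same attack would cost microseconds per guess instead of milliseconds.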

The actual Google statements that fed the story that was picked up are here:

Google’s Gmail Blog: Choosing Smart Passwords

"As part of National Cyber Security Awareness Month, we’d like to take this opportunity to remind you about smart password practices. Help ensure you’re protecting your computer, website, and personal information by checking out our security series on the Google blog or visiting http://www.staysafeonline.org."

I, for one, am ready to see username and password log-ons become relics of the past just as serial ports and CRTs have become. I would even be willing to pay to obtain a true hardware token to enable a stiffer standard. I can continue to wish for an effective, universal, secure biometrics-based system to replace them all.

What does your organization do for logon enhancement? Are you still using only usernames and passwords? Do you enforce the standards for strong passwords that Google recommends? What do you think the most promising future access control systems are? Please share.

This is my Information Technology Thought of the Day for October 9, 2009.

Image Credit: University of California at Santa Cruz
