The media has proclaimed the password is dead and that a new solution is a must. Jack Wallen explains why he doesn't think we're even close to ready for such a change.
The idea that passwords are over, and the collective "we" must move on to a more secure and reliable solution has been hammered home this year. Password-driven security has failed us time and again, yet the thinking that we must immediately move on from passwords is not practical.
How dare I, a pundit in an industry that thrives on saber rattling prognostications and proclamations, make that statement! It's simple: We aren't even close to being ready to migrate away from password-as-security. How can I say such a thing? Two words: end users. Before anyone balks at that, let me explain.
SEE: Worried about identity theft? Then you should avoid these password pitfalls (TechRepublic)
First and foremost, end users are very slow to change. They've been using the password to secure their computers and data for decades. It's how we work--it's how we're wired. We need to protect something, so we place it behind a password- or combination-protected "wall." We lock our belongings away in a house, protected by a simple key mechanism, that can be overcome with a set of picks you can purchase from Amazon.
Second, the average end user tilts toward very simplistic windmills. Complication makes things a challenge and very few users want to face down a challenge every time they have to access their data. Simplicity is why passwords work, and it's also why passwords have failed.
No matter how hard we push, users always trend toward the easy (and weak) password. According to SplashData, the most used passwords of 2015 were:
That's a list certain to make any admin cringe and wonder why even more data hasn't been taken from servers and desktops. The truth of the matter is simple: People choose passwords like 123456 because they do not want to add complexity to their lives.
And yet, we writers of the tech fantastic think dropping passwords is a viable option, but in favor of what? Biometrics? That would require the widespread purchase of new hardware. SSL encryption keys? Ask the average user what an encryption key is and see how many different answers you get.
Michael Daniel, POTUS' cybersecurity coordinator, said in 2015, "Kill the password dead as a primary security measure." Mr. Daniel suggested biometrics as the replacement for passwords.
I get that sentiment--the password, as typically handled by the end user, has failed us. But it's not so much the idea of the password, but its implementation.
Why is 123456 an option?
I would like to ask every systems and network engineer on the planet one question: Why is 123456 a password option?
For that matter, why are we allowing anything remotely resembling the top 25 passwords to be viable? Every computer system on the planet should have strong password requirements. Every. Single. One.
I've stepped into situations where the root password of a server on a major network was protected by password123. The first thing I did was change the password to something neither myself, nor any other employee, could memorize. That combination of alphanumeric and special characters was then retained in a password vault protected by a very challenging password (though one that I could memorize), on a machine that wasn't connected to the same network.
So, the fault doesn't lie entirely in the lap of the end user. Weak passwords are rampant, and it is one of the main reasons why this system has failed us over and over again.
What is the solution?
System administrators can enforce the use of strong passwords by "training" end users to understand that strong passwords are not an option, but a requirement.
- Passwords need to be strong.
- Passwords need to frequently change.
- Passwords need to be taken seriously.
SEE: Password Management Policy (Tech Pro Research)
Apple and Google should force users to not only set up their mobile device lock screens, but the systems should only accept strong passwords. Then, Microsoft should require anyone using Windows 10 or Office 365 to use a strong password for their accounts. The end user will become accustomed to the idea that a password isn't an afterthought, but a serious means of protecting their precious data.
Keep on dreaming
We can and should keep on dreaming of brilliant new technologies that will serve to protect our data. Someday society will reach the point where the simplistic password approach is no longer a means to secure data.
As hackers get more agile and able, we are seeing more data stolen and will need that improved solution ready to go. When that day comes, let's hope that end users are ready to make the change and make it fast. Until then, administrators and programmers have to deny the likes of 123456 as viable passwords on every conceivable level.
Period. End. Of. Story.
- Is it time to replace passwords with passthoughts? (TechRepublic)
- Firms that force you to change your password are clueless says cyber security chief (TechRepublic)
- Using XaaS for your business? Then you need one of these multifactor authentication apps (TechRepublic)
- How to add more entropy to improve cryptographic randomness on Linux (TechRepublic)
- 1Password: The smart person's guide (TechRepublic)
- Five password management apps that will work on all your devices (TechRepublic)
- Changing your password regularly is a terrible idea, and here's why (ZDNet)
- The guide to password security (and why you should care) (CNET)