The Imminent Death Of The Password, Fact Or Fiction?

By   ISBuzz Team
Writer , Information Security Buzz | May 08, 2014 01:16 am PST

Keeping our sensitive and personal information safe from unwanted eyes is not a modern concept, it is a behavior that we have been demonstrating for centuries, and for as long as we have been trying to do this we have been using ‘passwords’ in its basic sense.

From as early as 700 BC the Spartan military used encrypted scytales to send sensitive missives during war, fast forward to the twentieth century and Nazi Germany were using enigma machines to code communication. The first computer password is thought to have been developed in 1961 at the Massachusetts Institute of Technology, when most people had never even seen a computer.

Despite the historical use of the trusty passwords, its downfall has been predicted for some time now. In fact, the death of the password has been in discussion for over a decade now. In 2004, Microsoft Chairman Bill Gates predicted the death of passwords and following on from this in 2006, claimed that the end to passwords was at sight.

What is our problem with passwords?

Key arguments for password alternatives relate to better security and convenience – with the proliferation of online applications, passwords now occupy so many aspects of our lives. Remembering a dozen passwords is impossible, storing passwords invites trouble, and managing them manually is a pain.

With high profile security breaches involving stolen identities; attacks on financial institutions, among others, it’s no wonder talk of password replacement captures interest. These security breaches also invite discussions on password replacement and raises the key question: do we have viable alternatives if the password death knell is sounded?

The replacements

Biometric authentication, iris authentication, facial authentication, various forms of multi-factor authentications, and even authentication through devices like watches, jewellery, and electronic tattoos are all being discussed. Touch ID became reality to consumer devices when unveiled as a key feature on the iPhone 5s.

Worryingly, some of these alternative authentication methods have been cracked already even before they could be adopted widely.  A few years ago, a group of researchers hacked faces in biometric facial authentication systems by using phony photos of legitimate users.

So while we still may get a viable replacement for traditional passwords in the future, in reality, the predictions largely haven’t yet materialised. Passwords are still the most prominent method of authentication to date, and this is largely due to the viability of alternate approaches, which are mostly expensive, require additional hardware components, are difficult to integrate within the existing environment, or are not easy to use.

If passwords aren’t the problem, then what is?

In the constant and public mudslinging against passwords, we overlook the actual problem, which is poor password management. Due to the inability to remember passwords, users tend to use and reuse simple passwords everywhere. They store passwords in text files and post-it notes; share credentials among the team members; and pass them over emails or by word of mouth. Passwords of enterprise IT resources are often stored in spreadsheets, text files, home grown tools, or even in physical vaults. Passwords are further compromised in IT divisions that deal with thousands of privileged passwords, which are used in a ‘shared’ environment. Real access controls do not exist and passwords of sensitive resources and applications remain unchanged for long periods of time. Poor password management practices like these invite security issues and other problems.

Cybercriminals use a raft of techniques, and their attack patterns continue to evolve, one of which is siphoning off login credentials of employees and administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers and Remote Access Trojans (RAT). Once the login credential of an employee or an administrative password of a sensitive IT resource is compromised, the institution is vulnerable. The criminal can initiate unauthorised wire transfers, view the transactions of customers, download customer information and/or carry out sabotage.

A word of caution – hackers don’t always come from the outside. Of important consideration is the emerging threat of insider sabotage – caused by disgruntled staff, sacked employees, or entrepreneurial ‘opportunists’. Anyone who has access to privileged passwords – the ‘keys to the kingdom’ – is in a position to misuse them, whether intentionally or unintentionally.

So what’s the answer?

Bolstering internal controls holds special significance in light of the recent attack trends. Access to IT resources should be strictly based on job roles and responsibilities, supplemented with clear-cut trails that reveal ‘who’ accessed ‘what’ and ‘when.’ Likewise, password sharing should be regulated, and a well-established workflow should be in place for release of passwords of sensitive resources. Standard password management policies, including usage of strong passwords and frequent rotation should be enforced.

Most important is staying alert. Too many security incidents occur as a result of lax internal controls — and while passwords often get the brunt of the abuse, it’s really poor password management that’s the culprit.

By V Balasubramanian, Marketing Manager (IT Security Solutions), ManageEngine

ManageEngine simplifies IT management with affordable software that offers the ease of use SMBs need and the powerful features the largest enterprises demand. More than 90,000 companies around the world – including three of every five Fortune 500 companies – trust our products to manage their networks and data centers, business applications, and IT services and security. Another 300,000-plus admins optimize their IT using the free editions of ManageEngine products.