The end of passwords - for sure, but when?

My first blog post "How to create better passwords - why bother?!" back in December, 2005, tried to briefly summarize my thoughts and comments I've been making on the most commonly accepted way of identifying yourself - passwords.

Bill Gates did a commentary on the issue, note where, at the RSA Conference, perhaps the company that's most actively building awareness on the potential/need for two-factor authentication, or anything else but using static passwords for various access control purposes. Moreover, it was again Bill Gates who wanted to integrate the Belgian eID card with MSN Messenger (Anonymity or Privacy on the Internet?) Microsoft are always reinventing the wheel, be it with antivirus, or their Passport service, and while they have the financial obligations to any of their stakeholders, I feel it's a wrong approach on the majority of occasions.

What I wonder is, are they forgetting the fact that over 95% of the PCs out there, run Microsoft Windows, and not Vista, and how many would continue to do so polluting the Internet at the bottom line. My point is that MS's constant rush towards "the next big thing" doesn't actually provides them with the resources to tackle some of the current problems, at least in a timely manner. What do you think? What could Microsoft do to actually influence the acceptance of two-factor authentication, and moreover, how feasible is the concept at the bottom line?

Technorati tags :
security, microsoft, authentication, passwords Continue reading →

How to create better passwords - why bother?!

I have recently came across a practical article on how to create a better passwords, couresy of CSO Magazine. It reminded me of how many times I find myself actually getting into the science of passwords maintenance and creation in order to enforce real-life, cost-effective scenarios, while on the other hand, get myself seriously concerned on how easy it is to have your accounting data abused!

During the years I have written several articles, like this one - Creating and Maintaining Strong Passwords, mainly with the idea to actually provide a pragmatic approach on tackling weak, and prone to be cracked passwords. The result, at least from a sniffing point of view *grin* was that most of my friends lacking security knowledge, were indeed getting concerned by their easy to guess passwords. Later on, they were turning them into entire passphrases with the idea to avoid not having them cracked. That's an example of a "false feeling of security".

And while it was a progress compared to how predictable their passwords really were, strong passwords doesn't address the following issues that I later on covered in another article - Passwords - Common Attacks and Possible Solutions, namely, passwords can be :

- Sniffed
- Recovered
- Unintentionally shared
- Keylogged
- etc.

Recently, both from a CSO's point of view, and the financial industry, two factor authentication, has been gaining a lot of acceptance, in my opinion primary because of its tangibility. It greatly improves the authentication process, given the integrity of the system, and the network itself. And while from an organization's or bank's point of view providing tokens to the entire work force would represent a huge investment, I strongly feel prioritizing in respect to important customers, and executives will play an important role.

On October 12, 2005, the Federal Financial Institutions Examination Council, released its Guidance on Authentication in Internet Banking Environment, thereby enforcing the use of advanced, compared to passwords based only, authentication approaches.

Would it work? I doubt so, but it limits the age-old attacks we are so used to seeing in respect to passwords.

Bruce Schneier has been discussing the dangers of the two factor authenticaion buzz, and as far as online banking is concerned, Candid Wüest has written a very good paper on Today's threats to online banking, namely the techniques discussed fully apply to any type of authentication. Passwords are out of the topic, even two factor authentications has its good and bad sides to it comes to end users' awareness, implementation and configuration.

What are the practical alternatives these days?

Password Safe is a bit unpractical(still works for lots of people out there) in today's interconnected world, namely, a HDD crash for instance would cause a lot of trouble to everyone, let's not mention the "availability" of the data. Just1Key seems to solve this problem to a certain extend. I also recommend you verify the strenght of your passwords by taking advantage of the Password Strenght Meter ComputerWeekly, are also running an article "Security : have passwords had their day?", they sure haven't, at least not on a large scale, the way I've always wanted to see it - One Time Passwords in Everything! Check out RSA's One-Time Password Specifications , the concept in itself has the time frame advantage!

Further reading on the topic can be found at :

The Memorability and Security of Passwords - Some Empirical Results

Passwords you’ll never forget, but can’t recall

One Time Passwords In Everything (OPIE) : Experiences with Building and Using Stronger Authentication

Stealing passwords via browser refresh

A Convenient Method for Securely Managing Passwords

Technorati tags :

passwords,access control,authentication,information security,security,identification

Continue reading →