Are Passwords Really Dead?

Are passwords slightly alive?

All Dead?

Passwords have received a sizable black eye in the media lately. Perhaps rightly so. After all, passwords played a role in 3/4 of network intrusions in 2013.

Many infosec wonks have declared the password dead without even reaching for the defib.

So, are passwords really an irrevocably bad credential? Have they ceased to be? Are they an ex-credential?

No.

Not even a little bit.

We just need to think about using them differently.

Blaming a password for a compromise is like

blaming a monkey for a car crash

The negligence lies with the person who gave the monkey the keys. Sadly, the monkey gets all the blame from the media. Poor monkey.

By the way, negligence is a word that shows up frequently in legal circles because it implies a lack of responsibility. That makes me wonder how long it will be before some unsuspecting organization is found legally negligent for trusting passwords alone as an adequate access control.

We should all know better by now.

Mostly Dead?

The fact of the matter is that passwords are the most portable, inexpensive, easily changed credential available. Their well-known vulnerabilities can be compensated for by adding a secondary credential to create Multifactor Authentication (MFA).

MFA solves many of the problems associated with passwords alone. Ultimately, both factors are unlikely to be compromised at the same time.

Think about ATMs:

Have you ever forgotten your PIN? Or lost a card?

Probably.

Have you ever lost your PIN and your card at the same time, to the same person?

Almost certainly not.

Using a knowledge-based credential (like a password) in conjunction with either a possession-based credential (like a key), or an inherence-based credential (like a fingerprint) can help prevent any one credential’s weaknesses from allowing a compromise.

In short: diversifying risk increases the resilience of the system.

Partly Alive?

Remember, passwords are not inherently evil. They have some flaws, but they also have some very redeeming qualities, and will continue to be around for some time. Just remember to reinforce your passwords with a secondary credential (we have some suggestions if you’re interested).

Sadly, as far as we know, there are no MFA providers that allow a monkey as your secondary factor.

Progress can only get us so far.

–Andrew

Posted on 2014/11/10 in Security

About the Author

Founder, Enthusiast, Geek, Advocate