
It’s time to kill the password

It’s 2016. Password authentication should be dead — or at least close to dying. Unfortunately, it has not yet reached the quagga stage. Using password authentication is like laundering hotel guest linens with a washboard — it’s passé.
Over the past few years there has been a never-ending deluge of data dumps. Though I’ve never had a business email address compromised, my favorite Gmail account joined the inner sanctum of ';--have i been pwned? in late 2013. This was courtesy of the huge Adobe data breach, which exposed 153 million pwned accounts consisting of internal IDs, usernames, email addresses, encrypted passwords (not properly hashed and salted), and plain-text password hints.

Four months later, in February 2014, the same Gmail address was compromised again at the Forbes website, when hacktivists from the Syrian Electronic Army compromised a Forbes WordPress admin account. The attack garnered usernames, email addresses, passwords, and user website URLs.

Your ISP is not immune from hackers either. In January, Time Warner Cable (TWC) suffered a data breach that may have affected up to 320,000 customers' email addresses and passwords. TalkTalk, a UK Internet service provider, was hacked three times in 2015 alone; the last hack nabbed 1.2 million email addresses.

The Linux Mint hack from last month netted another data dump that included email addresses, encrypted passwords, and personal information; shortly thereafter, the entire database was available on the Darknet for 0.1949 BTC ($85 USD).

I think that most of us can agree that the average Joe has minimal control over database security when registering an account at these sites. When we fill out registration information, create a password, populate our profile, and engage on these websites, security always sits on the chopping block. Aside from a few clues included in site policies, we really don’t know if the website is run by a neophyte or a security pundit.

Kill the password

SplashData’s fifth annual “Worst Passwords of 2015” list reveals that users are still putting their data and themselves at risk by using weak and easily guessed passwords.

Default passwords, never-changed passwords, shared passwords, and weak passwords will continue to haunt the threat landscape. Simple password authentication is not cutting it anymore. Data breaches are all too common now. The hackers get it; why don’t we?



For the most part, we prefer to continue relying on plain passwords for our online accounts. In light of the continuing rise of data-breaches and identity fraud cases, tech firms are addressing this issue in earnest, and are focusing on ways to strengthen and facilitate the password paradigm, or to have it replaced altogether. — Ben Dickson, Techcrunch

The W3C is working on ways to authenticate without a password. Under the “Web Authentication Working Group Charter”, the W3C aims to solve the password authentication problem by creating a client-side (browser) API that lets services use a pair of authentication keys to prove who you are, based on the device trying to log in.

Matthew Warren, Professor of Information Systems at Deakin University, stated in a recent Sydney Morning Herald article: “Within the next decade, either passwords will not exist, or will be used with other forms of identification. Certainly the days of using passwords as the only single form of identification are numbered.”

With data breaches escalating, let’s hope that tech firms replace the washboards soon.


This post originally appeared at the Fortscale Insider Blog.

Author: Teksquisite
6 Comments

Expert Comment by: bodywise
Passwords are maddening. I use LastPass. Many of us have hundreds of passwords. And IT guys are going nuts enforcing the change-every-3-months rule. There must be a better way ... soon. Not in a few years. Banks are using authenticators. There are very simple rules to produce unhackable passwords, but there are stupid requirements: using an uppercase, a number, a symbol but not that symbol. Must be at least 6 characters long. It's all maddening and veering out of control. So good luck finding a solution now.

Thumb prints, retina scans, LastPass,

Interestingly, Amazon is the only company that has perfected the simple rule: you want me to buy, make it really easy. I don't think they have been hacked. So this can be done.

Author Comment by: Teksquisite
I use LastPass also, but even password managers can be vulnerable. I am hoping that an alternative comes along soon. I appreciate your insight, bodywise :)

Expert Comment by: Jaime Lewis
I just saw this article about Amazon implementing a photo/video password system. Pretty interesting stuff! It figures that an eCommerce site would be leading the internet security charge...
http://www.geekwire.com/2016/selfie-spending-amazon-wants-patent-purchasing-photo/

Expert Comment by: Brian Matis
I hear ya! I hate passwords. I hate them so much. I hate them with the burning passion of a thousand suns. I'd use stronger phrasing, but I'm trying not to swear ;-)

I've seriously had panic attacks about passwords. I mean, they certainly made sense long ago, back when it was possible to count the number of systems you'd need them for on one hand, but now, it's absurd how many systems we need to login to on any given day and passwords are just a broken system for that sort of thing.

Just to count a few issues:
- I like Safari's built-in password generator system, but that doesn't help when I'm on my Windows system
- And what about mobile apps that need to login? Do any password systems like LastPass easily work with those?
- Every site seems to have its own special password restrictions, so as soon as you make up a decent method of creating unique passwords for each one, it inevitably won't work somewhere (what do you mean I can't use a dollar symbol!!? arghh!!!)

Expert Comment by: William Nettmann
The quagga is on its way back - maybe the password will survive as well!

Author Comment by: Teksquisite
Thank you all for your comments = passwords must die!