Despite calls from the White House to “kill the password,” it still is the most widely deployed method of access control and there is no likely replacement in sight. The password will be with us for the foreseeable future, but it could use some shoring up.
By William Jackson
The Tech Writers Bureau
The password is under a lot of pressure. Everyone hates managing it, it is decried as unsecure, and the White House wants it dead.
“I continue to challenge the research and development community to ‘kill the password’,” Michael Daniel, the president’s cybersecurity coordinator, recently wrote.[https://www.whitehouse.gov/blog/2015/02/02/strengthening-cyber-risk-management] Fingerprint readers are becoming common, companies are investing in facial and voice recognition, and mobile devices are being used as authentication tokens.
But, the user name and password remains the most widely-deployed means of authentication and there is no likely replacement in sight. Whatever its shortcomings, the password will be with us as a factor for authentication for the foreseeable future. It could use some shoring up, however.
The password has its advantages. It is easily used for authenticating users on almost any application or system, it is easy to understand, and it can be adjusted to provide the appropriate level of security by increasing its complexity. The problem is that it is difficult to scale, on both the front and back ends. Users become overwhelmed when managing passwords for multiple accounts, and help desks become overwhelmed with reset requests. The easy fix is to reduce password complexity and reuse them for multiple accounts, but that creates security problems.
Alternate schemes show promise but do not solve the password’s shortcomings. Biometrics work on a “close enough” basis and are not necessarily more secure than passwords. Digital certificates and tokens must be managed like passwords (although they do not have to be memorized), and use of a mobile device for authentication ties you to a cell phone or tablet. Most of these methods are proprietary, none are universally applicable, and many require special hardware.
If the password is not being replaced, how do we make it better?
First, accept that there is always a tradeoff between security and usability. No security is perfect, and the stronger it is the more cumbersome it is. This applies to passwords. There are reduced sign-on tools and management tools that can help users maintain strong passwords without having to memorize all of them. None of these tools are perfect; but nothing is.
Administrators can do a better job of protecting passwords. A breach of a password database is potentially more serious than the theft of a single password from its users. Encrypt these files. Encryption adds overhead and is not perfect; but again, nothing is.
And the password does not have to do it alone. Although other technologies are not ready to replace it, they can be used with passwords to provide stronger multi-factor authentication when needed.
In an upcoming post, I will take a look at the strengths and weaknesses of biometric authentication.
William Jackson is a freelance writer with the Tech Writers Bureau [www.techwritersbureau.com]
Follow him on Twitter @TheCybereye.