Passwords are not gone yet, so vigilance is still essential
Thursday, June 16, 2016 6:26:42 AM
Insurance helps companies offset data breach expenses
Bill Gates predicted the death of the password in 2004, and others have wished for its demise over the years. However, only now are we starting to see passwords being incrementally replaced in the technology we use. For example, I solely rely on the fingerprint scanner to access my iPhone and install mobile applications, but I need to enter my password when my iPhone restarts or a new update is installed.
Amazon’s iPhone application and Hawaii State Federal Credit Union’s banking application both allow you to log in and complete an order or manage your account using the fingerprint scanner. These are wonderful conveniences, but I still need my password to log in through a Web browser for both services. In fact, most services that provide alternate login methods still require a password to set up and maintain the service.
The death of the password seems within reach, but the fact that we still need to know and use a password shows its stubbornness to live and remain our primary security authentication mechanism. Ironically, despite Mr. Gates’ prediction, when I create a new account on Microsoft’s premier cloud services Office 365 and Azure, I’m required to provide a password. Virtually every new cloud service still relies on passwords to authenticate users. If passwords were truly on death’s door, new online services would not provide them as authentication options.
The exponential growth of the Internet of Things is breathing everlasting life into the password. Nearly every Internet-enabled webcam, light, automobile or refrigerator requires a password for secure access to the device or to the service supporting the device. Gartner Inc. forecast 6.4 billion connected things worldwide in 2016, which will reach 20.8 billion by 2020. This portends a future in which all these Internet-connected things will be recording, monitoring and analyzing multidimensional aspects of our daily lives, and all secured by passwords we create and manage.
We’ve already seen the effects of poorly managed Internet-enabled things. Search engine Shodan catalogs information on Internet-accessible devices by constantly scanning the Internet and often identifies vulnerable devices. In January it launched a tool that lets people find and view publicly available webcams. It was even able to take screenshots of what the webcam was viewing (e.g. baby monitors, industrial facilities, security monitors) because no password secured the device. Unfortunately, many people use webcams in their homes without enabling password protection. In 2014 a Russian website temporarily broadcast footage from webcams protected using very weak passwords.
In the end the password is here to stay for a long time. It is the fastest, most convenient way for service providers to deliver an online service while providing some level of security that is controlled by the consumer. When you create a username and password to access a device or service, it is immediately shared. The password is stored by the device or the service provider in order to verify your logins, meaning that it’s at risk of compromise if there’s a vulnerability with the device or in the security of the service provider. Knowing this, consumers must operate on the assumption that passwords could be compromised and manage them carefully. Reasonable password management includes:
- Creating a complex password to reduce the success of guessing.
- Avoiding reuse of passwords to prevent compromising multiple accounts if one is breached.
- Changing passwords periodically so if your password is compromised and you’re not aware of it, it will be for only a limited amount of time.
- Using multifactor authentication when possible.
- Periodically reviewing logs or accounting of logins to spot any that might not have been you.
Last, store your passwords in a secure place where you’ll immediately notice if someone has accessed them without your permission. Passwords will be with us for a long time, so we need to learn how to better live with them securely.
Michael Miranda, director of information security at Hawaiian Telcom, holds current Global Information Assurance Certification (GIAC) and is a Systems and Network Auditor (GSNA), a Certified Intrusion Analyst (GCIA) and Certified Forensic Analyst (GCFA). Reach him at email@example.com.
© Honolulu Star-Advertiser
Visit this article in the Star-Advertiser