PC Pro

Farewell to passwords

Why it’s time to say G00d!bye


“Passwords aren’t the best security solution,” Yaron Baitch, LastPass’ senior director of products, told us. “Their strength depends on humans, who are prone to errors… but they are cheap, scale well and don’t require a lot of technical expertise to implement, so they’ve been difficult to replace.”

The problem, Baitch explained, is that too many of us recycle the same password across multiple accounts (of those who do vary their credentials, 39% create more secure passwords for their personal logins than they do for business). So, if staff credentials have been leaked somewhere else, someone outside of your business could have the keys to your network.

That’s more chilling when you consider that, according to Sophos estimates, 150 million user records were exposed in the Adobe breach of 2013, while almost a billion records were involved in the 2016 Yahoo leak.

“Your entire life [can] come tumbling down because someone has access to that single password,” said Will Moore of 1Password creator AgileBits, but that doesn’t mean passwords have had their day. The key is to mix things up, he said. “Every website you log into needs to have a different and secure password. That’s the only way a password will remain secure now.”

Both 1Password and LastPass help: they can generate and store passwords to be filled in automatically when the user next needs them, removing the burden of remembering each one, or the temptation to write them down. My1Login performs a similar function, working with a wide range of online services and local applications, but it hides the password from the weakest link in the chain: the end user.

“If everybody was using high entropy, long, random passwords the world would be a much more secure place,” said Mike Newman, My1Login CEO. “The reality is they don’t, so it’s in organisations’ interest to move on from that as quickly as possible.” My1Login’s approach is to only allow employees access into systems via the corporate My1Login account.

Passwords are still there, then – it’s just the way they’re being used that’s changing.

Two-factor authentication

Two-factor authentication (2FA) is further prolonging passwords’ useful life. Commonly used by banks and by websites that invoke an extra layer of security when they spot a user logging in from an unknown browser, 2FA often involves sending a PIN to a mobile phone or using a time-based code generator to produce a number that needs to be entered alongside the password. Only if the password and code match can the user proceed.
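The “time-based code generator” described above is usually TOTP (RFC 6238): both the phone app and the server derive a six-digit code from a shared secret and the current 30-second time step. The server-side verifier below is an added example, not code from the article or from any vendor quoted in it; the secret is the RFC’s published test secret, and the one-step drift window and constant-time comparison are the checks a deployment needs.

```python
"""Added example: server-side verification of a TOTP (RFC 6238) second factor."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # how long each generated code stays current
DIGITS = 6          # length of the code the user types in

# RFC 6238 test secret ("12345678901234567890" in base32), embedded for the demo.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password for a counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = STEP_SECONDS) -> str:
    """Time-based code: the counter is the number of whole steps since the epoch."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(at_time) // step)


def verify_totp(secret_b32: str, submitted: str, at_time: float,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step or up to `window` adjacent steps.

    The window tolerates small clock drift between phone and server; the
    comparison is constant-time so response timing leaks nothing about
    how many digits were right.  A real deployment would also refuse to
    accept the same code twice and rate-limit attempts.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-window, window + 1)
    )
```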

Baitch describes it as “one of the most straightforward and secure safety measures currently available” and something that should be implemented wherever possible, because it “protects user credentials from password-guessing software, eliminates the collateral damage from successful phishing attempts, and adds protection for consumers.

“Security should [also] be situation-dependent,” he added. “A privileged account with access to critical company data should have role-based restrictions in place and heavier protection measures. It’s not just about where the data is stored (though that’s certainly an element) – it’s also about the type of data, and what its loss would mean for the business or customers.”

Moore, at 1Password, has similar ideas. “The key for business is to find a balance between security and usability. If you have an insanely secure system but you have 300 staff who are forgetting passwords and not being able to get in, that’s a huge headache.”

Passwords in the future

With passwords cheap to issue, and easy to change and administer, they’ll be with us for a while. Increasingly, though, they’re part of a security mix, rather than the complete solution.

“If I’m in charge of a bank vault I’d want retinal and fingerprint scans, voice recognition and so on,” Moore said, and his requirements for getting into his work computer, while less ambitious, aren’t that far removed. “I have a strong master password but I don’t type it very much because I use the thumbprint reader on my iPhone 7 or my MacBook Pro.”

By pressing a digit against the reader, he can authorise his password manager to unlock his credentials, at which point a keyboard shortcut will automatically complete the login boxes on whichever service he’s using. It means he can set randomised, impossible-to-remember passwords, which are hard to guess and never replicated.

Retinal scans and voice recognition are starting to trickle down to higher-end consumer-grade kit, but deploying it in small-to-medium-sized businesses is far from trivial. Biometrics “can often be challenging to implement, because of cost barriers, integration challenges, or user adoption,” Baitch said. “It’s becoming more prevalent, though, and while it’s not as pervasive as a fingerprint scan, there is growing momentum towards alternative biometric methods.”

“There’s often a lot of hype about the next password replacement, and the death of the password, but the reality is that a lot of these systems will take a long time to become widely pervasive,” said Newman. “Even fingerprint scanning was introduced on PCs in the 90s.” It’s taken until now for us to find a widely adopted real-world use for it.

Now, he added, “we’re starting to see standards emerge, like SAML 2.0 [Security Assertion Markup Language 2.0], which define authentication protocols. Not all apps use it, but our view at My1Login is that because passwords aren’t going to disappear any time soon we can [at least] eliminate the burden of passwords for end users as we go through this evolution towards a password-free world based on tokens.”

Baitch is encouraged by schemes like SAML 2.0. “It’s a viable alternative to the password because it passes secure authentication data between the user and a service while eliminating the element of a password. Any cloud service provider can offer single sign-on for their service with SAML 2.0 since it is an industrywide standard.”

If we’re moving towards cloud-based security, the next step could be bring your own identity (BYOI) – a trend that Newman sees gaining traction. “Organisations know their staff have a smartphone with fingerprint reading, and they’re asking whether they should delegate some of the trust to that device that they know has been authenticated.”

In such a scenario, a service such as My1Login sits in the background, monitoring connections from authenticated devices and acting as a gatekeeper. As far as the end user is concerned, their phone would be doing all the hard work, while they experience the same smooth, unified process whatever device they’re using.

Passwords will become less visible over time – certainly in business – but they’ll be with us for the foreseeable future. And they’ll be combined with supplementary tools and background services that strengthen the weak link in the security chain. By which we mean, of course, us humans.

BELOW 1Password and LastPass can generate and store passwords, removing the risky temptation to write them down
