The not-so-funny thing about passwords

There is a well-known problem with the traditional password. It is no longer an emerging problem: it is entrenched in every organization, home office, and remote site. The dilemma is the proliferation of systems and accounts, coupled with the obvious need to give our users access to all of them.

A good illustration of the problem comes from two disparate fronts that share a common Achilles heel. The most popular attack vector today is hunting and gathering: harvest credentials wherever they are weakly protected, then try them everywhere else. Our users carry a growing collection of passwords for everything from personal and professional e-mail to social networking accounts, banking sites, and corporate network access. Memories are short, people forget the password to a program they use once a month, and the typical and understandable response is to use the same password for everything. The problem should now be clear: if one key unlocks my house, all my vehicles, the office, the bank, and my social venues, a single compromise of that one key grants access to my entire world.

If people built it, it has vulnerabilities. They may not be apparent today, but rest assured, they will be discovered tomorrow, and you should plan for them to be exploited. In my opinion the solution, or the business driver for it, should come from two fronts. First, end users should demand that their identities be rigorously protected from the constant threat that lurks in wait. Second, the system providers: those of us who offer critical and sensitive access should consider the implications of failure. The lost information might be our own, and the loss might spell the demise of our company and damage our collective identities, finances, revenue streams, and reputations.

I have witnessed, or read, "Security Experts" recommending that employers address the problem with a user policy requiring employees to use a different password for each work-related account, at the currently supported password complexity. While I agree that complex passwords are necessary and that different passwords for different systems are advisable, policy alone will never be a desired, accepted, or acceptable solution to the "not-so-funny thing about passwords" problem.

Passwords are antiquated and increasingly susceptible to compromise. It is simple, complacent human nature that increases the risk, and technical controls, not policy, are what mitigate it, including the risk induced by human nature. My current leading choice is to replace the humble password as the sole credential with an out-of-band authentication mechanism. This approach uses two separate channels, which are far harder to intercept together than either alone; it supplies one-time passwords that humans do not need to create or remember; and it integrates into virtually all of our existing applications and systems. The first channel is the password you already use; the second leverages the ubiquitous mobile device, the corporate VoIP system, or even Grandmother's landline, any of which can carry the one-time code that makes the scenario work. One caveat a practitioner should keep in mind: a code delivered by SMS or voice call can be diverted by SIM swapping or call forwarding, so the second channel strengthens the password rather than replacing it, and the code must be short-lived, single-use, and rate-limited.
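As an added example (not code from the original post), here is a minimal version of the two-channel flow described above: a salted password check on the first channel, then a short-lived, single-use, attempt-limited code pushed over the second. The `Outbox` gateway, the user record layout, and the 6-digit / 120-second / 3-attempt parameters are assumptions for illustration; a real deployment would call an SMS or voice provider in place of `Outbox`.

```python
"""Password plus out-of-band one-time code: the two-channel login described above.

Added example; the delivery gateway and user store are stand-ins (assumptions).
"""
import hashlib
import hmac
import os
import secrets
import time

OTP_DIGITS = 6            # assumed code length
OTP_TTL_SECONDS = 120     # assumed lifetime of a pushed code
OTP_MAX_ATTEMPTS = 3      # assumed guesses allowed per pushed code


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class Outbox:
    """Stand-in for the SMS/voice gateway: records what would have been sent."""

    def __init__(self):
        self.messages = []

    def __call__(self, phone, message):
        self.messages.append((phone, message))

    def last_code(self):
        return self.messages[-1][1].split()[-1]


class OutOfBandAuthenticator:
    """Channel 1: password over the web session. Channel 2: one-time code over the phone."""

    def __init__(self, users, deliver, clock=time.time):
        self.users = users        # username -> {"salt", "digest", "phone"}
        self.deliver = deliver    # callable(phone, message)
        self.clock = clock        # injectable so expiry can be tested
        self.pending = {}         # username -> {"code", "expires", "attempts"}

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["digest"])

    def start_login(self, username, password):
        """First channel. On success, push a fresh code over the second channel."""
        if not self.check_password(username, password):
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = {"code": code,
                                  "expires": self.clock() + OTP_TTL_SECONDS,
                                  "attempts": 0}
        # SMS/voice can be diverted (SIM swap, call forwarding): this is a second
        # factor on top of the password, never a substitute for it.
        self.deliver(self.users[username]["phone"], f"Your login code is {code}")
        return True

    def finish_login(self, username, code):
        """Second channel: the code the user read back from the phone."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[username]              # expired: force a new push
            return False
        entry["attempts"] += 1
        if entry["attempts"] > OTP_MAX_ATTEMPTS:
            del self.pending[username]              # too many guesses: force a new push
            return False
        if not hmac.compare_digest(entry["code"], code):
            return False                            # wrong code; attempt is counted
        del self.pending[username]                  # single use
        return True


if __name__ == "__main__":
    # Constructed demo user, not real data.
    salt, digest = hash_password("correct horse battery staple")
    outbox = Outbox()
    auth = OutOfBandAuthenticator(
        {"alice": {"salt": salt, "digest": digest, "phone": "+1-555-0100"}}, outbox)
    auth.start_login("alice", "correct horse battery staple")
    print("pushed:", outbox.messages[-1])
    print("login ok:", auth.finish_login("alice", outbox.last_code()))
```

The three guards in `finish_login` are the part worth copying: the code dies after its TTL, after a bounded number of guesses, and after one successful use, so an attacker who diverts a single message has a narrow window and no ability to brute-force a six-digit value. The password check still runs first, so the pushed code never becomes the only thing standing between the attacker and the account.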

I’ve reduced my technology operational expenses, increased system availability, and significantly reduced human error and risk, all while providing a modern, elegant, and intelligent approach to access. In my experience, this has been a win-win scenario rarely seen where humans interface with computing machines.