The beginning of the authentication ice age
Hard tokens and the difficult choice for retail banks
This week I was invited to sign the new online Petition Against Passwords which I was delighted to do and I urge you all to do the same.
We at Winfrasoft have been banging the drum to make this dinosaur of the security world extinct for several years now, and it seems that real momentum is at last being gained. However, there is a long way to go before we can condemn passwords to an authentication ice age.
Visit Google and it will give advice on passwords that says: “Passwords are the first line of defence against cyber criminals. It's crucial to pick strong passwords that are different for each of your important accounts and it is good practice to update your passwords regularly. Follow these tips to create strong passwords and keep them secure.”
This advice is as recycled as many of my passwords! Also, to be honest, how many of us (even those of us in the IT security industry who should know better) adhere to this process rigidly? Today we need passwords for so many online services that we either reuse the same one, which means a breach at any one site exposes every account that shares it, or we simply forget and waste valuable time getting it reset time and time again.
Crucially, a password is a static secret that is disclosed in full every time it is used: each time we type it we are handing it to the device and the site, where it can be captured by malware, phished, or leaked from a breached database and then replayed by whoever obtains it.
In fact, when John Shepherd Barron, the chief inventor at De La Rue, invented the first ATM in the 1960s, he proposed a six-digit PIN, but his wife suggested four as it was easier to remember. Imagine if he had proposed a combination of eight case-sensitive alphanumeric characters! The thing is, as humans we are programmed to memorise patterns far more easily than a sequence of letters and numbers.
Of course, some sites will invite you to remain logged in, but that defeats the purpose of the password in the first place: a persistent session is a credential that anyone holding the device can use without knowing the password at all. Also, these days we are likely to be accessing the site from multiple devices (tablet, laptop, desktop PC, smartphone), so being logged in on all of them all the time means a single lost or stolen device hands over an open session, increasing the risk of identity theft and fraud.
The burden of forgotten passwords is not only an inconvenience for the user; it is also a cost for the organisations that rely on them. A financial services house in South Africa recently calculated the cost of the calls its IT helpdesk was receiving to handle password resets. Of the 3,000 calls it handled each month, 40 per cent were related to passwords, and at an average cost of £23 per reset that came to £27,600 per month and £331,200 annually.
Those in favour of password protection (although it must be said these people are becoming as rare as the Tyrannosaurus, and they often have a vested interest) argue that there is no viable alternative, but this is simply not the case.
If these people had wandered around the aisles, or visited the seminar theatres at Infosecurity Europe several months ago, they would have seen and heard from vendors about a plethora of solutions, such as pattern-based authentication, that are more secure, easier to use and far cheaper to administer in the multi-device, multi-platform, multi-service environment in which we work, shop and play.
The password is one of many authentication dinosaurs that we need to confine to the history books, along with key ring generators, calculator tokens and card readers, all of which continue to roam the wild.
Steven Hope is CEO of Winfrasoft