Why Passwords Still Persist

Author: Steven J. Ross, CISA, CDPSE, AFBCI, MBCP
Date Published: 11 December 2019

Back in 2001, someone wrote, “In the near future, I am certain we are going to replace passwords. Maybe a better way to put it is that we are going to replace all those passwords with just one.” Who said that? Oh, yeah, right, it was me, in an article entitled “Why Passwords Persist.”1

Okay, I was wrong. Worse yet, I am still guilty of many of the information security sins that I described in that ancient article: using the same one too often and then writing them down. (At exactly this point, I received a message from the identity protection service to which I subscribe. It seems that someone somewhere was trying to sell one of my outdated email addresses, complete with a password. Fortunately, it was not the password associated with that account, but it was one I have used on other relatively immaterial websites. There ensued a furious session of changing passwords on every site I could recall.) Mea culpa, but I would never be able to get through a typical day if I had to remember hundreds of distinct passwords.

Societal Acceptance
And that is the underlying rationale for why passwords persist, even now. The myriad organizations that run websites and other online services want to make it easy to access their sites while at the same time providing a level of security that potential users/customers will accept. And around the world, we do accept passwords. We, or at least the more sophisticated security folks among us, know that passwords are less than foolproof, but we do nothing about them. The fault is not in our systems, but in ourselves. Passwords persist because we allow them to be the basis of the security on which we depend.

There is no demand for identification and authentication mechanisms stronger than a user ID and a password. I have never communicated with any of the services I use—and many, many other people also use—to say that I do not trust their security and ask them to issue me a token. Or a digital certificate. Or to scan and record an image of my retina.

There appears to be a societal consensus that passwords are a sufficient form of authentication. They are good enough because we have used them for a long time, because most days nothing goes wrong and because most people accept the security they provide.

The question for information security professionals is whether good enough is good enough. I reluctantly conclude that the answer is “yes.” That is not because the level of security is sufficient for most commercial transactions, although that may be the case. However, the issue is more about marketing than it is about security. Those of us who do not believe that passwords offer adequate authentication have not pressed the owners of the systems we use enough to convince them to adopt alternatives.

A Little Experiment
So I performed a little experiment. I tried to call a few of the services I use the most often and ask for enhanced security. Alas, for many services I could not even figure out who to call to complain about their use of passwords for security. Finally, I remembered that I could call customer service at the company that supplies the security software on my personal computer. I was told, “Sorry, user ID and password is all that can be offered.” This was my security company.

I was asked if there had been a problem with my password. Since there had not been, they seemed a little puzzled as to why I was calling them at all. And, in a sense, they were right to be confused. Passwords work very well as a security mechanism. Except when they do not. Except when somebody intercepts them, or guesses them, or just looks over my shoulder as I enter one of them. But I can always change my password if it is taken, so what is the problem?

The problem is that I have no way of knowing that the secrecy of my password has been breached. Maybe whoever took it has not used it…yet. Maybe it was the password to an inconsequential site and all the thief was able to do was read the newspaper to which I subscribe. The problem with a mechanism that relies on secrecy is that a failure of that secrecy is a secret, too.

Better Passwords?
In recent years, organizations that have become more aware of the need for improved security have pressed users to strengthen their passwords. They must be 8 or more characters, include a capital letter, a number and a special character and cannot spell a word known in any language. None of which remedies the underlying shortcomings of passwords to protect me and the information to which I have access. Harder passwords might deter guessing and shoulder-surfing, but do nothing at all against those who are able to undermine the security of my communications and who can then steal any and all of my passwords. As cyberattackers become more adept, long, convoluted passwords will be rendered useless; users will not remember them, but attackers can steal them all the same.
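As an added illustration that is not part of the column, here is how the complexity policy described above can be encoded as a check that reports every rule a candidate fails, which is what a help desk or enrollment page needs in order to explain a rejection. The wordlist is a small constructed stand-in for "a word known in any language", and the no-dictionary-word rule is interpreted here as any case-insensitive substring of four or more characters that appears in that list; as the column argues, a password that passes this check is no harder to steal than one that does not.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for a dictionary of "words known in any language".
# A real deployment would load a large multilingual wordlist instead.
KNOWN_WORDS = {"password", "summer", "welcome", "dragon", "secret", "letmein"}

MIN_LENGTH = 8
MIN_WORD_LEN = 4  # shortest substring that counts as "spelling a word"


@dataclass
class PolicyResult:
    compliant: bool
    failed_rules: List[str] = field(default_factory=list)


def spells_known_word(password: str) -> Optional[str]:
    """Return the first dictionary word spelled inside the password, if any."""
    lowered = password.lower()
    for length in range(MIN_WORD_LEN, len(lowered) + 1):
        for start in range(len(lowered) - length + 1):
            chunk = lowered[start:start + length]
            if chunk in KNOWN_WORDS:
                return chunk
    return None


def check_policy(password: str) -> PolicyResult:
    """Apply the five rules from the column and list each one that fails."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failed.append("no capital letter")
    if not re.search(r"[0-9]", password):
        failed.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failed.append("no special character")
    word = spells_known_word(password)
    if word is not None:
        failed.append(f"spells the known word '{word}'")
    # Note: compliance says nothing about whether the secret has leaked.
    return PolicyResult(compliant=not failed, failed_rules=failed)


if __name__ == "__main__":
    for candidate in ("summer", "Password1!", "Tr0ub4dor&3"):
        print(candidate, check_policy(candidate))
```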

When I wrote in 2001 that we would be rid of passwords in the future, I believe I had in mind that that future would have arrived by now. But maybe the day will come tomorrow and I will be proved right. (Oh, heck, no it will not.) There are some uses of information that, in many organizations, require passwords plus. These call for at least 2 means of authentication or 2-factor authentication (2FA). Remote access, high-value transactions, access to system internals and any particularly vulnerable use of information resources justify 2FA in many organizations. This is implicit acceptance that passwords alone are not good enough.

I do not expect that ISACA’s 75th anniversary will be the occasion for another retrospective assessment of something I am writing today. But I do have a strong hunch that if anyone wants to read new articles on whatever will replace the Internet by then, he or she will need to enter a password to see it.

Steven J. Ross, CISA, AFBCI, CISSP, MBCP, is executive principal of Risk Masters International LLC. Ross has been writing one of the ISACA Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.