“Passwords are starting to fail us when used everywhere at internet scale,” said PayPal’s Chief Information Security Officer Michael Barrett at this week’s Interop expo in Las Vegas, showing off a tombstone marked with the words, “Passwords 1961 – 2013.”
“Passwords are running out of steam as an authentication solution. They’re starting to impede the development of the internet itself,” says Barrett, as reported in CIO magazine. “It’s pretty clear that we can’t fix it with a proprietary approach.”
Mr Barrett pointed out how passwords published online after data breaches in recent years showed that insecure passwords such as “12345” and “password” remain among the most commonly used, despite attempts to educate users.
“Users will pick poor passwords – and then they’ll reuse them everywhere,” says Barrett. “That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet.”
Barrett is President of the Fast Identity Online (FIDO) Alliance, which aims to replace passwords with a secure, industry-supported protocol which is also easy to use. FIDO is investigating technologies such as fingerprint scanners, voice and facial recognition, as well as existing solutions such as Near Field Communication (NFC) and one-time passwords.
Professional services firm Deloitte said this year that even passwords considered “strong” by IT departments are now vulnerable.
In Deloitte’s Technology, Media and Telecommunications Predictions 2013, the firm predicts that 90% of user generated passwords will be vulnerable to hacking this year.
ESET Senior Research Fellow David Harley says, “Static passwords are problematic – even a good password is next to useless if the provider doesn’t take good care of credentials data and allows unlimited retries. The trouble is, that password authentication on the Internet is cheaper and easier to implement than most of the alternatives.”
Harley’s post, “Passwords and PINS: the worst choices“, outlines some typical traps users fall into.
Products such as ESET Secure Authentication can help businesses add another layer of security.
Author Rob Waugh, We Live Security