Saturday Soapbox

Cryptogram is a monthly newsletter produced by security guru Bruce Schneier. I have a lot of respect for Bruce’s writings, and he’s been an influence on my own security views. Anyway, this isn’t supposed to be a testimonial to the work of another person, so I shall get to the point: in the latest edition of Cryptogram, there is an interesting quote: “the reality that passwords have outlived their usefulness as a serious security device.”

I couldn’t agree more, but this is not a new message. At last year’s security summit in London, for instance, Ant Allen of Gartner stated that “passwords are no longer adequate, as threats against them increase.” But so much for the propaganda: are passwords really obsolete and, if so, what are we to do about it? It’s all very well these pundits telling us what’s wrong, but they are not exactly forthcoming with a solution!

Neither are many supposedly highly secure web sites. My bank, for instance, requires me to authenticate using a username, a password, and a “secret” answer to a question such as “mother’s first name”. Other solutions include drop-down lists, random letters, random questions, pictures, membership numbers, enforcing long and complex passwords… it’s a mess! Every one of these solutions is immediately defeated if the user’s computer contains spyware or a keylogger, or if the user is sitting on a public wireless access point having his traffic sniffed off the network: whatever the user types or selects is still a static secret that can be captured and replayed.

Occasionally we hear a story of some business or other enforcing two-factor authentication on their customers. See this blog entry for a reminder about what I think of that. And even if 2FA is a good solution for your web product, can you imagine if every web site enforced it? We’d be carrying around a case full of tokens for all the web sites we need to access, trying in vain to remember which one is for which product.

The question I have is: can we ever really be 100% sure that user A really is user A and isn’t a 53-year-old man pretending to be a 23-year-old woman? Maybe biometrics is the answer? Now then, I know certain of my colleagues will point to incidents such as this, where a man had his finger cut off by car thieves so that they could gain access to his biometrically protected car, and if fingerprint entry is enforced then doubtless some enterprising hacker (no pun intended!) will find a way around it. I think a much bigger issue would be the question of businesses being entrusted to store such highly personal information.

Maybe some form of smartcard-based authentication coupled with single sign-on would solve the problem. But again, which authority do we entrust with all of that information?

I think we need to think of something beyond our perception of present-day processing, and it will be some time until we get there. So, for now, the best that we can do is to protect customer data from the inside out: that involves setting up processes to detect fraudulent account use, making sure that we have adequate audit trails, and above all, only storing and using the data that we really need in order to perform business.
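As an added illustration of the “inside out” approach (example code written for this page, not anything from the original post or from Gartner), here is a small audit-trail analyser. It assumes a constructed login log with one record per line (timestamp, user, outcome, source address; that format, the field names and the thresholds are all assumptions for the example) and flags two patterns that follow directly from the keylogger and sniffing scenario above: a successful login that immediately follows a burst of failures for the same account, and two successful logins for one account from different source addresses within a short window, which is what a captured-and-replayed credential tends to look like. The analyser needs only those four fields, which is in keeping with storing just the data the business actually requires.

```python
"""
Added example (not from the original post): a minimal audit-trail analyser
that flags two patterns of suspicious account use in login records. The log
format, field names and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: "ISO-timestamp user result source_ip".
# Addresses are from documentation ranges; the events are invented.
SAMPLE_LOG = """\
2006-03-04T09:00:01 alice FAIL 203.0.113.10
2006-03-04T09:00:04 alice FAIL 203.0.113.10
2006-03-04T09:00:07 alice FAIL 203.0.113.10
2006-03-04T09:00:09 alice FAIL 203.0.113.10
2006-03-04T09:00:12 alice FAIL 203.0.113.10
2006-03-04T09:00:15 alice OK 203.0.113.10
2006-03-04T09:30:00 bob OK 198.51.100.7
2006-03-04T09:32:00 bob OK 192.0.2.44
2006-03-04T10:00:00 carol OK 198.51.100.9
2006-03-04T14:00:00 carol OK 203.0.113.77
"""

FAIL_THRESHOLD = 5                    # failures before a success that look like guessing
FAIL_WINDOW = timedelta(minutes=10)   # how far back failures count towards the threshold
IP_CHANGE_WINDOW = timedelta(minutes=15)  # two OKs from different addresses inside this = suspicious


def parse_log(text):
    """Parse the log text into (timestamp, user, result, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return sorted(events)


def find_brute_force_then_success(events):
    """Flag a successful login preceded by >= FAIL_THRESHOLD failures within FAIL_WINDOW."""
    recent_fails = defaultdict(list)
    alerts = []
    for ts, user, result, ip in events:
        # Drop failures that have aged out of the window before judging this event.
        fails = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
        recent_fails[user] = fails
        if result == "FAIL":
            recent_fails[user].append(ts)
        elif result == "OK" and len(fails) >= FAIL_THRESHOLD:
            alerts.append((user, ts, len(fails), ip))
            recent_fails[user] = []   # reset so one burst produces one alert
    return alerts


def find_rapid_ip_change(events):
    """Flag two successful logins by one user from different IPs within IP_CHANGE_WINDOW."""
    last_ok = {}
    alerts = []
    for ts, user, result, ip in events:
        if result != "OK":
            continue
        prev = last_ok.get(user)
        if prev and prev[1] != ip and ts - prev[0] <= IP_CHANGE_WINDOW:
            alerts.append((user, prev[1], ip, ts))
        last_ok[user] = (ts, ip)
    return alerts


def analyse(text):
    """Run both detectors over a log and return the alerts keyed by pattern name."""
    events = parse_log(text)
    return {
        "brute_force": find_brute_force_then_success(events),
        "ip_change": find_rapid_ip_change(events),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the sample data the first detector fires once for alice (five failures, then a success, all from one address) and the second fires once for bob (two successes two minutes apart from different addresses); carol’s two logins are four hours apart and are left alone. The thresholds are deliberately coarse; in practice they are tuned against the real audit trail, and the point is that neither check needs any personal data beyond what the login process already records.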

We are stuck with passwords for the foreseeable future, and while Gartner’s researchers can harp on all they like about them being obsolete, as long as I still need a username and password to access Gartner’s own data it’s going to be a while until we see any significant changes!