Why You Can’t Kill Off Passwords

Many authentication technology pundits like to post articles about killing passwords. They bloviate on how passwords need to be replaced by a different factor of authentication and why other factors of authentication are more secure than passwords. To this, I say, “Bull!”

Authentication factors don’t govern security; it’s the authentication infrastructure that determines security. If the infrastructure is flawed, you can’t trust the authentication. If credentials have no anti-cloning, forgery occurs. If fingerprint biometrics can’t distinguish a live from a fake finger, false verification occurs. If password management is insecure, the virtual front door is unlocked.

Most credential and biometric authentication developers understand the importance of securely managing the infrastructure. But for whatever reason, the computer industry has ignored the importance of securing the password infrastructure. One of the main goals of these articles is to reveal exactly how to make passwords secure.

When security pundits suggest that you secure passwords by:

  • Issuing new policies and compliance rules
  • Creating a longer password
  • Making passwords more complex
  • Frequently changing passwords

You need to realize these suggestions have nothing to do with infrastructure security. You strengthen password infrastructure by implementing:

  • Encryption, hashing and hash-salting algorithms
  • Multifactor authentication
  • Pre-site verification before password injection
  • Forbidding employee-managed passwords
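What the first item on that list buys you, as an added example (not code from the original post): two users who chose the same password get identical digests under a bare, unsalted hash, but distinct records under a salted, iterated scheme, and a verifier that recomputes from the stored salt and compares in constant time. It uses only the Python standard library; the `algo$rounds$salt$digest` record format and the round count are this example's own assumptions.

```python
# Added example (not the original post's code): salted, iterated hashing vs a bare hash.
# Same password for two users: identical unsalted digests, distinct salted records.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: tune to your hardware; more rounds = slower cracking

def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt (precomputed tables apply)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt=None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record."""
    if salt is None:
        salt = os.urandom(16)  # random per-password salt, stored with the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: fail closed

def demo() -> dict:
    """Constructed sample: two users who happened to choose the same password."""
    alice = bob = "Correct-Horse-42"
    weak_a, weak_b = unsalted_sha256(alice), unsalted_sha256(bob)
    strong_a, strong_b = hash_password(alice), hash_password(bob)
    return {
        "unsalted_identical": weak_a == weak_b,    # True: reveals shared passwords
        "salted_identical": strong_a == strong_b,  # False: each record is unique
        "verify_ok": verify_password(alice, strong_a),
        "verify_wrong": verify_password("Correct-Horse-43", strong_a),
    }
```

Because the round count is embedded in each record, old records keep verifying when you raise `ITERATIONS` later and can be re-hashed on the user's next successful login.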

The endless computer breaches and password database thefts have caused some security pundits to rail against passwords. Michael Daniel, former U.S. Cybersecurity Coordinator (Cyber Czar), once said,

“One of my key goals in my job that I would really love to be able to do is to kill the password, dead.”

What would replace passwords? Certificates? Biometrics? Smartphones? Or something else? Each of these “replacements” also has flaws that hackers exploit.

One authentication technology (note that I did not say “factor”) that models a secure infrastructure is “digital certificates.” A digital certificate infrastructure combines cryptographic functions (symmetric ciphers, asymmetric ciphers and hashing) with technology and services (registration and certificate authorities, encryption acceleration hardware, key issuance/management software, hardware security modules and MFA). This infrastructure generates an electronic “passport.” This passport allows individuals, computers and organizations to trust each other over the networks and exchange information securely.

Certificate authentication, which can be very expensive and is frequently not necessary for every business environment, offers high levels of assurances that the identity of a person or device is who or what they say they are. However, there are many cases when sloppy identity authentication, poorly managed keys and the subpoenas of private keys make certificate-based systems just as weak and vulnerable as poorly managed password systems. Because of the overall complexity of certificate-based systems and the false sense of security some IT managers place in digital certificates, they can make a network more vulnerable to an attack than many security experts are willing to acknowledge.

When cracking passwords becomes as difficult as cracking cipher keys, then passwords will be secure. ~Dovell Bonnett

Biometrics also has high costs and implementation considerations. You can’t replace your eye, re-design your fingerprints, and unless you like pain, facial changes are virtually impossible. A compromised biometric is a biometric compromised for life. The sensitivity settings often create False Positive and False Negative verifications. Whether it’s with a gummy bear or a 3D mask, hackers have bypassed every commercially available biometric system. To mitigate these shortcomings, manufacturers add new technologies and sensors to their readers. These security improvements often come at a higher cost.

Selling smartphones with Short Message Service (SMS) codes is an attempt to pass them off to businesses as multifactor authentication. It is not. At best, it is double-single factor authentication, or as they describe it now: “two-step verification.”

Tune in next week to learn how to make passwords just as secure as certificates!

Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion led him to create innovative solutions that protect businesses from cyberattacks, free individual computer users from cumbersome security policies and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premier product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).
