In my opinion, one of the most loathed activities in the annals of computing history is the use of passwords – a string of characters meant to be used exclusively to access a device, software or even facility. These days with hackers trolling the internet, the suggested best practice is to have a unique password for each device, application or facility, and ideally to change it frequently.
In the words of Shrek: “like that’s ever gonna happen!”
In his book, Perfect Passwords: Selection, Protection, Authentication, author Mark Burnett observed that "most users choose overly simplistic passwords (like 'password') that anyone could guess, while system administrators demand impossible to remember passwords littered with obscure characters and random numerals."
It was this book that purportedly inspired Intel to declare the first Thursday of May 2013 to be World Password Day to encourage good password practices.
A better way to secure access?
It's been 61 years since the first password was introduced to access a computer system, and truth be told attempts have been made to find an alternative to the password.
Simon Piff, vice president, Trust, Security & Blockchain Research at IDC Asia/Pacific says passwords are a legacy process. He also acknowledges that passwords are easy to manage and use, provided these are managed and used (and remembered) correctly.
While Piff concedes the efforts by industries to introduce "passwordless" access using methods such as biometrics to authenticate users, their popularity among enterprises remains limited.
"Only 29% of large enterprises in Asia-Pacific use Identity and Management tools, and only 27% are using any form of advance authentication."
SImon Piff
For his part, Adrian Covich, senior director of systems engineering at Proofpoint Asia-Pacific and Japan suggests consumers use different passwords, especially on critical financial and data-driven accounts. Be sure to turn on multi-factor authentication (MFA) if it is available for as many accounts as possible.
"The basic concept is to use two forms of ‘evidence’ that validate an identity before access is granted, increasing account protection. This approach frustrates the automated systems threat actors use to guess passwords or when plugging in stolen passwords," he explains.
According to Chris Hutton, global chief solutions engineer at Callsign, one of the issues of physical biometrics is that once compromised, they cannot be changed, unlike conventional passwords. He suggests the use of behavioural biometrics.
"Without adding friction to a password entry, you can get an identity score of how that user entered the password. Using muscle memory based on a credential that can change is the best of both worlds," he posits.
In more recent years, blockchain technology has been suggested as another approach to authentication. However, Boris Cipot, a security engineer at Synopsys Software Integrity Group, has yet to be convinced.
"This is still something that has to prove itself as it’s still in the early phases. Theoretically, as a technology, this presents a highly secure option and could be implemented by everyone," he opines.
Clement Lee, a security solutions architect for APAC at Check Point Software Technologies concurs adding blockchain authentication solves some of the challenges, primarily in integrity and trust coherence. "However, the key premise of an authentication process is still the same. It’s what you KNOW, HAVE and ARE," he adds.
Callsign's Hutton concurs adding that blockchain has the potential to build identification networks that are based on authentication that allows users to port, transfer and own their own identity. "Blockchain is only as good as the mechanism to protect the private key used to sign the ledger," he warns.
Piff, for his part, acknowledges that the blockchain, or distributed ledger technology, is a great way to store log files as infiltrators are unable to mask or hide their activities. Beyond a permanent record, however, it is not necessarily useful as a password management tool.
A unified approach to user security
Asked whether we will have a unified approach to user security, Check Point's Lee cites the federated identity scheme as a distant possibility.
"This is where everyone will trust the data that is not necessarily within their control. Where one government or private entity will submit all trust of the provided information from another government or private entity. This could get politically sensitive.
"The concept has been raised for the longest time but to date, there has been no one universal federated identity system. Rather, it is just a time-limited implicit trust, which gets formed and demolished easily."
Clement Lee
"Where anonymity is still something treasured by the human “trust” (or the lack thereof), a “true” federated identity for all mankind may never come to fruition," he concludes.
IDC's Piff says currently there simply is no universal process that the industry and governments agree to. "There have been discussions about using a blockchain-enabled process to host personal data that can be shared with authorised entities, but that is not the same as a central password management system. In many ways, the process of the Singapore government's use of SingPass is one of the better implementations I have seen, but it's national only – I can't see it scaling much due to the nature of politics," he opines.
Hutton posits the separation of authentication and encryption is not a bad thing. " As a user, I don’t want to authenticate the same way when I post GIFs to my friends that I would do, to transfer money from my bank.
"In encryption, each algorithm has its benefits and drawbacks for different uses. I want the right method of authentication to be selected for the right use case based on the risk of brute force/interception, the time it takes to encrypt, the time it takes to unscramble," he concludes.
Elements for architecting a security access strategy
Proofpoint's Covich says since 90% of cyber attacks require human interaction to be successful, it is important for businesses to implement a people-centric approach to security. "Ensure that both your remote and in-office employees receive training and education on basic cybersecurity best practices, including how to identify a credential phishing attempt and how to securely manage passwords," he adds.
"Passwords are one of the first critical barriers between a person, a threat actor and a successful cyberattack. One of the most common mistakes that people make is reusing the same ID/email address and password across multiple sites and devices."
Adrian Covich
"Password reuse is exacerbated by the increasing volume and success rates threat actors are reaping with advanced credential phishing campaigns that use fake websites resembling the login page of a legitimate online service to steal usernames and passwords.
"For business passwords, we recommend every three months and put an automated system policy in place that places a deadline on refreshing passwords. That policy can determine password requirements and prevent recent passwords from being used," explains Covich.
Piff observes that security is no longer static, it is incredibly dynamic. "As such a strategy needs to have built into it the ability to be agile and change with demand. Passwords too need to be dynamic, if not backed up with some form of multi-factor authentication, then potentially worthless," he continues.
