This past week, John Proctor, a Microsoft cybersecurity expert and the Vice President of Global Cyber Security (GCI), announced that computer passwords are dead.
As he reasons in his blog post, the issue lies with Identity and Access Management (IAM). Proctor observes that most companies today focus the bulk of their attention on setting the controls that authorize user access, which can be implemented based upon a user’s group, role, or another attribute. Yet, these same companies have failed to institute strong authentication processes. Indeed, many of today’s organizations consider only a username and password as part of their identity management strategy. Proctor views this as a crucial mistake given the nature of the modern information technology landscape.
It is not hard to find evidence in support of Proctor’s claim that the computer password is dead. One need only look to the scores of recent high-profile data breaches, many of which have involved compromised passwords. Earlier this month, URL-shortener Bitly discovered it had been the victim of a breach; as a result, it required users not only to change their passwords but also to reset their Facebook and Twitter connections. Later in the month, eBay revealed that millions of its users’ personal information, including encrypted passwords, birth dates, and physical addresses, had been compromised. Most recently, music-streaming software Spotify made its 40 million users re-enter their passwords and update their software following a cyber attack against a single Spotify user.
These and other compromises are largely the result of the way users manage their various email, social media, and other digital accounts. People either link their accounts together via the use of a common username (usually a single email account) or activate connections that explicitly link one account, such as Bitly, to others, such as Facebook and Twitter. This is dangerous in a world where information is abundant. As Mat Honan of WIRED Magazine points out, one could easily bypass even the strongest password protecting an email account by looking up the target user’s city and using that information to answer a security question. Once the hacker has acquired access to the email account, they can then, through a number of strategic password resets, gain access to the user’s bank, PayPal, and social media accounts.
The above assumes that users have strong, unique passwords for all their different accounts. Hackers could easily guess passwords such as “P455w0rd” or “123456”, especially if these are reused and have a small number of characters. However, even long passwords are not safe: the password cracker oclHashcat-plus, for instance, can compromise passwords with as many as 55 characters.
Given the vulnerabilities of passwords presented above, Proctor recommends in his post that companies institute processes that require not one- but three-variable authentication, which could involve users needing to present a smart card, a PIN, and their unique biometrics to gain access to a system. These methods are by no means easy to crack. However, they are strong substitutes that could, to a certain degree, help prevent company information from being stolen.
Even so, though the password is dead, the implementation of corrective controls would not apply to outsiders. Passwords are still the go-to means for external users to access their accounts online. As a result, it is only reasonable to expect that more breaches are on the way.