I very much like the idea of needing to remember just one secret that I can use to log on to all of my online services, so the concept of a password manager is in many ways very appealing. However, this week I was not at all surprised to read that a UC Berkeley report has found that five popular password managers contained critical vulnerabilities.
My problem with this type of solution is that every single one I have investigated to date uses a password at the front end! Yes, it is true that this approach means you only need to remember one password, so one major bugbear of password usage has been nullified. But if someone cracks that master password, they now have access to all your accounts, meaning halcyon days for the identity thieves and fraudsters out there.
Meanwhile, it seems that not a day goes by without the revelation of a new biometric innovation heralded as the next big thing in authentication. We have had fingerprints, palm vein, voice and facial recognition, and now, in a story published online by Time, it seems we can all be identified by our heart rhythm using an ECG-authenticating wristband. Authentication in a heartbeat, if you will!
However, in an article published by the Washington Post entitled ‘We know the password system is broken. So what’s next?’, Hayley Tsukayama takes a closer look at the viability of using some of the mainstream biometrics as an alternative to passwords. Having experienced biometrics first-hand (I once lived in South Africa in a gated community), I am very dubious about their effectiveness. When I first moved in we were issued with a card to gain access, but these were soon replaced by fingerprint readers, and they often failed. As a result, the security guard on duty would check whether he recognised me and would then use his own fingerprint to open the gate. My point is: if a biometric fails, what do you do? Biometrics will therefore only ever be as strong as the back-up you have in place.
Meanwhile, amongst the masses of news stories bemoaning passwords, an article published on DARKReading by Corey Nachreiner stands out like a sore thumb, as he bravely puts a case for the defence of passwords. He argues that if you adhere to best practice you are likely to be OK. He may have a point, but the problem with this approach is that it means creating a different, complex password for each of the online resources that you use, and that brings us back to the reason password managers have grown in popularity!
A password manager that doesn’t rely on a password would be an immense step in the right direction in marrying convenience with security.
Author: Alissa Lang, Winfrasoft