28 April 2015

Making Passwords Easy to Digest

I am all for making security easy to digest but actually eating passwords is taking thing a step too far in my book.We have all seen the movies where someone eats a piece of paper containing the evidence, but does anyone seriously think this could be the future of authentication? It seems there are people that do!

Security professionals are familiar with the ‘traditional’ authentication factors such as...
  • Something you have – A key-ring token for example
  • Something you know – The username and password combination
  • Something you are – The biometric in all its forms
However, last week some new factors were proposed…
  • Something you have eaten
  • Something you have implanted
  • Something you have injected
These concepts have been mooted in the past as a flight of fantasy, but now PayPals’ Global Head of Developer Evangelism, Jonathan Leblanc has suggested to the Wall Street Journal that ‘natural body identification’ in the form of edible, injectable and implanted devices, could well be the shape of things to come, with current biometric techniques a stepping stone. For those of you old enough to get the reference, it is all starting to sound a little ‘Logan’s Run’ to me!

Whilst I appreciate that our industry need visionaries to help break the stranglehold passwords have on our lives, it is also important that we don’t get carried away. Passwords have been used for hundreds of years in one form or another and whilst people are tired of them, I believe this type of talk is not at all helpful in moving the conversation forward.

Yes, this type of story does grab the headlines but the truth is why would anyone want to use these proposed forms of identification? Especially when there are methods available today that are proven to be practical, affordable and far less invasive. Also, whilst an ingested tablet may be able to identity you that isn’t the same as authenticating you, and in most scenarios we find ourselves in today, it isn’t just about proving that we are who we say we are, but also, that we have the permissions to do what we want to do. 
So, I hope this in years to come it will be those who suggest such crazy ideas that are eating their words and not consuming passwords!

Author: Alissa Lang, Winfrasoft

22 April 2015

Sharing Passwords on National Television

A few days ago I wrote about a recent survey which found employees would be willing to sell their passwords. However, it now seems to be about giving them away for free, by broadcasting them to the nation, in what turned out to be perhaps one of the most ironic television interviews of the year.

You may recall that the French broadcaster TV5Monde was the subject of a major hack, thought to be orchestrated by Islamic State supporters, which caused the station to stop broadcasting for over three hours. But, in what turned out to be an embarrassing interview with a reporter to discuss the incident, a representative from the station could be seen standing in-front of a wall plastered with notes revealing the passwords to accounts such as the station’s Instagram, Twitter and YouTube channels.

Of course, accidentally broadcasting passwords is very different from an employee selling them, but the fact that they were placed on the wall in the first place highlights the theme that employees do not see significance of sharing and disclosing passwords, even when an organisation is in the midst of recovering from a severe cyber-attack. Secondly, the only reason that the passwords would have posted on the wall in the first place was clearly for convenience and ease-of-use, as it means no-one needs to remember them.

The problem with passwords (well one of them) is the fact the for most people they are perceived to be a barrier that is in the way of them getting to where they want to go, and not an intrinsic and important security measure. So, it is inevitable that employees will look to find ways to make the barrier smaller, whether it is posting on the wall, displaying them on a post-it stuck to the monitor, or making them as easy to remember as possible.

So, to counteract this behaviour you need to educate employees as to the importance of security, whether it is accessing the corporate network or the Twitter account. After all in the eyes of the media a data breach is a data breach. Realistically, a hacker is unlikely to do much damage by gaining access to a social network account, but the fallout and reputational impact can be immense and hard to recover from.

Furthermore, you need to look at the password as a tool and ask, if people find them difficult to remember and how can we make it easier? Or, could we do without them altogether? Yes, this contradicts many calls to make passwords stronger and more complex, but that has been said for many years now and it isn’t working.

The time has come for a new approach that makes it easy for employees to play their part in keeping the organisation secure by removing the burden of remembering a password. For more information check out PINgrid.

Author: Alissa Lang, Winfrasoft

17 April 2015

Would your employees sell their company passwords?

We have too many passwords, it is tough to remember all of them, they are not as secure as we would hope (regardless of how ‘strong’ they are) and it costs IT helpdesks a small fortune to handle the constant stream of reset requests. These are all familiar pain-points of the password, but if a new survey is to be believed it would seem that organisations need to watch their back, as one in seven employees are willing to sell their passwords for as little as $150.

This was the finding of a global survey conducted by the identity management company SailPoint earlier this year. This says two things to me, the first is that organisations need to better educate their employees as to the ramifications of a security breech, as I am sure many people are naïve to what a determined criminal can accomplish with one single password. Secondly, if people could be tempted to disclose their password for such a relatively small sum of money, we as security professionals need to take a close look at how we can remove the temptation.

It is often said that the human factor is often the weakest link in the security chain. So clearly, the most obvious way to stop corporate passwords being sold is to remove the need for people to have them in the first place. After all if you don’t have it you can’t sell it! You may say “Easier said than done” but in truth it is simple.

The ubiquity of passwords has for too long made IT departments and security professionals wary of replacing them. This is coupled with the fact that the available alternatives, such as biometrics, have been accompanied by hefty price tags, challenging roll outs and resource intense management. However, new solutions such as PINgrid are taking the elements of password-based security that work well and replacing those that don’t.

So, if you are an employee you still login using a passcode, but it is a one-time-code generated from a pattern that you have memorised within a simple grid (either displayed on-screen, or via an app on a mobile device). Of course an employee could sell their pattern but it would be worthless as the digits within it are never repeated in the same sequence. Therefore, they would also have to sell their device along with it and I don’t know anyone who would be willing to be parted from their phones (whether their own device or a corporate owned one) for a few minutes let alone sell it (apps intact) to a total stranger! 

Author: Alissa Lang, Winfrasoft