IS Security Matters
Why Passwords Persist
By Steven J. Ross, CISA
It is a universally acknowledged truth that passwords, as a
reliable means of authentication, have well outlived their
usefulness. The premise of passwords is fairly simple: If
you know something, and only you know it, then reference to
that secret can prove that you are the person you say you are.
And if that “something” is a more or less random string of
characters, then it is unlikely that anyone but you would be
able to figure out what it is that you know, so no one can
impersonate you. Fairly simple, yes. Fairly wrong, too.
For one thing, knowing a secret does not prove that you are
you. It proves only that whoever is typing knows the secret, and
nothing in the exchange shows that the knowledge is in fact still
secret or that it is you who has it. Every production of Othello is
based on this fallacy. Moreover, the fact that the secret is a random
string does not hold up well either. For one thing, many strings that
are supposedly random are nothing of the sort and can be guessed. For
another, if the string is intercepted while in transmission or use, it
is no longer secret.
Worse, we have created the myth of the “better” password,
one that mixes special characters, numbers, upper and lower case
and enough length that it cannot possibly be guessed. Try out
x3%j4R1d. Go ahead, try it. Try typing it. Wasn’t easy, was it?
Now close your eyes and try to remember it. Even harder, eh? If
you had to use a password like that, you would write it down, no
doubt, thereby undermining the premise that it is known (or
knowable) only by you.
And yet we all have passwords. I know I do. Oh boy, do I
ever! I have passwords on top of passwords on top of passwords. One for the LAN, another for the WAN, still another
for the HR system, another for e-mail, yet another for
timesheets and a numeric code for voice mail. And those are
only the ones I use in the office. At home, I have them for my
Internet provider, my bookseller, my travel agent, three or four
airlines, my bank, my trading account, my credit cards, even
the company where I buy presents for my kids. Here’s the best
of all: I belong to a security society and I have a password to
get to its site!
Security professionals and IS auditors have spent so many
years advocating “better” passwords that it is hard now to see
their flaws, but flaws there are. They give you protection, but
in fact it is just a feeling of protection. That wonderful, warm
sense that you’re safe and secure is all a pretense.
Passwords are shared secrets, useful only while they are
secret. But you have a lot of things working against you,
eroding the real security that you think you’re getting.
For one thing, with all the passwords flying over all the networks, somebody who really wants one can get one—one of
yours, that is. For another, hackers really do have ways of
extracting password files and cracking the hashes in them. Not
from every system, to be sure, but one weak system is enough,
because, like so many users, you need some sort of mnemonic to
remember all your passwords. So you use your dog’s name, your
birthday, a classmate from school or something else you will not
forget, and a guess list built from a few such facts finds it
quickly. And thus, once a password is cracked on a weak system,
it can be paired with a universal identifier, such as a credit card
number or a social security number, and used to enter a stronger
system.
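To make that chain concrete, here is an added example in Go, using only the standard library; it is not code from the column. The “weak system” is assumed to store unsalted MD5 digests and the “stronger system” salted SHA-256 digests compared in constant time; the personal facts, the password Rex1962! and the salt are all constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed facts an attacker could learn about the user: the dog's
// name, a classmate, a birth year. None of this comes from the column.
var personalFacts = []string{"rex", "susan", "1962"}

// candidates expands the facts into the mnemonic passwords the column
// describes: a word, with or without a capital, followed by a year and/or
// a token special character. Three facts give 72 guesses.
func candidates(facts []string) []string {
	years := []string{"", "1962", "62"}
	specials := []string{"", "!", "1", "123"}
	var out []string
	for _, f := range facts {
		capitalised := strings.ToUpper(f[:1]) + f[1:]
		for _, base := range []string{f, capitalised} {
			for _, y := range years {
				for _, s := range specials {
					out = append(out, base+y+s)
				}
			}
		}
	}
	return out
}

// weakHash models the weak system: an unsalted MD5 digest, so one guess
// list serves every account in the leaked file.
func weakHash(pw string) string {
	sum := md5.Sum([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// crackWeak runs the guess list against a digest leaked from the weak
// system and returns the plaintext if one of the guesses matches.
func crackWeak(leakedDigest string, facts []string) (string, bool) {
	for _, guess := range candidates(facts) {
		if weakHash(guess) == leakedDigest {
			return guess, true
		}
	}
	return "", false
}

// strongAccount models the stronger system: a per-user random salt and a
// SHA-256 digest, compared in constant time. That protects the stored
// digest; it cannot tell a reused password from a fresh one.
type strongAccount struct {
	salt   []byte
	digest []byte
}

func strongHash(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

func (a strongAccount) login(pw string) bool {
	return subtle.ConstantTimeCompare(a.digest, strongHash(a.salt, pw)) == 1
}

// reuseAttack is the chain the column describes: crack the weak system's
// digest with guesses built from personal facts, then present the
// recovered plaintext to the stronger system.
func reuseAttack(leakedDigest string, facts []string, acct strongAccount) (string, bool) {
	pw, ok := crackWeak(leakedDigest, facts)
	if !ok {
		return "", false
	}
	return pw, acct.login(pw)
}

func main() {
	// Constructed: the user chose "Rex1962!" for both systems.
	password := "Rex1962!"
	leaked := weakHash(password)
	acct := strongAccount{salt: []byte("per-user-random-salt")}
	acct.digest = strongHash(acct.salt, password)

	pw, ok := reuseAttack(leaked, personalFacts, acct)
	fmt.Printf("cracked on weak system: %q; stronger system accepted it: %v\n", pw, ok)
}
```

Run it and the recovered password logs in to the stronger system, whose salting and constant-time comparison never come into play: they protect the stored digest, not a password the user has already handed to a weaker site. Swapping a slow, salted hash into weakHash makes the guess list more expensive to run, not wrong; the only fix for reuse is not reusing.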
Even if you are really careful when you choose passwords
and use them, you cannot remember them all; there are just too
many. So if you are like me and most other users, there are
only two alternatives: make them all the same or write them
down. Since different places have different formats for their
passwords, you cannot make them all the same, so you make
most of them alike and write down the rest: the worst of both
worlds! In the interest of security, you are forced to change
your passwords, but on different schedules, so it becomes
impossible to remember them all. Hence, you write them
down. Of course, I’m sure you don’t write them down on a
piece of paper and put it in your wallet; you probably have a
list in a file on your PC. And I wager that the name of the file
is password or similar. This way, when your system is penetrated, the hacker will get all your passwords in one neat
package.
(The astute student of grammar will note that I have been
switching between voices, I and we and you. I know that I am
at fault with password misuse, and I know that many others are
as well, so I’m including you, too. If you have not been guilty
of password overuse, you can skip this article. For the rest of
us….)
The first step is to recognize that you have a problem. If
you’re not sure about that, consider what would happen if your
hard disk crashed and your password file were wiped out. How
many systems, how many sites would you be unable to reach?
What would you do? Whom would you call? If you are not
comfortable answering these questions, you have a password
problem.
It is easy to acquire a password problem. For many of the
web-based activities that you want to partake in, a password is
required. For many of the platforms you need to access at
work, a password is required. You are not collecting passwords, you are adding functionalities, but the result is the
same. You cannot blame the system designers; they are mandated (perhaps by a security standard only a few years old) to
provide protection for their systems, protection prescribed as
passwords. And you cannot blame the web sites either. To
them, it is just a business and you are a customer, a willing
customer at that.
Many web sites protect your password with SSL, and that is
indeed potent protection. In this case, you do not just feel
secure, you are secure, but only while the password is in transit
under SSL. The password you enter is safe on the wire, but SSL
cannot help if someone else already has it, from a cracked file
elsewhere, from the list on your PC or from the site you reused it
on. It is like having the world’s best lock on your front
door and then handing out the keys.
Fortunately, the outlines of the solution are becoming
apparent. In the near future, I am certain we are going to
replace passwords. Maybe a better way to put it is that we’re
going to replace all those passwords with just one. Only it
won’t be a password as such. It will give us the same access
we have, maybe better, but we will not have to remember
anything, will not have to write anything down. It’s called a
certificate.
Of course, certificates are not a perfect solution. They come
with their own bag of problems, but it is a much smaller bag
than the one carried by all those passwords. The point is that a
certificate, a cryptographically signed statement that binds your
public key to your identity, gets a trusted third party to vouch for
you. Everybody who can check the signature on the certificate knows
you are who you say you are, that you can do what you say you can
do, and you prove it by using the private key that only you hold,
not by handing over a secret that every system you log in to must
then guard.
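What “a trusted third party vouches for you” means in practice, as an added example rather than anything from the column, in Go with only the standard library: a CA issues a certificate for a user’s public key, and a server that trusts the CA authenticates the user by verifying that certificate and a signature over a fresh nonce. The CA name, the user name sross, the ECDSA P-256 keys and the one-year validity are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// identity is a key pair plus the certificate vouching for it. The private
// key never leaves its owner; only the certificate is handed around.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// certify signs tmpl with signer's key; when parent is tmpl it is self-signed.
func certify(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// newCA creates the trusted third party: a self-signed CA certificate.
func newCA(name string, now time.Time) identity {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return identity{key, certify(tmpl, tmpl, &key.PublicKey, key)}
}

// issue has the CA vouch for a user: a one-year certificate binding the user's
// public key to the user's name. The CA never sees the private key.
func issue(ca identity, user string, pub *ecdsa.PublicKey, now time.Time, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return certify(tmpl, ca.cert, pub, ca.key)
}

// sign is the client's half: signing the server's fresh nonce proves possession
// of the private key for this login only, so the signature cannot be replayed.
func (u identity) sign(nonce []byte) []byte {
	d := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, u.key, d[:])
	check(err)
	return sig
}

// authenticate is the server's half. The server holds only the CA it trusts, no
// password file: it checks the chain back to that CA (rejecting unknown issuers,
// expiry and wrong key usage), then the signature, and returns the vouched-for name.
func authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return "", errors.New("signature does not match the certificate's key")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca := newCA("Example CA", now) // names are assumed for the example
	k := newKey()
	user := identity{key: k, cert: issue(ca, "sross", &k.PublicKey, now, 2)}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	check(err)
	fmt.Println(authenticate(roots, user.cert, nonce, user.sign(nonce), now))
}
```

Note what the server stores: a CA certificate, nothing secret, so there is no password file to steal. The verification step is also where the smaller “bag of problems” shows up: the example rejects an expired certificate and one from an unknown CA, but a certificate whose private key has been stolen stays valid until it expires unless the server also checks revocation, which this example does not.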
But until everybody has certificates, until everybody (or at
least a lot of us) is using them, passwords will persist. They
exist because we have made them exist and they will not disappear until we all realize their weaknesses. We all have to get in
with certificates or we will all be left out. It is a new way of
doing things, a new order. Of course change is scary. But all
those passwords you are carrying around are pretty scary, too.
Steven J. Ross, CISA, a director at Deloitte & Touche, welcomes comments at stross@dttus.com.