IS SECURITY MATTERS

Why Passwords Persist

By Steven J. Ross, CISA

It is a universally acknowledged truth that passwords, as a reliable means of authentication, have well outlived their usefulness. The premise of passwords is fairly simple: If you know something, and only you know it, then reference to that secret can prove that you are the person you say you are. And if that "something" is a more or less random string of characters, then it is unlikely that anyone but you would be able to figure out what it is that you know, so no one can impersonate you.

Fairly simple, yes. Fairly wrong, too. For one thing, knowing a secret does not prove that you are you. It proves only that you are the person who claims to be you on the basis of supposedly secret knowledge. However, there is no indication that the knowledge is in fact secret or that you yourself have it. Every production of Othello is based on this fallacy. Moreover, the fact that the secret is a random string does not hold up well either. For one thing, many strings that are supposedly random can be decoded. For another, if the string is intercepted while in transmission or use, it is no longer secret.

Worse, we have created the myth of the "better" password, one that contains special characters, numbers, cases and length such that it cannot possibly be guessed. Try out x3%j4R1d. Go ahead, try it. Try typing it. Wasn't easy, was it? Now close your eyes and try to remember it. Even harder, eh? If you had to use a password like that, you would write it down, no doubt, thereby undermining the premise that it is known (or knowable) only by you.

And yet we all have passwords. I know I do. Oh boy, do I ever! I have passwords on top of passwords on top of passwords. One for the LAN, another for the WAN, still another for the HR system, another for e-mail, yet another for timesheets and a numeric code for voice mail. And those are only the ones I use in the office. At home, I have them for my Internet provider, my bookseller, my travel agent, three or four airlines, my bank, my trading account, my credit cards, even the company where I buy presents for my kids. Here's the best of all: I belong to a security society and I have a password to get to its site!

Security professionals and IS auditors have spent so many years advocating "better" passwords that it is hard now to see their flaws, but flaws there are. They give you protection, but in fact it is just a feeling of protection. That wonderful, warm sense that you're safe and secure is all a pretense. Passwords are a form of shared secret, useful only if they are secret. But you have a lot of things working against you, compromising the real security that you think you're getting. For one thing, with all the passwords flying over all the networks, somebody who really wants one can get one, one of yours, that is. For another, hackers really do have ways of cracking password files and extracting them. Not from every system, to be sure. But, like so many users, you need to have some sort of mnemonic to remember all your passwords. So you use your dog's name, your birthday, a classmate from school or something else you will not forget. And, thus, once a password is cracked on a weak system, along with a universal identifier like a credit card number or a social security number, it can be used to enter a stronger system.

Even if you are really careful when you choose passwords and use them, you cannot remember them all; there are just too many. So if you are like me and most other users, there are only two alternatives: make them all the same or write them down. Since different places have different formats for their passwords, you cannot make them all the same, so you make most of them alike and write down the rest: the worst of both worlds! In the interest of security, you are forced to change your passwords, but on different schedules, so it becomes impossible to remember them all. Hence, you write them down. Of course, I'm sure you don't write them down on a piece of paper and put it in your wallet; you probably have a list in a file on your PC. And I wager that the name of the file is "password" or similar. This way, when your system is penetrated, the hacker will get all your passwords in one neat package.

(The astute student of grammar will note that I have been switching between voices, I and we and you. I know that I am at fault with password misuse, and I know that many others are as well, so I'm including you, too. If you have not been guilty of password overuse, you can skip this article. For the rest of us....)

The first step is to recognize that you have a problem. If you're not sure about that, consider what would happen if your hard disk crashed and your password file were wiped out. How many systems, how many sites would you be unable to reach? What would you do? Whom would you call? If you are not comfortable answering these questions, you have a password problem.

It is easy to acquire a password problem. For many of the web-based activities that you want to partake in, a password is required. For many of the platforms you need to access at work, a password is required. You are not collecting passwords, you are adding functionalities, but the result is the same. You cannot blame the system designers; they are mandated (perhaps by a security standard only a few years old) to provide protection for their systems, protection prescribed as passwords. And you cannot blame the web sites either. To them, it is just a business and you are a customer, a willing customer at that. Many web sites protect your password with SSL, and that is indeed potent protection. In this case, you do not just feel secure, you are secure, but only while you are running under SSL. The password you enter is safe, unless someone else gets it first. It is like having the world's best lock on your front door and then handing out the keys.

Fortunately, the outlines of the solution are becoming apparent. In the near future, I am certain we are going to replace passwords. Maybe a better way to put it is that we're going to replace all those passwords with just one. Only it won't be a password as such. It will give us the same access we have, maybe better, but we will not have to remember anything, will not have to write anything down. It's called a certificate.

Of course, certificates are not a perfect solution. They come with their own bag of problems, but it is a much smaller bag than the one carried by all those passwords. The point is that a certificate, a digital string using cryptographic functions to ensure identity, gets a trusted third party to vouch for you. Everybody who can read the certificate knows you are who you say you are, that you can do what you say you can do.

But until everybody has certificates, until everybody (or at least a lot of us) is using them, passwords will persist. They exist because we have made them exist and they will not disappear until we all realize their weaknesses. We all have to get in with certificates or we will all be left out. It is a new way of doing things, a new order. Of course change is scary. But all those passwords you are carrying around are pretty scary, too.

Steven J. Ross, CISA, a director at Deloitte & Touche, welcomes comments at stross@dttus.com.
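The two ideas the column contrasts, a shared secret that must cross the wire every time versus a certificate in which a trusted third party vouches for a name-to-key binding and the holder proves possession of the key without ever revealing it, can be shown in a few dozen lines. The code below is an added example and is not part of the column or any product it mentions. It assumes Ed25519 from Go's standard library and a deliberately simplified "toy" certificate structure (a subject name, a public key and the issuer's signature over both) in place of X.509; the names "alice" and the nonce values are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ToyCertificate is a teaching stand-in for an X.509 certificate (an assumption
// of this example, not the article's): it binds a subject name to a public key,
// and the issuer's signature over that binding is the third party "vouching".
type ToyCertificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	Signature []byte // issuer's signature over Subject and PublicKey
}

// tbs returns the "to be signed" bytes: everything except the signature,
// in a canonical encoding so issuer and verifier sign/check identical bytes.
func (c ToyCertificate) tbs() []byte {
	b, err := json.Marshal(struct {
		Subject   string
		PublicKey ed25519.PublicKey
	}{c.Subject, c.PublicKey})
	if err != nil {
		panic(err) // cannot happen for these field types
	}
	return b
}

// Issue is the trusted third party's job: sign the (name, key) binding.
func Issue(issuerPriv ed25519.PrivateKey, subject string, subjectPub ed25519.PublicKey) ToyCertificate {
	c := ToyCertificate{Subject: subject, PublicKey: subjectPub}
	c.Signature = ed25519.Sign(issuerPriv, c.tbs())
	return c
}

// VerifyCertificate is what "everybody who can read the certificate" does:
// check that an issuer they trust really signed this binding.
func VerifyCertificate(issuerPub ed25519.PublicKey, c ToyCertificate) bool {
	return ed25519.Verify(issuerPub, c.tbs(), c.Signature)
}

// NewChallenge produces a fresh random nonce. Because it changes every time,
// a response captured in transit is useless later, unlike a password, which
// is the same string each time it crosses the wire.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Respond is the holder's side: sign the challenge with the private key that
// matches the certified public key. The private key never leaves the holder.
func Respond(holderPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, nonce)
}

// Authenticate is the relying party's side. It returns the certified subject
// only if (1) a trusted issuer vouched for the certificate and (2) the
// presenter proved possession of the certified key by signing this nonce.
func Authenticate(issuerPub ed25519.PublicKey, c ToyCertificate, nonce, response []byte) (string, error) {
	if !VerifyCertificate(issuerPub, c) {
		return "", errors.New("certificate was not signed by a trusted issuer")
	}
	if !ed25519.Verify(c.PublicKey, nonce, response) {
		return "", errors.New("presenter did not prove possession of the certified key")
	}
	return c.Subject, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader) // the trusted third party
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)   // a user; "alice" is a constructed name
	cert := Issue(issuerPriv, "alice", alicePub)

	nonce, _ := NewChallenge()
	who, err := Authenticate(issuerPub, cert, nonce, Respond(alicePriv, nonce))
	fmt.Println("genuine holder:", who, err)

	// Someone who has a copy of the certificate but not Alice's private key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Authenticate(issuerPub, cert, nonce, Respond(otherPriv, nonce))
	fmt.Println("wrong key:", err)

	// A recorded response presented against a later challenge.
	later, _ := NewChallenge()
	_, err = Authenticate(issuerPub, cert, later, Respond(alicePriv, nonce))
	fmt.Println("replayed response:", err)
}
```

The design point is that nothing secret is transmitted or stored on the relying party's side: the certificate is public, the nonce is public, and the response is a signature that is only good for that one nonce. Compare that with the column's password file, where every entry is a reusable secret that is exactly as valuable to an interceptor as to its owner.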