In-brief: Companies like Microsoft and Google have both unveiled initiatives that de-emphasize the traditional, static, alpha-numeric password in recent days. So is the password going the way of the horse and buggy? Don’t be so sure, says Robert Capps of the firm NuData. Capps thinks that passwords will be with us for the foreseeable future and that companies concerned about security need to do more than just find a more secure way to log-in.
Passwords to protect sensitive accounts on computers are almost as old as computers themselves. But, unlike the systems they protect, passwords haven’t changed much in the last fifty years. In fact, if recent studies of password behavior are any measure: they haven’t changed at all. But the need for passwords to secure sensitive systems and accounts is growing by leaps and bounds, as the advent of web-based services and applications, from social networking to online banking, has compelled all of us to create and try to remember a dizzying array of different alphanumeric codes. The Internet of Things, by all accounts, will push this trend into overdrive.
But this creates a conundrum, as individuals struggle to manage more and more sets of supposedly unique credentials that protect their access to accounts and sensitive data. Simply put: the more secure the password, the harder to remember. The easier to remember, the less secure the password.
Cyber criminals realize this, and they haven’t wasted time in taking advantage of it. Troves of leaked or easy-to-crack passwords open the doors to corporate networks or sensitive retail, banking or health accounts. Fraudsters also leverage leaked or stolen data to game password reset features, allowing them access to a sensitive account and the ability to set the password to one of their liking.
Many security experts and leading technology firms are of the opinion that the traditional, static password’s time has passed. More and more applications and services have offered users so-called two-factor authentication, in which a one-time passcode, generated by a separate mobile application or texted to the user’s phone, must be entered in addition to the correct password. Firms including Apple have also introduced biometric authentication tools, such as fingerprint readers. Just this week, Microsoft introduced a feature for its authenticator app that allows users to sign into their Microsoft account without entering a password at all. Google, too, has moved to a “tiered security” model that demotes the password, treating it as just one piece of information needed to reach sensitive data or resources rather than the only piece.
What is the future of the password? And what will replace it? To answer that question, Security Ledger sat down with Robert Capps, the Vice President of Business Development at NuData Security, which helps companies spot sophisticated (and unsophisticated) attempts to take over user accounts and otherwise break into sensitive systems and applications. Robert said that he’s no fan of passwords and that humans, inherently, are bad at creating them.
But that doesn’t mean that Capps is convinced that the world will do away with them any time soon. Instead, he said, companies need to get better at spotting the actions of fraudulent actors, including scams like the creation of “synthetic identities” that combine stolen and fictional data as a way to defraud banks and merchants. For example, noting when new accounts appear to be created by automated scripts rather than flesh-and-blood humans can be an early warning that a fraudster is afoot, Capps said.
Check out my full conversation with Robert in our latest Security Ledger podcast below or at Soundcloud. You can also listen to it on iTunes. As always, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.