Passwords are widely recognised by the security industry as no longer being fit for purpose. Yet at the same time they are ingrained into users’ psyche as being the ‘correct’ way to log in to applications and devices. This element of human behaviour, and our unquestioning acceptance of passwords, is the very thing that HeartBleed seeks to exploit. As a result, the bug has shone a bright light on passwords and their inadequacy – what lessons can we take away from the last week?
1. Passwords are hard to use and maintain. We’re told that for each individual application that we interact with, we should use a unique password. All very well in theory, but when it comes to remembering them it is a very different kettle of fish.
2. In order to address the fact that, unless you have an eidetic memory, it simply isn’t feasible to remember and manage such a multitude of passwords, we default to either using the same one for everything or something that is easy to remember such as our birthdate or Password1. The problem is that if it’s easy for you to remember, the chances are it’s not going to take a hacker long to work it out either.
3. Passwords are an economic cornerstone of the cyber underworld. Why? Because identity is a valued currency and it’s one that is accepted everywhere. Once a hacker has your password, as far as a website or app is concerned, they are you. So, whilst HeartBleed exposes big chunks of data known by a web server to hackers, passwords are the most obvious target because of their ability to provide access to everything that they are supposed to protect.
4. Without realising it, we’ve created islands of identity, both in terms of the business applications and the devices that we use. With more and more apps downloaded every day, this isn’t a static environment. Just five years ago it wouldn’t have seemed possible that we’d be able to access the corporate network from our home PC, laptop, tablet and smartphone, yet now it is the reality in which we live. When bugs such as HeartBleed are discovered, unravelling these identity silos in order to ascertain the risk and potential ramifications is almost impossible, leaving businesses and users vulnerable.
5. We need an alternative to passwords. Without question we need a more modern way of being able to convey our identity to a server. Security Assertion Markup Language (SAML) is already pretty common. It allows you to log into a website without a password, instead relying on a system that already knows who you are and generates a one-off message, or token, that validates your identity and is sent to the server. Known as ‘zero sign on’, it provides instant access to the service and delivers a seamless user experience. However, the website needs to support SAML technology in order for zero sign on to work. Rest assured, widespread adoption is something that we’re working with the wider industry on!
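To make the ‘one-off message’ idea concrete, here is an added example (not code from the original post, and not a SAML implementation) showing the checks a website must perform when it accepts such a token instead of a password. Real SAML assertions are XML documents carrying an XML Signature verified with the identity provider’s public key; this stand-in uses JSON and an HMAC-SHA256 over a shared key, purely to demonstrate the four checks that matter: the signature is genuine, the assertion was issued for this service, it is still within its validity window, and it has not been presented before. The key, audience URL and subject names are constructed for the example.

```python
"""
Simplified stand-in for the SAML-style flow described above: an identity
provider (IdP) issues a one-off, signed assertion and the website (service
provider, SP) validates it rather than checking a password.  Real SAML uses
XML and XML Signatures; JSON + HMAC is used here only to keep the checks
readable.  All names and keys below are constructed for this example.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret between IdP and SP.  A real SAML deployment verifies
# an XML signature with the IdP's public key instead of a shared key.
SHARED_KEY = b"example-idp-sp-key"
SP_AUDIENCE = "https://sp.example.test/"   # hypothetical service provider


def issue_assertion(subject, audience=SP_AUDIENCE, ttl=60, now=None):
    """IdP side: build a short-lived assertion with a unique ID and sign it."""
    now = time.time() if now is None else now
    body = {
        "id": secrets.token_hex(16),   # unique per assertion, enables replay detection
        "sub": subject,                # who the IdP says you are
        "aud": audience,               # which service this assertion is for
        "iat": int(now),               # issued at
        "exp": int(now) + ttl,         # expires at
    }
    # Canonical serialisation so IdP and SP sign/verify identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode(), sig


class ServiceProvider:
    """SP side: accepts an assertion once, or rejects it with a reason."""

    def __init__(self, audience=SP_AUDIENCE):
        self.audience = audience
        self.seen_ids = set()   # consumed assertion IDs; persist this in production

    def accept(self, payload, sig, now=None):
        """Return the authenticated subject, or raise ValueError with the reason."""
        now = time.time() if now is None else now
        expected = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; check the signature before trusting any field.
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        body = json.loads(payload)
        if body.get("aud") != self.audience:
            raise ValueError("assertion not intended for this service")
        if not (body["iat"] <= now < body["exp"]):
            raise ValueError("assertion expired or not yet valid")
        if body["id"] in self.seen_ids:
            raise ValueError("assertion already used (replay)")
        self.seen_ids.add(body["id"])
        return body["sub"]


def demo():
    """Exercise the happy path and each rejection reason; returns a dict of outcomes."""
    sp = ServiceProvider()
    t0 = 1_700_000_000   # fixed clock so results are deterministic
    payload, sig = issue_assertion("alice", now=t0)
    other_payload, other_sig = issue_assertion("alice", audience="https://other.example.test/", now=t0)
    results = {"first": sp.accept(payload, sig, now=t0 + 5)}
    cases = {
        "replay": (payload, sig, t0 + 6),
        "expired": (payload, sig, t0 + 120),
        "tampered": (payload.replace("alice", "mallory"), sig, t0 + 5),
        "wrong_audience": (other_payload, other_sig, t0 + 5),
    }
    for name, args in cases.items():
        try:
            results[name] = sp.accept(*args)
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The order of the checks is deliberate: the signature is verified before any field is read, so an attacker cannot influence the audience, time or ID logic with unsigned data, and the ID is only recorded as used once every other check has passed.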
New technologies and platforms mean that hopefully in the future bugs such as HeartBleed will hardly even be news. And they certainly won’t cause the panic that this one has. I dearly hope that in years to come, when reminiscing about the ‘old days’, my grandson says to me, "Granddad, what’s a password?"