"Hey Grandpa, tell me again the story about how you had to remember 53 passwords and they were all supposed to be different, and you were supposed to change them every 90 days.  That's a funny story!  I think you're making it up!"

 

 

I was just at an ISSA Austin meeting where Mark Thames of Toopher presented.  Great preso enjoyed by 125 atttendees.  So Mark asks the audience of security practitioners, "Who thinks passwords will be gone in 5 years?"  Maybe 3 people raise their hands.  Passwords are so ingrained in everything digital.  We are definitely not laughing yet.  


Mark had an interesting truism in his slides:  "Easy-to-remember passwords are bad passwords.  Hard-to-remember passwords are bad passwords."  So we not only have 53 passwords that should be unique, they should all be really tricky to guess.  That also makes them tricky to remember.


Sure, there are all kinds of solutions security vendors offer right now, like SSO.  SSO has got to be one of the most complicated simple solutions ever.  Every app demanding authentication, it's still scary hard to satisfy them all, including those legacy apps who had their own ideas about passwords.  Then there's the old "keys to the kingdom" issue, where with SSO if the bad guy compromises the SSO password they get into everything.


At the most basic level, authentication is about proving you are who you say you are.  Given human frailties at remembering 53 complex and unique passwords, second factor authentication becomes attractive.  Traditional second factor authentication, where you have to provide two proof points, can include something you know, like a password, something you are, like a fingerprint or retinal scan, and something you have, like a token.  With the second factor, the risk of a weak password is reduced, making the game almost tolerable for a human.  You can probably get away with a password you can actually remember with second factor authentication backing it up.


It's a good thing young, smart companies like Toopher are trying to fix this mess.   Computer authentication, at this point, remains tedious at best.  Personally, I'm looking forward to griping about how hard we had it back in the day, trudging 3 miles in the snow to the computer and then being challenged to prove I am who I say I am by every Tom. Dick and Harry application I happen to want to use.  Jeez.

trudging through the snow.jpg


On a more serious note, bad guys are doing a pretty good job with various tools and social engineering to pirate user passwords.  You might want to look at a SIEM solution for your business to watch for remote access attempts and failed access attempts. which are correlated with other anomalous behavior across the network, systems and apps to defeat the bad guys.  If that's the case, check out our Log & Event Manager product for 30 days free.