Slashdot Mirror


Why Are We Still Using Passwords? (securityledger.com)

Here's some surprising news from the Akamai Edge conference. chicksdaddy writes: [E]xecutives at some of the U.S.'s leading corporations agreed that the much maligned password won't be abandoned any time soon, even as data breaches and follow-on attacks make passwords more susceptible than ever to abuse, the Security Ledger reports. "We reached the end of needing passwords maybe seven years ago, but we still use them," said Steve Winterfeld, Director of Cybersecurity, at clothing retailer Nordstrom. "They're still the primary layer of defense."

"It's hard to kill them," noted Shalini Mayor, who is a Senior Director at Visa Inc. "The question is what to replace them with." This, even though the cost of using passwords is high and getting higher, as sophisticated attacks attempt to compromise legitimate accounts using so-called "credential stuffing" techniques, which use automated password guessing attacks against web-based applications... Stronger and more reliable alternatives to passwords already exist, but the obstacles to using them are often prohibitive. Shalini Mayor said Visa is "looking at" biometric technologies like Apple's TouchID as a tool for making payments securely. Such technologies -- from fingerprint scans to facial and retinal scans -- promise more secure and reliable factors than alphanumeric passwords, the executives agreed. But customers often resist the technologies or find them error prone or too difficult to use.

1 of 209 comments

  1. The answers by Okian Warrior · Score: 4, Interesting

    The answers are pretty obvious.

    Firstly, we still use them because there's no reasonable replacement. Duh.

    Secondly, there's no reasonable replacement because of the way our computers work.

    Passwords are essentially information held in a system outside the computer (your head), that can be used for verification. The problem is that humans aren't really good at remembering passwords, and we need so many of them, and they are infrequently needed.

    All attempts at using computers to solve this issue have run afoul of the "general purpose computer" problem: because our computers do not address security properly, we cannot guarantee what software is running on the local hardware. We cannot guarantee the security of passwords held on the computer, or in an encrypted file, because it's so easy to download and run malware. No one keeps track of all the things run on the computer, and we can't even trust the people who supposedly *do* keep track.

    One reasonable solution is to use hardware specific to the purpose that's *not* a general purpose computer.

    If you had a piece of hardware - a thumb drive, for example - that was *not* general purpose and could not download and execute code, then that could be made pretty secure. It could hold a person's private key, have functions to encrypt, decrypt, and sign documents, and also pass out the public key. It could also download and install new keys, with the understanding that the base functions could not be changed.

    There are some details involved: you need a way to securely back up the data, and you need a way to securely recover the data in various situations. Mostly, you need to save the data somewhere safe and write down a master password (one, a PIN of sorts) somewhere else.

    The Mooltipass is pretty close. It generates strong passwords for each web site registration, and will fill in the fields for you when you go to log in.

    That's not the complete solution, however. It should *encrypt* the password with the user's private key and the site's public key so that no one can view it (*), or even better use a zero-knowledge authentication process.

    If we could somehow begin using a fixed-program computer - say, something the size of a credit-card calculator that requires a PIN and that holds the information for *all* the cards in your wallet - we could get away from passwords.

    We would also have a single point on which we could put *all* our effort to make secure.

    Hypothetically, that one card would reduce credit card fraud to near zero. When you use the card you enter your PIN on the keypad, and the card generates a ShopSafe number tied to your credit account, valid for one purchase.

    Take a look at the badges at high-tech conferences these days. It seems like the hardware shouldn't be that hard or expensive.

    Could this be the next killer product from Apple? A hand-held thingy that's secure and ultra-convenient, that you use for payments (IRL and online) and password entry?

    (*) Yes, ssh is not absolutely secure. Did you think all those cert authorities in your browser have been properly vetted?
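The zero-knowledge login the comment above argues for, as an added example that is not part of the original post, the linked article, or the Mooltipass product: a Schnorr identification protocol in plain Python, with the roles split the way the post sketches. The "token" holds the secret x and can only commit and respond; the "site" stores just y = g^x mod p, so a breached user table yields nothing that can be replayed or stuffed into a login. The group parameters are generated at toy size (a 128-bit safe prime) purely so the example runs offline without libraries; that, and the function names, are assumptions of this example, and a real deployment would use a standardised group or an elliptic-curve signature library.

```python
"""Password-free login with a Schnorr zero-knowledge identification protocol.

Roles follow the post's sketch: a fixed-function token holds the secret x and
can only commit/respond; the web site stores just the public value y = g^x mod p.
A breach of the site's user table leaks y alone, which cannot be replayed or
"stuffed" into a login the way a leaked password can.
"""
import secrets

# Trial-division sieve applied before the Miller-Rabin rounds.
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, error < 4**-rounds)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)        # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                        # composite witnessed
    return True


def generate_group(bits: int = 128):
    """Return (p, q, g): p = 2q + 1 a safe prime, g of prime order q.

    ASSUMPTION: toy-sized parameters so the example runs offline in well under
    a second; real systems use a standardised group or an elliptic curve.
    """
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    # 4 = 2^2 is a quadratic residue mod p, so it lies in the unique subgroup
    # of order q; being != 1, it generates that subgroup.
    return p, q, 4


def keygen(params):
    """Token side: secret x (never exported) and public y sent once at enrolment."""
    p, q, g = params
    x = 1 + secrets.randbelow(q - 1)            # x in [1, q-1]
    return x, pow(g, x, p)


def prover_commit(params):
    """Move 1 (token -> site): one-time nonce r and commitment t = g^r."""
    p, q, g = params
    r = 1 + secrets.randbelow(q - 1)
    return r, pow(g, r, p)


def verifier_challenge(params):
    """Move 2 (site -> token): fresh random challenge; reuse would permit replay."""
    _, q, _ = params
    return secrets.randbelow(q)


def prover_respond(params, x, r, e):
    """Move 3 (token -> site): s = r + e*x mod q. r is uniform and used once,
    so s reveals nothing about x."""
    _, q, _ = params
    return (r + e * x) % q


def verify(params, y, t, e, s):
    """Site side: accept iff t is a valid subgroup element and g^s == t * y^e (mod p)."""
    p, q, g = params
    if not (1 < t < p and 0 <= s < q) or pow(t, q, p) != 1:
        return False
    return pow(g, s, p) == (t * pow(y, e, p)) % p


def run_session(params, x, y):
    """One complete three-move login; returns (accepted, transcript)."""
    r, t = prover_commit(params)
    e = verifier_challenge(params)
    s = prover_respond(params, x, r, e)
    return verify(params, y, t, e, s), (t, e, s)


if __name__ == "__main__":
    params = generate_group()
    x, y = keygen(params)
    site_db = {"alice": y}                      # constructed: all a breached site would leak
    ok, (t, e, s) = run_session(params, x, site_db["alice"])
    print("login accepted:", ok)
    # A captured transcript is useless against the next login's fresh challenge.
    print("replay accepted:", verify(params, y, t, verifier_challenge(params), s))
```

The replay check at the end is the property that matters for the credential-stuffing problem the summary raises: a recorded (t, e, s) only satisfies the verification equation for the exact challenge e it was computed against, and the site picks a new one every time, so neither a sniffed session nor a dump of the stored y values gives an attacker anything to submit.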