RSA’s annual security conference was held in San Francisco the first week in February. I had other commitments and didn’t get to go, but Tom was there. So was Bill Gates; he gave the keynote speech again this year. And one of the things he talked about in that speech was the password problem. You can read about it here.
You can watch a webcast of the entire speech here.
So what’s the problem with passwords? Well, for starters, most of us have way too many of them. We have passwords to log onto Windows, passwords to access our email, passwords to log onto various subscription-based web sites, passwords to open protected documents, BIOS passwords to boot our computers, and so forth. Somehow we have to remember each of these, and that’s not even counting the PINs to use our ATMs, security codes to arm and disarm our alarm systems, codes for retrieving our voice mail, etc. Some of us also have electronic locks on our doors, safes with digital locks, and more. It’s enough to drive you batty.
Some people deal with it by having only one or two passwords and PINs that they use for everything. Not a good idea from a security standpoint: if someone manages to crack that one password, they have access to everything. Others keep a nice, organized (password protected) list of all their passwords. That's not much more secure; again, all an intruder has to do is get access to that list (or to the one password protecting it) and he has the "keys to the kingdom."
You can use password management tools such as Roboform, Comodo i-Vault, XP Password Manager and others to store your passwords. There are free password management utilities available, too, including KeyWallet, Access Manager, and Secure Data Manager (SDM).
While these tools address the problem of password proliferation, they don’t do anything about the second problem with passwords: they are inherently vulnerable to compromise. Always using strong passwords helps, and I’ve written here in the past about how to make your passwords stronger and the advantages of using passphrases instead of passwords.
However, no matter how long and complex your password or passphrase is, in the end it's still a static shared secret: a sequence of keystrokes that the server can do nothing with except compare to what it has on file. Anyone who captures that sequence, whether by shoulder-surfing, a keylogger, a phishing page, or by cracking a stolen password hash, can replay it, and the server has no way to tell the replay from the real owner. Once someone else knows your password, there's no technology barrier to prevent him/her from gaining access to your protected accounts. That's why Bill – and many others – believe that passwords have got to go as the primary means of identifying users and giving them access to computer and network resources.
What about smart cards and tokens? (A token is a device such as a USB key that has to be inserted to gain access.) That's certainly a step in the right direction. But there's a problem with such devices, too: they can be lost or stolen. So cards and tokens are usually paired up with passwords or PINs. This gives you a form of multi-factor authentication (something you have plus something you know), and it's been in use with ATMs for decades. You have to have both the card and the password to get access. This solves the problem of someone who steals or finds a card being able to get into your computer and files, but it creates another problem: if you leave your card at home, you're locked out. Using smart cards also requires installing a card reader on your computer. USB tokens are a little more convenient, since most modern systems have one or more USB ports built in.
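To make the difference between the two paragraphs above concrete, here is an added example (not code from the original post or from any product it mentions) that models a static password beside a token-plus-PIN login. The server, the token, the keys and the "captured" data are all constructed in memory for the illustration; the token is assumed to answer a random challenge with an HMAC over a key that never leaves the device, which is the general shape of challenge-response tokens rather than the behaviour of any specific USB key.

```python
"""Added example, not from the original post: a static password is a shared
secret the server can only compare, so a captured copy logs in just as well as
the owner; a possession factor (modelled here as a token doing HMAC
challenge-response) plus a PIN does not have that weakness.

All names, keys and captured data are constructed for this illustration."""
import hashlib
import hmac
import os
import secrets

KDF_ITERATIONS = 100_000


def _kdf(secret: bytes, salt: bytes) -> bytes:
    """Slow hash used for the stored password and PIN verifiers."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS)


# --- Factor 1: something you know (a static password) -----------------------
_PW_SALT = os.urandom(16)
_PW_VERIFIER = _kdf(b"correct horse battery staple", _PW_SALT)   # enrolled password


def login_with_password(password: bytes) -> bool:
    """Server-side check. The server sees only keystrokes, so it cannot tell the
    owner from someone replaying a captured password."""
    return hmac.compare_digest(_kdf(password, _PW_SALT), _PW_VERIFIER)


# --- Factor 2: something you have (a token whose key never leaves it) -------
class Token:
    """Hypothetical hardware token: generates its key internally and only ever
    outputs responses to challenges, never the key itself."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def enrollment_key(self) -> bytes:
        """Released exactly once, at provisioning, to the server."""
        return self._key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, "sha256").digest()


class Server:
    """Verifies token responses against fresh, single-use challenges and also
    requires the user's PIN (two factors: possession plus knowledge)."""

    def __init__(self, token_key: bytes, pin: bytes) -> None:
        self._token_key = token_key
        self._pin_salt = os.urandom(16)
        self._pin_verifier = _kdf(pin, self._pin_salt)
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def login(self, challenge: bytes, response: bytes, pin: bytes) -> bool:
        if challenge not in self._outstanding:      # unknown or already used
            return False
        self._outstanding.discard(challenge)        # each challenge works once
        expected = hmac.new(self._token_key, challenge, "sha256").digest()
        token_ok = hmac.compare_digest(expected, response)
        pin_ok = hmac.compare_digest(_kdf(pin, self._pin_salt), self._pin_verifier)
        return token_ok and pin_ok


def demonstrate() -> dict[str, bool]:
    """Runs the owner and an eavesdropper through both schemes."""
    results = {}

    # Password: the attacker captured the exact keystrokes (keylogger, phishing).
    captured = b"correct horse battery staple"
    results["owner_password"] = login_with_password(captured)
    results["replayed_password"] = login_with_password(captured)   # same outcome

    # Token + PIN: the attacker captured one complete challenge/response exchange.
    token = Token()
    server = Server(token.enrollment_key(), pin=b"4417")
    c1 = server.challenge()
    r1 = token.respond(c1)
    results["owner_token"] = server.login(c1, r1, b"4417")
    results["replayed_exchange"] = server.login(c1, r1, b"4417")   # c1 is spent
    c2 = server.challenge()
    results["old_response_new_challenge"] = server.login(c2, r1, b"4417")
    # A thief who physically holds the token still lacks the PIN.
    c3 = server.challenge()
    results["stolen_token_wrong_pin"] = server.login(c3, token.respond(c3), b"0000")
    return results


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name:30s} {'ACCEPTED' if ok else 'rejected'}")
```

The first two results are the whole password problem in one line: the server accepts the replayed keystrokes exactly as it accepts the owner's. The token results show what the possession factor buys: a captured exchange is worthless because the challenge is random and single-use, and a stolen token without the PIN is rejected, which is the "lost or stolen" case the paragraph pairs with a PIN.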
That, of course, brings us to biometrics. Buying and installing biometric hardware used to be expensive and sometimes difficult to configure. However, prices have come down and many of the new laptop computers on the market today – including the Sony TXN25N/B that I’m considering buying next week – have fingerprint sensors built in. Sony also builds webcams into some of its laptop models that can use facial geometry software to verify your identity. Another method is voice pattern analysis; you speak into the microphone and the computer analyzes your voice and compares it to a sample on file to confirm that you’re really you.
Biometrics, like cards and tokens, can also be coupled with passwords for multiple layers of protection. HP and other vendors also offer biometrics-enabled laptops, and IBM was selling Thinkpads with fingerprint readers back in 2004 (before they sold the brand to Lenovo). If your laptop doesn't come with biometrics capability, you can add it via a PC card.
But how reliable are biometric systems? There's been a lot of improvement in recent years, but it's still possible to get false negatives (the system rejects your fingerprint or voice as not belonging to you; in biometrics jargon, a false rejection) and false positives (the system accepts someone else's fingerprint or voice as authentic; a false acceptance). The two are linked. The matcher compares a fresh sample to the stored template and produces a similarity score, and the system accepts whenever that score clears a threshold. Raise the threshold and you get fewer false acceptances but more false rejections; lower it and the reverse. A single quoted "error rate" therefore describes one operating point, often the one where the two rates are equal, and the numbers that follow are reported figures rather than a guarantee. With that caveat, short of DNA testing, retinal scanning is one of the most reliable biometric methods, with a reported error rate of 1 in 10,000,000. Iris scanning is also highly reliable (reported error rate: 1 in 131,000). Fingerprints and voice analysis, on the other hand, have reported error rates of about 1 in 500. For a comparison of different biometric methods, click here.
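The threshold trade-off described above is easiest to see with numbers. The following is an added example (not from the original post, and not measurements from any real sensor): the match scores are constructed so that the genuine and impostor distributions overlap, and the code sweeps the acceptance threshold to show how the false acceptance rate, the false rejection rate and the equal error rate fall out of one score table.

```python
"""Added example, not from the original post: a biometric 'error rate' is not a
single number. The matcher produces a similarity score; the system accepts when
the score is at or above a threshold, and moving that threshold trades false
acceptances (impostor gets in) against false rejections (owner locked out).
The scores below are constructed for illustration, not measurements of any
real sensor."""

# Match scores in [0, 1]: genuine = the enrolled user against their own
# template; impostor = other people against that template. The two sets
# overlap, which is what makes choosing a threshold a trade-off.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.66, 0.84, 0.93, 0.72]
IMPOSTOR_SCORES = [0.12, 0.35, 0.28, 0.70, 0.44, 0.19, 0.61, 0.33, 0.25, 0.79]


def false_accept_rate(threshold, impostor_scores=IMPOSTOR_SCORES):
    """Fraction of impostor attempts the system accepts (false positives)."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_reject_rate(threshold, genuine_scores=GENUINE_SCORES):
    """Fraction of genuine attempts the system rejects (false negatives)."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def tradeoff_curve(genuine_scores=GENUINE_SCORES, impostor_scores=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) for every threshold at which a decision changes."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, false_accept_rate(t, impostor_scores), false_reject_rate(t, genuine_scores))
            for t in thresholds]


def equal_error_rate(genuine_scores=GENUINE_SCORES, impostor_scores=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest, and the error rate there.
    The EER is the usual single-number summary quoted for a biometric."""
    t, far, frr = min(tradeoff_curve(genuine_scores, impostor_scores),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def strictest_threshold(max_far, genuine_scores=GENUINE_SCORES, impostor_scores=IMPOSTOR_SCORES):
    """Lowest threshold that keeps FAR at or below max_far, together with the
    FRR that choice costs. A high-security deployment fixes a FAR budget and
    lives with the resulting rejections; a convenience-first one does the reverse."""
    for t, far, frr in tradeoff_curve(genuine_scores, impostor_scores):
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in tradeoff_curve():
        print(f"{t:8.2f}  {far:.2f}  {frr:.2f}")
    t, eer = equal_error_rate()
    print(f"EER {eer:.2f} at threshold {t:.2f}")
    print("threshold for zero false acceptances:", strictest_threshold(0.0))
```

With these constructed scores the equal error rate is 10% at a threshold of 0.72, while driving false acceptances to zero requires a threshold of 0.81 and locks out 30% of genuine attempts. A vendor's "1 in 500" is the same kind of summary at one operating point; when you evaluate a sensor, ask which point, and at what false rejection cost.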
Despite the possibility of errors, biometrics are much harder to compromise than a password alone: a fingerprint can't be guessed by a dictionary attack, written on a sticky note, or handed to a coworker. One caveat any security engineer will raise, though: a biometric can't be changed. If the stored template leaks, or a sensor is fooled by a copy, you can't issue yourself a new fingerprint, so the templates need at least the protection a password database gets. Many states already use fingerprint technology on driver's licenses, and of course law enforcement has used fingerprints as a means of identifying suspects for many, many years. The U.S. government is using facial recognition, along with fingerprinting, for immigrants and in homeland security applications.
A move away from passwords to more secure authentication methods could help to lower the incidence of identity theft and reduce the threat of break-ins to computer systems and networks. However, some people object to the added inconvenience of carrying around a card or token and to the intrusiveness and/or lack of privacy with biometric methods. Another big factor is the cost of installing all the hardware and software required to use more sophisticated methods.
Tell us what you think. Are passwords passé, or are they good enough? Should we be moving toward a model where a card or token issued by the government or some other centralized authority is required, especially for financial transactions online? Are you uncomfortable with the idea of having your fingerprints or facial structure scanned in order to log onto your network accounts, or would such technology make you feel safer from identity thieves (or both)?
Deb Shinder, MVP