The Rumors are True: Passwords are Dead

During the first quarter of 2013, Evernote, a note taking and archiving software company, experienced a security breach that forced it to reset some 50 million user passwords Many of the big name companies are discovering just that the era the passwords is over.

Image Source: Shutterstock

The End of Single Factor Authentication

When the threat vectors were minimal, simple password authentication was enough. Hackers didn’t have automatic access to password databases and perennial connection the internet was not the norm. Now with the advent of cloud computing, hackers are finding ways to leverage the distributed network model to increase the number of sophisticated intrusion attempts. With a good amount of money behind them, hackers have more incentive to find better ways to get access to personal information.

There are a few ways to manage network passwords. Passwords can be encrypted and saved in a hashed file which is not as vulnerable as plain text but still weak. Random String and Multi Encryptions passes are stronger. The problem with adding a random string is that if the string is too short or used more than once, it’s easily cracked. Multi-encryption means encrypting already encrypted data but there’s a question of just how safe it really is and when a supercomputer can get access to the information. Individually these methods are hackable but in certain combinations, they can provide helpful cover. That’s how the idea of two-factor authentication came to be.

Forms of Multi-factor Authentication

Combining user password with another factor adds another layer of security but it’s got to be the right kind of layer:

Knowledge – What the user knows such as a challenge question based on the users life
Possession – What the user has in his possession such as a hardware token that displays a random code
Inherence – What the user is can be the biometric factor, such as a fingerprint or retinal pattern

What to Consider

While multifactor does offer greater protection, there are a few caveats. Smart cards and biometric solutions are more advanced solutions that require additional assets. The smart cards are relatively inexpensive but like anything else, they can be lost or stolen, which can impede immediate access to a computer network. Biometric authentication does require special hardware but there’s no guarantee that fingerprints can be imitated or that retinal patterns don’t change with age.

Organizations that choose to implement this solution need to ask more than a few questions of vendors. Training of IT staff will need to be handled and if the learning curve is steep, deployment may take longer. Customization of the current network infrastructure needs to be addressed as it is unlikely that these solutions are just “plug and play.” If your industry requires any unique regulatory specifications, this modification will need to address them and work within them. That level of flexibility would probably be a deal-breaker for many businesses. The cost of support and future upgrades need to be integrated into the cost/benefit analysis in addition to knowing what kind of support the vendor will provide.

It’s not going to be an easy change but for industries that are especially vulnerable to potential attacks, multi-factor authentication isn’t the future, it’s now.