Static Passwords: Public Enemy Number One?

Microsoft End to End Trust forum thread: http://social.microsoft.com/Forums/en-US/EndToEndTrust/thread/02246009-e564-4a4d-acd2-8b1b5657170f

AtulShah (Thu, 19 Mar 2009 17:25:22 Z):

Capturing and misusing static passwords to spoof the identity of the victim is an all-too-common component of internet crime. The password might be captured by keystroke logging, a phishing or pharming attack, or by compromising an entire password database.

Consumers have a multitude of online accounts, and most of these accounts require a username and a static password. Rather than struggling with creating and remembering a unique username and password pair for each account, most people resort to reusing a single username/password, making them vulnerable to yet another attack vector: the honeypot.

Human nature prompts us to choose a password that is easy to remember, so many passwords fall to simple dictionary attacks. But even cryptographically strong passwords are vulnerable to keystroke logging or other man-in-the-middle attacks.

Why haven’t more robust authentication solutions replaced the static password? Is it the cost of development/deployment versus the cost of compromised identities? What are the barriers to adoption blocking these more robust alternatives to static passwords? We can’t have all users carry multiple smart cards for two-factor authentication, nor can we expect them to go through hoops every time they want to do something on the internet. So how can we remove these barriers and stop using this prevalent yet vulnerable means of authentication (static passwords)?

Harry Waldron (Wed, 22 Apr 2009 02:49:30 Z):

I agree that passwords aren't the best safeguards for security. Keeping a static password increases the chances of discovery and misuse by anyone who discovers it. As noted above, passwords should be periodically changed (rotated), and they should meet the following test for complexity:

http://www.microsoft.com/protect/yourself/password/checker.mspx

Harry Waldron, Microsoft MVP - Enterprise Security

Marcel Knows Better (Wed, 22 Apr 2009 09:53:39 Z):

The problem with having multiple passwords could very easily be solved with something like OpenID (http://openid.net). This ensures you can use the same ID on all websites that support it. Unfortunately, many major websites don't support it (they say they do, but in reality they don't accept IDs registered elsewhere).

Then, when you have this OpenID, you can easily enhance the security of authentication, for example by using two-factor authentication.

So technically, this problem can be solved. The problem is with the fact that the value (on the stock market) of many dot com companies is based on how many registered users they have (and user data, for targeted advertising), in other words, how many users they "own". Once wise CEOs understand that it does not really matter where the users' passwords are stored, then life for us, users, will be much better and the internet will be a safer place.