I recently read an article on ‘the password is redundant and bankrupt’ here:
While that article does a good job of describing the pitfalls of passwords from a user's perspective, and the exciting potential of future user authentication, there is also an ever-growing list of signs that the password is redundant and becoming more and more inherently insecure from a technological standpoint.
Publicly available, distributed cloud computing services are growing bigger and more powerful almost as fast as botnets across the internet, and Moore's law is kicking in at the same time to boot. Just about everyone now has access to on-demand, pay-as-you-go number-crunching services on a very large scale. Never mind everyone else jumping onto the bitcoin mining wagon these days and building really powerful dedicated number-crunching rigs: how easy would it be for them to install a copy of hashcat alongside (at least on the GPU rigs; a bitcoin ASIC is hard-wired for SHA-256 and useless for anything else)? It's also almost every second day now that you read about another <INSERT ONLINE SERVICE> that has been hacked, and those are only the ones you hear about. On top of that, how many more don't even realise they've been hacked?
Ok, I'll admit maybe that is going a little far, but the threat certainly isn't getting any smaller, and most people nowadays will agree that the traditional password for authentication is redundant, again from a technological perspective, having experienced first hand what it is like to have their <INSERT ONLINE SERVICE ACCOUNTS> hacked and spam sent out to their entire contact list. Maybe this hasn't happened to you yet, but I can almost guarantee you will have received one of these spam emails from someone you know.
Indeed, online theft surpassed physical theft as an industry a while ago. It allows anyone in, oh I don't know, say China or Eastern Europe to easily cross borders and exploit vulnerable online accounts, even committing online identity theft. I have been a victim of this myself (our mortgage provider lost all of our personal, sensitive and original financial documents) and I can tell you it was not fun.
So, as you can imagine, I've been on a bit of a mission recently to enable 2FA, SSL certificates and SSH public key authentication on every public-facing service I use, especially on my own infrastructure. I would hate to fall into this predicament again, and I would strongly encourage you to do the same.
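One thing that bites people who "enable SSH public key authentication" is that on a stock OpenSSH install key login is already enabled; what actually removes passwords from the picture is switching the password and keyboard-interactive methods off. As an added example (this is not code from the original post), here is a small POSIX shell audit that reads an sshd_config and reports the directives that still allow a password login. The two config files it checks are constructed samples; the fallback defaults are OpenSSH's documented ones (PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication default to yes, PermitEmptyPasswords to no, PermitRootLogin to prohibit-password since OpenSSH 7.0). Point it at /etc/ssh/sshd_config on your own hosts.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# directives that decide whether a password can still log in. The sample
# config files further down are constructed for this demonstration.

# Print one "WEAK:" line per offending directive; return 0 if the file
# enforces key-only login, 1 otherwise. sshd honours the FIRST occurrence of a
# keyword, so only the first match is read; a missing keyword falls back to
# the compiled-in default. Everything from the first "Match" block onwards is
# skipped here because those directives apply conditionally and need to be
# reviewed by hand.
sshd_keyonly_audit() {
    conf="$1"
    bad=0
    # rule format is keyword:default:required
    for rule in \
        "PubkeyAuthentication:yes:yes" \
        "PasswordAuthentication:yes:no" \
        "ChallengeResponseAuthentication:yes:no" \
        "PermitEmptyPasswords:no:no" \
        "PermitRootLogin:prohibit-password:prohibit-password"
    do
        key=${rule%%:*}
        rest=${rule#*:}
        default=${rest%%:*}
        required=${rest#*:}
        # global section only (drop from the first Match line to EOF),
        # comments excluded, keyword matched case-insensitively as sshd does
        value=$(sed '/^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/,$d' "$conf" \
            | grep -iE "^[[:space:]]*${key}[[:space:]]+" \
            | head -n 1 | awk '{print tolower($2)}')
        [ -n "$value" ] || value=$default
        ok=0
        case "$key:$value" in
            # "no" is stricter than required; without-password is the old alias
            PermitRootLogin:no|PermitRootLogin:prohibit-password|PermitRootLogin:without-password)
                ok=1 ;;
            *)
                [ "$value" = "$required" ] && ok=1 ;;
        esac
        if [ "$ok" -eq 0 ]; then
            echo "WEAK: $key is '$value' (want '$required')"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample 1: a distro-style default that still accepts passwords.
# Note the commented-out directive: it does nothing, so the default applies.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# Constructed sample 2: keys only, no interactive password prompts at all.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
AuthenticationMethods publickey
EOF

echo "== weak sample =="
sshd_keyonly_audit "$WEAK_CONF" || echo "password login is still possible"
echo "== hardened sample =="
sshd_keyonly_audit "$HARDENED_CONF" && echo "key-only login enforced"
```

After changing sshd_config, run `sshd -t` to syntax-check it and, before closing your existing session, open a second connection and confirm `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@host` is refused; a config that looks right on paper but is never reloaded protects nothing.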