2013
05.04

The password is redundant


I recently read an article on ‘the password is redundant and bankrupt’ here:
http://www.smh.com.au/technology/technology-news/could-facial-recognition-technology-destroy-redundant-and-bankrupt-passwords-20120130-1qp7h.html

Whilst this article does a good job of describing the pitfalls of a traditional password from a user experience perspective and the exciting potential of user authentication for the future there’s also the ever growing list of signs that the password is redundant and becoming more and more inherently insecure from a security stand point.

As more and more services are pushed into the cloud and ‘software as a service’ offerings are increasing and becoming more and more rapidly adopted as well as integrated with each other, so are botnets across the internet, not to mention the exponential growth in phishing/whaling/social engineering spam attacks. What was once script kiddies and curious adolescents in their parents basements has now become organised. Companies now exist in parts of the world where employees are recruited and incentivized (with annual leave and bonuses) to run ‘hacking campaigns.’ It’s also almost every second day now that you read about another <INSERT ONLINE SERVICE> that has been hacked and those are only the ones you hear about, on top of this, how many more don’t even realise they’ve been hacked or will publicly admit this?

Ok, I’ll admit maybe I’m being a little bit paranoid, but if you saw half the web/firewall/security logs I’ve seen, the threat is real and certainly isn’t getting any smaller and most people will agree nowadays that the traditional password for authentication is redundant. Most people by now would’ve experienced either first hand or as a recipient someone who has had their <INSERT ONLINE SERVICE ACCOUNTS> being hacked and spam/phishing email being sent out to their entire contacts address book. Whilst this may not have happened to you yet, I can almost certainly guarantee you would’ve received one of these spam emails from someone you know or perhaps even to someone closer such as your immediate family who might even have personal information of yours. (It happened to my mom in South Africa)

Indeed online theft has surpassed and has been a much bigger industry that physical theft for a while now. It allows anyone anywhere in the world to easily and instantly cross borders and exploit vulnerable online accounts 24hours a day, 7 days a week, stealing information and even committing online identity theft. I have been a victim on this myself (our mortgage provider lost all of our personal, sensitive and original financial documents) I can tell you this was not fun.

As such, as you can imagine I’ve been on a bit of a mission recently to enable 2FA authentication, SSL certificates and SSH public key authentication on any public facing services I now use, especially with regards to my own infrastructure, I would hate to fall into this predicament again and I would strongly encourage you to do the same.

No Comment.

Add Your Comment