What is wrong with passwords?
Passwords exhibit the following problems:
- Lost: Security professionals tell us that passwords should be difficult to remember and should never be written down. An unfortunate consequence of these guidelines is that users forget passwords. A lost password raises two issues: the user cannot access the resources until he receives a new password, and the process of obtaining a new password creates a significant security vulnerability.
- Stolen: When a thief obtains a user's password, he can access the user's resources. Getting a password is not that hard: passwords are written down, they can be guessed through "dictionary attacks", and they can be requested directly from the user or from overly helpful help desk personnel.
- Reused: Many consumers and even some employees ignore the prohibition on reusing passwords. For their convenience they reuse a single password for multiple applications. When a dishonest administrator discovers the password used in one application, he can use it with the other applications. It is a simple way to steal passwords and is a very common security exploit.
- Shared: Both consumers and employees commonly share passwords. Consumers share subscriptions to paid services by sharing passwords. Employees share passwords as a convenience or favor. Sharing passwords increases the likelihood that the password will be stolen. Sharing also reduces revenue for paid services. Shared passwords also make auditing virtually impossible.
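The "Stolen" and "Reused" points above both hinge on someone learning the plaintext password, whether by guessing a dictionary word or by reading it out of an application's account store. The following Python example, added here and not taken from the page or from the Sevan product, shows the two server-side practices that limit that exposure: rejecting passwords found in a weak-password list, and storing only a per-user salted PBKDF2 digest so that an administrator with read access to the store sees neither the password nor whether two users chose the same one. The weak-password list, user names and passwords are constructed sample data; the `PasswordStore` class and its method names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample of a weak-password list; a real deployment would load a
# large breached-password corpus instead of this handful of entries.
WEAK_PASSWORDS = {"password", "letmein", "welcome1", "qwerty", "123456"}

# Work factor for PBKDF2-HMAC-SHA256; higher makes offline guessing slower.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def is_dictionary_word(password: str) -> bool:
    """True if the password appears in the weak-password list (case-insensitive)."""
    return password.lower() in WEAK_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given,
    so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    """Minimal account store that never holds a plaintext password (example class)."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, digest)

    def set_password(self, username: str, password: str) -> None:
        # Block the easy dictionary guesses the page describes.
        if is_dictionary_word(password):
            raise ValueError("password is in the weak-password list")
        self._records[username] = hash_password(password)

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Hash anyway so an unknown user name takes as long as a wrong password.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, expected = record
        _, actual = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, actual)

    def dump(self) -> Dict[str, Tuple[str, str]]:
        """Exactly what an administrator with read access to the store sees."""
        return {u: (s.hex(), d.hex()) for u, (s, d) in self._records.items()}


if __name__ == "__main__":
    store = PasswordStore()
    # Constructed sample: two users who reused the same password across applications.
    store.set_password("alice", "correct horse battery staple")
    store.set_password("bob", "correct horse battery staple")
    for user, (salt_hex, digest_hex) in store.dump().items():
        print(f"{user}: salt={salt_hex} digest={digest_hex}")
    print("alice login:", store.verify("alice", "correct horse battery staple"))
    print("bob wrong password:", store.verify("bob", "letmein"))
```

Note what this does and does not fix: the store no longer reveals plaintext passwords or password reuse to an insider, and dictionary words are refused at enrollment, but nothing here can stop a user from reusing the same password with a different application whose store is weaker; that is the cross-application risk the page's "Reused" item describes.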
Although passwords have these well-known deficiencies, people continue to put up with passwords. Until recently, there was no real alternative; that is, until the Sevan WSA™ web Identity Authentication™ appliance.