Tuesday, March 7, 2006

Back to basics

In Information Systems, there are always trade-offs and contentions. There are also basic "rules of thumb" and best practices. Oh, and let's not forget basic human psychology. The problem is that various "industry leaders" seem to periodically forget these tenets and attempt to introduce something new.

The current in-vogue practice is to declare the use of passwords "old school" and hint that it is the least secure method of protecting your information. Example: Microsoft wants you to switch to token-based authentication, claiming that we should give up using passwords. The truth is that they are only telling you half of the story. What's actually being done is not replacing passwords with token-based authentication: you still need some form of password (PIN, pass phrase, etc.) as part of your login process. Contrary to what the media has interpreted/spouted (yeah, even Gartner), passwords are still there.

If any system claims to be more secure by replacing passwords with such-and-such a method, I don't recommend that you buy/use it. Until such time that biometrics become more accurate (much fewer false positives/negatives) and secure, passwords will remain the foundation upon which to build highly secure control systems (keep in mind that this means: authentication, non-repudiation, and identification). For passwords:

  • there are far fewer control problems
  • inventory and distribution issues don't exist
  • controls over type, length, rotation, etc. are much more flexible
  • there are far fewer false positives than with any other form of authentication (i.e., you don't get in by mistyping your password)

Passwords' major drawbacks are:

  • there are far too many tools built to defeat password-based systems. However, it's the old arms race again: whatever form of authentication is dominant will be the one that is attacked the most.
  • People will take the path of least resistance and use the most easily remembered passwords, which also makes them the most easily guessed. However, there are available controls to counter this problem.
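The "available controls" mentioned above, and the type/length/rotation controls listed earlier, look something like this in practice. This is an added illustration, not code from the post or from any product it names: a policy check for length, character classes, a denylist of common passwords and the username, salted PBKDF2 storage so a stolen database is not a list of plaintext passwords, and a rotation-age check. The thresholds (12 characters, 3 classes, 90 days) and the denylist are constructed for the example; a real deployment would use a breached-password list and its own policy values.

```python
"""Password controls: length, character classes, common-password denylist,
salted hashing, and rotation age. Added example, not the post's own code;
the thresholds and denylist below are constructed for illustration."""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12          # constructed policy value
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, symbol
MAX_AGE_DAYS = 90        # constructed rotation interval
PBKDF2_ITERATIONS = 200_000

# Constructed stand-in for a real list of breached / most-common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")

    lowered = candidate.lower()
    # Substring match catches "Password1!" as well as the bare word.
    if any(common in lowered for common in COMMON_PASSWORDS):
        problems.append("contains a common password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def hash_password(candidate: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; store both salt and digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is older than the rotation interval."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for pw in ("password", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw) or "ok")
    salt, digest = hash_password("Correct-Horse-Battery-9")
    print("verify:", verify_password("Correct-Horse-Battery-9", salt, digest))
    print("rotation due:", rotation_due(date(2005, 12, 1), date(2006, 3, 7)))
```

The denylist and username checks are what actually counter the "easily remembered, easily guessed" problem; length and class rules on their own are easy to satisfy with a predictable pattern. The verify step uses a constant-time comparison so that hash checking does not leak timing information.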

Tokens and biometrics have a long way to go before they replace passwords as the primary form of access control and authentication. Hopefully the hype will fade into background noise shortly.