The Password Isn’t Dead (Yet)
Let’s be clear: the password should be dead, but it isn’t. Most of us still type in several username-and-password combinations that are accepted by the computer we log in to, the websites we visit, and the applications we use. Every once in a while we get lucky, and logging in to one thing – the computer, the smartphone, the tablet – confers logins on other things. It’s those things at the front door we’re most worried about though, aren’t we? The Windows login, the OS X login, the webmail and VPN login, the login to the password manager we’re dutifully using to ensure our passwords are kept safe and secure. Those things would be utterly awful to have compromised because one day someone got the password by hook or by crook.
Protecting assets with passwords is an archaic and risky proposition. We’re prone to forget passwords, so we store them in places where they can be found (I’m looking at you, Post-It-note-stuck-to-the-monitor). We divulge them to others, either out of perceived necessity or without thinking, and often use passwords that are easily cracked if the records of their use fall into the wrong hands. I continue to stumble across spreadsheets kept on network shares full of employees’ usernames and passwords that include things I hope aren’t true. Simply having a password complexity policy does not seem to be enough to thwart users trying to set an easy-to-remember password that is just as easily brute-forced by readily available tools.
The thing to do about all of this is to consider the ways a user can get into your network and make a password only half of what’s needed to get in, or not a part of it at all. This is called “multi-factor authentication,” and it consists of pairing something you know (like a password, or a PIN) with something you have – a smartcard, an SSL certificate, an RFID tag, a smartphone with Bluetooth or NFC, or a USB device like a YubiKey – just to cite a few. Your bank was smart enough to figure this out, and that’s why they want to verify your debit card (something you have) with a PIN (something you know), and that’s also why they probably verified you in some extra way when you tried to log in to your account from a new computer or internet connection.
Simply handing you a new sort of key to open the door to your computer, your VPN connection, your tablet or your website.