Password Is Everything That Is Wrong With Security - PowerPoint PPT Presentation


Password breaches affect thousands if not millions of users. It needs to evolve. We are due for disruption on passwords. – PowerPoint PPT presentation


PASSWORD is Everything That is Wrong with Security
  • Can System Be Manipulated...

We Are Due For Disruption In Passwords
  • Passwords are broken. It's not the technical
    implementation or the business requirements;
    it's the whole concept. It was Fernando Corbató
    who created the concept of the password in the
    1960s. Startups have been talking about
    disruptive technology. It changes the way
    things are done in a given market and can take
    the form of a new technology taking the
    place of an existing one, or a similar product
    that operates in a unique way which can bring
    huge returns for companies.

The Server Side Problem
  • As security professionals, this is what we talk
    about most. How do we accept passwords, encrypt
    them in our databases, and prevent other people
    from stealing them? At Cigital, we have devoted
    everything from blog posts to a computer-based
    training course on how to secure passwords. It's
    hard to do, and even if you do it right, it's only
    half the problem.

The Client Side Problem
  • The Client Side is the polite way to say humans.
    You see, good passwords are hard to remember.
    Since they are hard to remember, they're likely
    to be written down and/or reused on multiple
    systems. If one person doesn't get the Server
    Side Problem right, the attacker finds the
    password on another system and reuses it on yours.

Passwords aren't about good training or beating
people into submission. It's about being
reasonable. And today, passwords are no longer
Back to the starting point, this method is dated.
We're asking users to do the impossible. We
have hundreds of passwords in LastPass. In 1964,
when passwords were created, there were about
20,000 computers in the world. For sure the
creators of the password didn't think of a
use case for having to create and remember 100
passwords per person.
The Assumption Problem
Business Analysts aren't typically tasked with
finding new and easier ways to have their users
authenticate. We make an assumption that one of
the currently accepted standards will be used.
While we may improve the backend security over
time, we're doing almost nothing to improve the
human element.
  • The problem is that we're not thinking about
    fixing the password problem. When a company
    decides to create a new application, they don't
    think about whether to use passwords or try
    something else. (Caveat for companies that use
    single sign-on or OAuth to authenticate against
    other systems which use passwords.)

In fact, in the name of security, we often make it
harder for a user to create and remember
passwords by requiring upper case, lower case, numbers
and special characters, and by continually increasing
the minimum length of the password.
A Way Forward
  • You will be impressed by what Yahoo Mail did when
    they decided to get rid of passwords.
  • If you read carefully, all that Yahoo has done is
    remove the password and instead use a token
    similar to the Google Authenticator or Duo Key.
    Note that while Google has the same technology,
    they still require you to enter a password
    first and then enter the token.
  • In the world of authentication, we break it down
    into three categories:
  • Something you know: a password, your mother's
    maiden name.
  • Something you have: your phone, a token.
  • Something you are: a fingerprint, iris scan.
  • When you pick two from the list, we call it
    two-factor authentication. When we talk about
    passwords, we're talking about something you
    know. Yahoo has swapped out something you know
    for something you have (the app running on your
    phone). While we've reduced the risk that
    someone will steal my password and log in as me,
    we have increased the risk that someone can pick
    up my phone and use my authenticator app.
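The "something you have" token that the slides compare to Google Authenticator is, in those apps, a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226): the phone and the server share a secret, and the code is an HMAC of the current 30-second time step. The block below is an added example written for this page, not Yahoo's or Google's implementation; the secret used is the published RFC 4226 test secret, and the one-step acceptance window is an assumption chosen to tolerate clock drift.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # time step used by Google Authenticator style apps
DIGITS = 6

# RFC 4226 / RFC 6238 test secret, "12345678901234567890", in the Base32 form
# that authenticator apps accept from a QR code. Not a real credential.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the code for the current step or `window` steps either side.

    The server never needs the phone; it only needs the shared secret and a clock.
    That is exactly why losing the phone (or the secret) is the new risk the
    slides point out: whoever holds the secret can produce valid codes.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    secret = base64.b32decode(secret_b32.upper())
    counter = at_time // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed walk-through at the RFC 6238 reference time t = 59 seconds.
    t = 59
    code = totp(RFC_TEST_SECRET_B32, t)          # what the phone would display
    print("phone shows:", code)
    print("server accepts now:", verify_totp(RFC_TEST_SECRET_B32, code, t))
    print("server accepts 60s later:", verify_totp(RFC_TEST_SECRET_B32, code, t + 60))
```

A real deployment would also remember which time step a code was last accepted in, so the same code cannot be replayed within the window; that bookkeeping is omitted here to keep the factor itself visible.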

Passwords Need To Evolve
Password breaches affect thousands if not
millions of users, while stealing someone's phone
affects one user. It is not suggested that this
is the way every organization should go. It is
merely implied that we should rethink our
assumptions around passwords. For many
industries, this won't be easy. Regulators are
very comfortable with passwords (even though they
probably shouldn't be). Chief Risk Officers and
Internal Auditors likely aren't excited about
this type of change. Passwords need to evolve.
Until we as an industry help the evolution, we
will be stuck with hundreds of passwords to remember, or
one because we reuse it everywhere.
  • Jay Schulman is an Information Security
    Consultant living in Chicago who loves to talk
    and write. He is currently working at Cigital and
    has 17 years of experience in information
    security. Join him in his weekly podcast as he
    discusses how to Build A Life and Career in