The recent Gawker breach, subsequent impacts, and response measures act as a reminder that continued reliance on out-dated authentication methods greatly enhances the threat of cascading security impacts.
Why so? Four basic reasons are at play:
1. Users value and increasingly expect the convenience of using a prime email address as their account id when faced with a vast number of sites/resources that they wish to access.
2. While some users do employ "cast-off" passwords for non-critical web-resources, the most pessimistic (and therefore most likely correct) view is that a large percentage of users employ a "personal ubiquitous password" everywhere they can. This password is invariably weak and often easy to crack.
3. With these ubiquitous passwords widely in use, the overall security of a collection of accounts can become transitive. It only takes one resource provider with lax security to jeopardize the entire chain.
4. Last but definitely not least, continued reliance on archaic "what you know" single-factor authentication makes this all so much easier. The bar is so low there really isn't any mitigation of risk when faced with reality #1, #2, and #3 and a password dump incident.
Why Password Management Practices Are Poor
Users want a simple, easy, and secure method for accessing their online web resources that doesn't require that they have an eidetic memory or that they have to take time to learning mnemonic methods (i know..it isn't that hard but still...). The truth is that fear of losing/forgetting credentials is greater for most users/customers than their concern over the potential for their accounts to be breached. So lowering the future risk to end-users from large scale password dumps is really a challenge of lessing anxiety over forgetting passwords along with increasing awareness of end-game impacts from poor password management.
Unfortunately, the latter stratagem of enhancing awareness and concern hasn't gotten us too far. In truth some elements of "security dogma" probably need to be re-examined and contextualized. To move us forward, greater effort needs to be focused on placing pragmatic password management methods/tools alongside out-of-band backup/recovery options which ease concern over losing access to online resources through forgotten credentials.
When people are more comfortable with the idea that they aren't going to lock themselves out of their accounts, then adoption of better practices can become a reality.
Post a Comment