The news this week that Last Pass has suffered a security breach is a reminder of why I am not a fan of the password vaults currently on the market.
Password vaults serve one purpose only and that is to make it easier for people to store their login
credentials centrally. They are not about making those credentials more secure. Yes, you will see marketing materials talking about encryption and the like, but at the end of the day all you are doing is consolidating your passwords and ‘securing’ them with just one master code.
People buy in to password vaults for convenience in fact Last Pass has the tagline ‘The last password you’ll ever need’. It is essentially the same as storing all your credit, debit and store cards, along with your driving licence and cash in a wallet. It seems like a great idea until it gets stolen.
For me, the root cause of the problem isn’t the password vault itself, but the password. Most of us tend to see the login screen as an obstacle that stands in the way of us doing what it is that we want to do. Anything that makes it quicker and easier to get through the process is welcomed with open arms. To illustrate my point, how many of you click the ‘remember this password’ when given the opportunity? I know I have.If we are being honest most of us are willing to make some form of trade-off between security and convenience, but we should not be expected to do so. Passwords continue to haunt our lives because organisations decide to enforce their use, and in most instances it is because they do so as they don’t know what else to do. As security professionals, it is our role to give these organisation choices, show them that there is a better way and crucially, put forward a compelling business case that will drive lasting change.
At the same time Last Pass has been hitting the headlines this week, so too has Tripwire for its attempt to solve the problem using Emojis. As a marking gimmick it has certainly succeeded in grabbing attention, and they seem to be heading in the right direction by trying to make login credentials easier to remember and leveraging the capabilities of mobile devices. But could such a solution viably replace every website, mobile app or corporate network that currently uses a password? Emojis might appeal to millennials logging on to a social forum, but would a silver surfer feel comfortable using them for their online banking? It may well be more secure than a password but I can’t imagine entering: smiley face, sad face, birthday cake and love heart to authorise a transaction from my corporate bank account!
Meanwhile, at the other end of the scale biometrics are promising to change the world, but unless you are a large bank with money to burn it is pretty much out of reach, and even then you have the issue of standardising on a biometric. This is the big challenge we as an industry face if we are going to replace something as ubiquitous as a password. We need to find something that has the potential to be just as ubiquitous in the future, otherwise, we will be stuck in the same old rut. There are more and more cybersecurity companies trying to find these alternatives, such as companies building Behavioral Biometrics to continue to record behavior and keystrokes when going through authentication processes, the aim of this intelligent system is to further secure private log-ins by learning the behavior of the owner, therefore hopefully locking out any threats that don’t meet the owners behavior.