cyber-thiefThe history of the use of passwords is long and rich. We can imagine a Roman sentry standing in rainy mist challenging a shape looming out of the darkness. But the use of passwords may well have started long before Rome ruled its empire. Perhaps the most remembered password in history is “Open Sesame,” the key to opening the cave where 40 thieves have hidden their treasure. Today, far more thieves are stealing passwords to get to the treasure. Now when we think of passwords, we generally associate them with computers. The first computer password is assumed to have been used at the Massachusetts Institute of Technology in the early 1960’s. It should not be altogether surprising that shortly thereafter came the first documented case of password theft. A researcher, frustrated by the limited amount of computer time he’d been allotted, found a way to print out all of the passwords stored on the system. He then used the purloined passwords to expand his time on the computer, and apparently shared them with several of his contemporaries.

CNBC just offered a commentary by Michael Chertoff, former head of Homeland Security, in which he wrote “A closer examination of major breaches reveals a common theme: In every “major headline” breach, the attack vector has been the common password. The reason is simple: The password is by far the weakest link in cybersecurity today.” In support of that perspective Verizon’s 2016 Data Breach Investigations Report says 63 percent of confirmed data breaches involved weak or stolen passwords.

The single biggest shortcoming in reliance on passwords is innate laziness. In an ever more complicated world most people simply do not want to make their passwords challenging (12345 anyone? Password?). We also store them in easily accessible word documents, willingly share them, constantly re-use them, and only reluctantly change them.

In 2004, Bill Gates declared the password dead. What ensued must surely be one of the longer wakes in history. The password has yet to be buried, but we are gradually moving toward systems that may not eliminate the password, but will buttress it with a layered defense. The trend toward multifactor authentication uses an approach based on what the user knows— the password, together with something the user has, like a security token, and perhaps even who the user is, based on biometric verification.
Long live password plus.

By Tom Davis, SDI Cyber Risk Practice
October 11, 2016