07 May The Password Must Go
The world is full of good ideas and inventions that reflect the time when they surfaced. Only later do we discover that they were actually very bad ones. Tobacco was something back in the day – until we discovered that it causes lung cancer and plenty of other problems. 100 or so years ago it wasn’t uncommon to placate your child with a drug that included heroin. In the early era of computers someone had to come up with a way to keep something secret in a computer shared with many. The password was born – something that (supposedly) only you know. Now is the time for the password to go the way of the Dodo.
If you are in any way involved with the Internet, you must realise that your password has been compromised at least once. The wide-ranging “oops” of Yahoo, LinkedIn and now Twitter have put your very secret jumble of letters, numbers and special characters in jeopardy. The secret is out – at least that one secret. And as people tend to gravitate toward convenience, this one secret has been reused in other places. Who can memorize all the different passwords we have in our private and professional lives? No one, except perhaps a password manager – a software component designed for storing passwords. So – reuse will be the MO for most end users.
Economic impact of a password based authentication
Ok, I have quite a few viewpoints on how the password is hurting our economy. And it truly surprises me that we still haven’t seen a globally accepted replacement for this technology that was invented decades ago. Yes, we’ve seen attempts by e.g. governments issuing electronic ID cards to their citizens – Finland was the first one, and since the launch of the eID in 1999 the number of active users still remains very low. PKI (Public Key Infrastructure) was all the rage in the early 2000’s and multiple countries launched their eID programs. So far only Estonia has been able to pull it off like a champion. But what are the real impacts on our economy of not heeding “the password must go”?
Didn’t see this coming, did you? Let’s go through this using an example very familiar to me: Italian food. It’s absolutely amazing when you are visiting the country. But if you stay there for more than 6 months it begins to make you sick to your stomach – not literally. You just get bored of it all being the same. The password is the entry into your services, and everyone is using one form or another of the password (here I also include social media identities like FB logins). Because it was already used in Roman times? In the world of all-mobile, where do we stand? The password is the poorest of choices to implement if you’re building an omni-channel strategy – embracing your customers through web and mobile. A viable alternative is needed (and there are some very good choices, BTW).
The inability to get out of the password trench will also prevent you from developing new online services for your customers or citizens. If you think that you cannot put your idea into reality because passwords (or social media identities) are not enough to protect your services, you should investigate – there are plenty of alternatives out there, even for global enterprises.
Plenty of studies out there tell you that yet another registration form with a new password is the quickest way to lose a visitor come check-out time. Yes, you can convert a visitor using a social media identity, but is that the best of your options? So far, social media identities are just password-based, non-vetted identities and in practice, until you get hold of a valid credit card number, almost useless. But not completely, as they still work as a convenient first-step conversion tool.
In a B2B case it’s the same, if not worse. If you are seeking an outsourced / cloud service for your business and the first provider offers Single Sign-On from your own network to their services while the second will require every new user / employee of yours to create a new identity and password… Which will you choose? Consider this question if you are providing an outsourced / cloud service to your business customers. Are you losing to competitors?
A simple fact – if someone else stores your secret, you’ll lose it. All the biggest breaches thus far have been about password databases being hacked into. My own secret has been pwned twice. (See Wikipedia for “pwned”.) In total, the Yahoo, LinkedIn and Twitter compromises are substantial. So – it would be safe to assume all Internet users have been pwned at one time or another. Depending on whether you’ve reused the secret, being pwned might be negligible – just an annoyance really, as you might have to change your password in 1-2 other services. But it might also create long-lasting problems for you. This is highly dependent on what kind of authentication your sensitive services use. Think of online banking, insurance, utilities, healthcare – and whether you reused your secret because the provider didn’t offer proper authentication alternatives. If your provider uses this weakest of the weak authentication (the password), you might be in real trouble. For these types of services the password must go – now, please? Identity theft is a direct impact on your own economy – but also on service providers, who suffer losses through tarnished reputation, loss of customers and much more. Bad enough – it can end the business.
The password must go – but why hasn’t it?
Like bloodletting and tobacco, passwords have enjoyed decades of being good for you. Now the evidence is out there – they are not. If you go to a doctor with the flu and the doc suggests that it’s time to let the bad blood out of you and takes out a sharp needle and several suction cups, you’d run. I hope. So, why is it still ok for online services to go medieval on their own customers?
And my catch – to learn how companies have overcome this burden, gone from 0 digital to 100 digital with amazing success, how the regulatory landscape is pushing all of us towards strong authentication, and more importantly, what other alternatives are out there: come here: