Idiots, Passwords, Luggage, and SaaS

It’s just three weeks into 2014, and we have yet another sobering reminder of the sad state of password security. Ars Technica was quick on the draw with the perfect response to a newly revised list of common passwords posted by SplashData, a popular password manager provider. It seems the ultimate stupidity of using the word password as a password has quite literally been replaced with what an idiot, more or less, would use on their luggage, except with a whole extra digit thrown in for good measure. Of course, this isn’t a revelation of any sort: prior breaches such as RockYou, way back in 2010, led to similar conclusions. So there’s a healthy population of idiots with plenty of luggage out there, along with quite a few devout fans of monkeys and princesses, or perhaps monkey princesses. With the explosion of cloud Software as a Service (SaaS) and the geometric growth in the number of credentials any given individual holds across personal and work life, the problem will no doubt get worse before it gets better. It’s the challenge of enterprise Single Sign On (SSO) all over again. Or is it?

The SplashData announcement on its own will likely sell a few more password managers for them, and that’s not a bad thing. If you’re not already using a password manager, you need to be. Right now: you have 20 seconds to comply. Think you don’t need one because your mnemonic brilliance has devised a particularly devious family of unique passwords? You’d better think again, Johnny. CorrectHorseBatteryStaple will not save you forever. Cracking attacks have grown in sophistication, with candidate-generation rules patterned after human behavior and fueled by increasingly impressive rigs built for highly parallel brute-force processing. Dan Goodin of Ars Technica said it best:
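Two of the points above translate directly into a check that a signup or password-change form can run: reject anything on the common-password list, including the "extra digit" variants and the counting sequences that belong on luggage, and credit a passphrase built from dictionary words with word-level entropy rather than per-character entropy, which is why CorrectHorseBatteryStaple is worth far less than its 25 characters suggest. The Python below is an added example, not code from the post, SplashData or Ars Technica; its denylist and 16-word dictionary are constructed stand-ins for the multi-million-entry breach corpora and word lists a real deployment would load.

```python
import math
import re

# Constructed sample denylist. The post names password, 123456, monkey and
# princess as list-toppers; the rest is filler. A real check loads a breached
# password corpus with millions of entries, not ten strings.
COMMON_PASSWORDS = {
    "123456", "12345", "password", "qwerty", "monkey", "princess",
    "letmein", "iloveyou", "abc123", "111111",
}

# Constructed 16-word dictionary standing in for a real word list. Each word is
# worth log2(16) = 4 bits here; with a real ~2048-word list it would be 11.
WORDLIST = {
    "correct", "horse", "battery", "staple", "monkey", "princess",
    "dragon", "shadow", "summer", "winter", "coffee", "latte",
    "cloud", "luggage", "rocket", "planet",
}

DIGITS = "0123456789"


def is_common(pw: str) -> bool:
    """True if pw, or pw with its 'extra digit thrown in' removed, is on the
    denylist, or if it is a counting sequence like 12345 or 654321."""
    base = pw.lower()
    variants = {base, base.rstrip(DIGITS), base.lstrip(DIGITS)}
    if any(v and v in COMMON_PASSWORDS for v in variants):
        return True
    if base.isdigit() and len(base) >= 4:
        steps = {(int(b) - int(a)) % 10 for a, b in zip(base, base[1:])}
        if steps == {1} or steps == {9}:   # +1 per digit, or -1 per digit
            return True
    return False


def segment_words(pw: str):
    """Split pw (case-insensitively) into the fewest dictionary words, or
    return None if it cannot be built from dictionary words alone."""
    s = pw.lower()
    best = [None] * (len(s) + 1)
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in WORDLIST:
                cand = best[start] + [s[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(s)] if s else None


def naive_entropy_bits(pw: str) -> float:
    """Entropy if every character were an independent random pick from the
    character classes present: what a simple strength meter reports."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33   # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


def estimated_entropy_bits(pw: str) -> float:
    """Dictionary-aware estimate: a passphrase is as strong as its word count
    times the list size, however many characters it happens to contain."""
    words = segment_words(pw)
    if words:
        return len(words) * math.log2(len(WORDLIST))
    return naive_entropy_bits(pw)


def assess(pw: str, min_bits: float = 60.0) -> dict:
    """Accept/reject decision a signup form could apply, with the reason."""
    if is_common(pw):
        return {"accept": False, "bits": 0.0, "reason": "on common-password list"}
    bits = estimated_entropy_bits(pw)
    if bits < min_bits:
        return {"accept": False, "bits": bits,
                "reason": f"estimated {bits:.1f} bits, below {min_bits:.0f}"}
    return {"accept": True, "bits": bits, "reason": "ok"}


if __name__ == "__main__":
    for candidate in ["123456", "Password1", "CorrectHorseBatteryStaple",
                      "g7Qx!pLm2vRz9Ks#"]:
        print(f"{candidate:28s} naive={naive_entropy_bits(candidate):6.1f} "
              f"bits  -> {assess(candidate)}")
```

Run stand-alone it prints the four verdicts; the instructive line is CorrectHorseBatteryStaple, which a character-count meter scores at roughly 140 bits while the dictionary-aware estimate gives 4 words times log2(dictionary size), so the decision hinges entirely on how big the word list is and whether the attacker has it.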

“The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.”

I personally have substantial respect for KeePass, especially considering it’s cheap as free. But it’s not without its share of pain, not because of the interface but because of the extremely high variability in what counts as an acceptable password across any number of sites and applications. With each new SaaS that pops up on the market, it seems there’s a new set of special-character exemptions I need to account for. Not a problem for a studious engineer determined to maintain a robust credential solution, but another layer of complexity that the idiot with his luggage can’t be bothered with.
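The per-site variability described above is exactly what a password manager's generator has to absorb: one site takes any punctuation, another takes none, a third insists on all four character classes within a short maximum length. The Python below is an added example, not KeePass code or any manager's actual generator; `SitePolicy` and the three policies in `POLICIES` are a hypothetical model of such rules, constructed for illustration. It draws uniformly from the site's allowed alphabet with the `secrets` module and keeps only draws that pass the site's own acceptance test, which preserves uniformity over the accepted strings rather than patching a failed draw into compliance.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SitePolicy:
    """One site's password rules (hypothetical model; real sites publish
    their rules in prose, and they differ in exactly the ways described)."""
    name: str
    min_len: int
    max_len: int
    specials: str             # the exact special characters this site accepts
    require_classes: int = 3  # how many of lower/upper/digit/special must appear


def allowed_alphabet(policy: SitePolicy) -> str:
    return string.ascii_letters + string.digits + policy.specials


def classes_present(pw: str, policy: SitePolicy) -> int:
    groups = (string.ascii_lowercase, string.ascii_uppercase,
              string.digits, policy.specials)
    return sum(1 for g in groups if g and any(c in g for c in pw))


def satisfies(pw: str, policy: SitePolicy) -> bool:
    """The acceptance test the site's own form would apply."""
    if not policy.min_len <= len(pw) <= policy.max_len:
        return False
    if any(c not in allowed_alphabet(policy) for c in pw):
        return False
    return classes_present(pw, policy) >= policy.require_classes


def generate(policy: SitePolicy, length: Optional[int] = None,
             max_tries: int = 1000) -> str:
    """Rejection sampling: draw a uniformly random string from the site's
    alphabet and keep the first draw that passes the site's own rules."""
    available = 3 + (1 if policy.specials else 0)
    if policy.require_classes > available:
        raise ValueError(f"{policy.name}: policy cannot be satisfied")
    if length is None:
        # use the room the site gives, but do not go below 20 unless forced
        length = min(policy.max_len, max(policy.min_len, 20))
    alphabet = allowed_alphabet(policy)
    for _ in range(max_tries):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(pw, policy):
            return pw
    raise RuntimeError(f"{policy.name}: no acceptable draw in {max_tries} tries")


def entropy_bits(policy: SitePolicy, length: int) -> float:
    """Entropy of a uniform length-n draw from this site's alphabet."""
    return length * math.log2(len(allowed_alphabet(policy)))


# Constructed examples of the variability described above.
POLICIES = [
    SitePolicy("crm-saas", 8, 64, "!@#$%^&*()-_=+"),
    SitePolicy("legacy-erp", 8, 12, ""),           # no specials accepted at all
    SitePolicy("bank-portal", 10, 20, "!@#", 4),   # three specials, all 4 classes
]

if __name__ == "__main__":
    for policy in POLICIES:
        pw = generate(policy)
        print(f"{policy.name:12s} {pw:22s} {entropy_bits(policy, len(pw)):5.1f} bits")
```

The `entropy_bits` figure makes the cost of a restrictive policy visible: the twelve-character, no-specials site caps every password at about 71 bits no matter how good the generator is, while the site that allows 64 characters gets well over 100 bits from a 20-character draw.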

The problem of managing credentials across a number of federated systems is an old enterprise problem, seemingly answered by SSO. Up until the cloud revolution, most of the federated systems were of the old monolithic variety, i.e. things like SAP, PeopleSoft, and Teamcenter. Each aspired to take over the business but learned to coexist through market necessity, which prompted building in SSO capability. It was a simple answer to the obvious problem of too many people wasting too much time logging into too many portals. Of course, SSO had a disadvantage in that a compromised master password could do considerably more damage. So SSO was often paired with second-factor authentication, smart ID cards and such.

Fast forward to today in Cloudsdale. SaaS solutions are multiplying like tribbles, each complete with its own login, but most don’t speak any standard SSO protocol. Users are faced with more logins than they can reasonably deal with. A number of SaaS SSO solutions (how’s that for a tongue twister?) have emerged, like Okta, OneLogin, Centrify, and PingOne. But only around 25% of SaaS applications are designed with SSO in mind, so in many cases these solutions default to being yet another password vault.

Layer this problem on top of the shorter password lifetimes driven by overzealous IT departments demanding 30-day password rollovers, and it quickly becomes a perfect storm that drives users to either A. cut corners where they can or B. waste a lot of time managing various complex passwords. There has to be a better way. Meanwhile, plenty of idiots are getting away with 123456 wherever they can.

It’s clear that the password dilemma is an arms race.  If that’s the case, then what’s the nuclear option?  Many thought biometrics would be just that, imagining a future of retinal scans and fingerprinting every time you ordered a latte or tried to access all files on Project Genesis.  But unfortunately, there’s a catch.  It’s easy to reset your password.  Resetting your retina or your fingerprints… that will probably hurt a bit.  So if you think about it, it is the nuclear option.  To wit, Dave Aitel wrote in USA Today:

“As Deloitte & Touche researchers noted way back in 2006, spoofing a person’s biometrics, particularly fingerprints (using lifted prints on gummy bears), is a legitimate threat. However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised.”

So yes, biometrics can’t solve everything, so the nuclear option is out. Is there a good alternative that’s not quite so nuclear, sort of an orbital ion cannon type of solution? Not yet, but you can bet many are working on that right now. My guess: multi-factor authentication with at least one factor being something added to your person, either surgically or something you swallow, such that it is still replaceable. Sound scary? You bet. I’d love to hear your ideas in the comments.

In the meantime, make sure any idiots out there change the combination on their luggage.