Are passwords dead? Still? Really? No kidding?
Tuesday, March 25, 2014 at 10:06AM
Jeff the IAM Guy in passwords dead, multi-factor, cracking
I'm in a writing group at my library. The group brings their brilliance a couple of times a month and we critique each other, and it's a wonderful thing. Even a part-time novelist like me can always use tips and hints.
We also trade the wisdom from very successful writers we like. Recently, one of our members brought up something I first heard in high school: never start a story with "the alarm clock rang." It's been DONE. Whatever clever thing you think you're inventing has been done to death. Whenever you think you're being original, try harder. 
So it's gotten very annoying to read, over and over and over, articles entitled "The password is dead." Everybody thinks they're being clever, apparently. An old friend of mine just gave a talk on "passwords are dead" in the UK. When I heard, I thought, oh crap, him too.
It's time to move on. In fact, I'm going to provide encouragement here to do so, by summarizing what all these articles say. Save yourself the time. Here we go.
We get it. Yes, passwords are easy to hack. Keyloggers steal the creds as you use them. Cracking programs figure them out (a three-strikes lockout only slows down online guessing against the live login page; once a copy of the password hashes leaks, the cracker runs offline at full speed and no lockout applies). Reused passwords and linked accounts mean a single compromised account can compromise ALL your accounts, including Facebook, Twitter, email, your bank, etc.
Observe some best practices:
Get yourself an email account for password resets that isn't your usual one. I have one just for registering for junk that might end up turning into spambot targets. And don't make it first-dot-lastname. Make it something stupid and random.
Don't use real answers for your security question. Mother's maiden name is a FINE question, as long as the answer you provide is something else entirely. Remember, a 2008 vice-presidential candidate's email got hacked because somebody clicked on Forgot Password and provided the easily-Googled answers.
Don't use common words, your spouse's name, your kid's name, your favorite sports team as your password. Those are the first entries in every cracking wordlist.
Don't keep using the same passwords over and over. When your password expires, don't go back to it. EVER. And don't use the same password on two sites.
Keep passwords long. Each additional character multiplies the search space by the size of the character set (about 95 for printable ASCII, so roughly two orders of magnitude per character), which does more for you than swapping an "o" for a "0."
As an enterprise, consider multi-factor authentication. A second factor the user has (a token, a phone) is the real win, but even weaker signals such as IP address and device fingerprint, evaluated alongside the credentials, raise the bar for an attacker who only has the password. 
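Two of the points above are worth seeing side by side in code: a three-strikes lockout only bites when the server is in the loop, and length buys far more than ten-fold per character. The block below is an added example written for this page, not the author's code; the user record, the wordlist and the "leaked" hash are all constructed for the demo, and the hash parameters are illustrative choices.

```python
"""Added example (not from the original post): online lockout vs. offline
cracking, and what each extra password character actually buys.

All data here is constructed: the wordlist, the user record and the
'leaked' hashes are made up for illustration.
"""

import hashlib
import math
import os
import secrets

# A stand-in for the top of a real cracking wordlist (constructed).
WORDLIST = ["123456", "password", "letmein", "Broncos2014", "fluffy", "Summer14!"]

# Deliberately slow, salted hashing for the 'do it right' side of the comparison.
PBKDF2_ITERATIONS = 200_000


def search_space_bits(length, charset_size=95):
    """Bits of entropy in a uniformly random password of `length` characters
    drawn from `charset_size` symbols (95 = printable ASCII).  Each added
    character adds log2(charset_size) bits, i.e. multiplies the keyspace by
    charset_size, which for 95 symbols is closer to 100x than 10x."""
    return length * math.log2(charset_size)


def online_guess(store, username, attempt, max_failures=3):
    """Server-side login check with a three-strikes lockout.  This control
    works only because the server counts the failures; an attacker holding
    a copy of the hashes never talks to it."""
    record = store[username]
    if record["failures"] >= max_failures:
        return "locked"
    if secrets.compare_digest(record["password"], attempt):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    return "bad"


def crack_unsalted_sha256(leaked_hex, wordlist=WORDLIST):
    """Offline dictionary attack on a leaked unsalted SHA-256 hash.
    No server, no lockout: every candidate costs one cheap hash."""
    for candidate in wordlist:
        if hashlib.sha256(candidate.encode()).hexdigest() == leaked_hex:
            return candidate
    return None


def pbkdf2_hash(password, salt=None):
    """Salted, iterated hash as a site should store it.  It does not save a
    password that is in the wordlist, but each guess now costs 200k SHA-256
    rounds instead of one, and the per-user salt kills precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def crack_pbkdf2(salt, digest, wordlist=WORDLIST):
    """Same dictionary attack against the slow hash: still finds weak
    passwords, just many orders of magnitude slower per guess."""
    for candidate in wordlist:
        guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
        if secrets.compare_digest(guess, digest):
            return candidate
    return None


if __name__ == "__main__":
    # Online: three wrong guesses and even the right password is refused.
    users = {"jeff": {"password": "Broncos2014", "failures": 0}}
    for guess in ["123456", "password", "letmein", "Broncos2014"]:
        print(f"online guess {guess!r}: {online_guess(users, 'jeff', guess)}")

    # Offline: the lockout never enters the picture.
    leaked = hashlib.sha256(b"Broncos2014").hexdigest()
    print("offline SHA-256 crack:", crack_unsalted_sha256(leaked))

    salt, digest = pbkdf2_hash("Broncos2014")
    print("offline PBKDF2 crack (slower, same result):", crack_pbkdf2(salt, digest))

    for n in (8, 9, 12):
        print(f"{n} random printable chars: {search_space_bits(n):.1f} bits")
```

Run it and the lockout refuses the fourth, correct guess while the offline loop recovers the same password from the same wordlist in both hash schemes; the only thing the slow hash changes is the cost per guess, which is why length, not a lockout policy, is what protects a leaked hash.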
There, all done. 
Article originally appeared on Identity and Access Management Framework Book (http://identityaccessmanagementframework.com/).