Passwords are Dead. Bury Them. Throw Away the Shovel.

by George Peabody

Are We Listening?

No one wants to listen to a Cassandra. And Chicken Little is easy to dismiss. But if you've been sentient during 2011 you already know that the security sky is falling. Many of us have breach fatigue. We just yawn about yet another 200,000 or 100 million compromised accounts. It's always someone else's problem. Until it becomes our own. And given the recent pace (Sony, 100 million plus; Citi, 200,000; Epsilon, 100 million plus), it'll be hard to avoid the bad actors.

Information security is about layers, applied in combinations chosen by risk and cost, that together gauge the likelihood that a given transaction is fraudulent. Today's layers have two problems: we employ too few of them, and those we have may carry fatal flaws.

RSA's SecurID token scheme has been compromised. Since RSA Security's intellectual property was stolen, attackers have used that knowledge to go after military contractor Lockheed Martin. RSA is now reissuing 40 million SecurID tokens to its security-conscious customers, including major and minor financial institutions. Between RSA's inability to protect its own assets and its leisurely response to the theft, confidence in its value as a security vendor has to be rattled.

Really, Really Dead

But, at the most fundamental level, we still rely on a computer security approach that goes back to the dawn of time: user IDs and passwords. Since that Period of Cretaceous Computing, we've been admonished to change our passwords frequently and to use increasingly complex passwords, composed of six or more characters, upper and lower case, numbers, and special characters. All that has done is create a memory test for most of us and an increase in Post-It Note sales, where we write down these digital skeleton keys.

Recent research demonstrates how futile our reliance on passwords has become. "Brute force" attacks that try every combination of characters to "guess" a password have long been common but not especially effective, because the computing power required to run through all those combinations was comparatively slow and expensive. Brute force attacks conducted on a desktop CPU are still of the slow and expensive variety, but a newer approach using inexpensive GPUs (graphics processing units) is fast and cheap. A garden variety GPU, a desktop add-in card sold for gaming, costs no more than $200. The CPU tries 9.8 million passwords per second. The GPU tries 3.3 billion passwords per second. The results are remarkable. One caveat: rates like these apply to offline attacks, where the attacker already holds a stolen copy of the password hashes and can guess without limit; an online login form that throttles or locks accounts never exposes anything close to that many attempts, and the per-guess cost rises sharply if the hashes were computed with a deliberately slow password hash rather than a fast one.

CPU vs. GPU Speeds
Password length    Sample    CPU (9.8 million/s)    GPU (3.3 billion/s)
Five characters    fjR8n     24 seconds             Under one second
Six characters     pYDbl6    1 hour, 30 minutes     4 seconds
Seven characters   fhOGH5h   4 days                 17.5 minutes
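The table above is the output of an attack, not a formula, so it helps to see where the numbers come from. The following is an added example, not code from the article or from the research it cites. It computes the worst-case exhaustive search time for a given alphabet and length at the two guess rates the article quotes, and it runs a small offline brute-force attack against a constructed, unsalted SHA-256 digest to show what "trying every combination against a stolen hash" actually means. The alphabet sizes (26, 62 and 94 symbols) and the sample password are my assumptions; the rates are the article's. With a 62-symbol alphabet the seven-character row comes out near the table's figures (about 4.2 days on the CPU, about 17.8 minutes on the GPU).

```python
import hashlib
import itertools
import string
import time

# Guess rates quoted in the article, in guesses per second.
CPU_RATE = 9.8e6
GPU_RATE = 3.3e9

# Assumed alphabets: the article's "upper and lower case, numbers, and
# special characters" advice maps to the 62- and 94-symbol sets below.
LOWER = string.ascii_lowercase                   # 26 symbols
ALNUM = string.ascii_letters + string.digits     # 62 symbols
ALNUM_SPECIAL = ALNUM + string.punctuation       # 94 symbols


def keyspace(alphabet_size, length):
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def exhaustive_seconds(alphabet_size, length, rate):
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def projection(lengths=(5, 6, 7), alphabet=ALNUM):
    """Worst-case (CPU seconds, GPU seconds) for each length at the article's rates."""
    n = len(alphabet)
    return {length: (exhaustive_seconds(n, length, CPU_RATE),
                     exhaustive_seconds(n, length, GPU_RATE))
            for length in lengths}


def digest_of(password, hash_name="sha256"):
    """Hash a password the way a fast, salt-free credential store would."""
    return hashlib.new(hash_name, password.encode()).hexdigest()


def brute_force(target_digest, alphabet, max_length, hash_name="sha256"):
    """Offline attack: hash every string of 1..max_length symbols and compare
    it with a stolen digest. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for length in range(1, max_length + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            guesses += 1
            password = "".join(candidate)
            if digest_of(password, hash_name) == target_digest:
                return password, guesses
    return None, guesses


def human(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    print("Worst-case exhaustive search, 62-symbol alphabet:")
    for length, (cpu, gpu) in projection().items():
        print(f"  {length} chars: CPU {human(cpu):>14}   GPU {human(gpu):>14}")
    print("Same lengths, 94-symbol alphabet (specials added):")
    for length, (cpu, gpu) in projection(alphabet=ALNUM_SPECIAL).items():
        print(f"  {length} chars: CPU {human(cpu):>14}   GPU {human(gpu):>14}")

    # Constructed target: a four-letter lowercase password, hashed without salt.
    stolen = digest_of("dawn")
    start = time.perf_counter()
    found, guesses = brute_force(stolen, LOWER, 4)
    elapsed = time.perf_counter() - start
    print(f"Recovered {found!r} after {guesses:,} guesses "
          f"({guesses / elapsed:,.0f} guesses/s on this machine).")
```

The measured rate from the last line is the pure-Python figure, orders of magnitude below a native CPU cracker and further still below the GPU rate, but the shape of the attack is the same: the cost per guess is fixed by the hash the credential store chose, and the number of guesses is fixed by alphabet size and length. Raising either one buys time; only the first is under the defender's control once a password has been chosen.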

We Need More

Yes, you can argue that complex passwords can be remembered without writing them down on slips of paper. You can argue that login servers should lock users out after three incorrect attempts, and that stronger and more elegant password schemes exist. But the fact is that few of us have them or employ them, particularly in the small and medium business world that is now getting equal attention from the hackers.

In other words, we need far more to protect our banking credentials and data. Hardware at the edge, in the form of NFC-equipped handsets, edge-authenticated biometrics, and much deeper data encryption are among the places to start.

At some point, we have to stop kidding ourselves. This is a systemic problem. What size of wake-up call do we need? And even if that alarm rings loud enough, how do we respond? What we're doing is clearly not working, and expecting different results from the same behavior is, indeed, the definition of crazy.