“If you do not change, you can become extinct !”
– Spencer Johnson, Who Moved My Cheese
For the time being, passwords are a fact of life.
We can reinforce them with other form factors and can use multi-factor authentication in many places, but we have passwords all over the place and that is basically not going to change for the foreseeable future. Something must be done to beef up the security of passwords in general (and of other credentials) to force the bad guys to ever greater costs and difficulty (and lower likelihood of success), and that is the spirit behind RSA’s announcement today of RSA Distributed Credential Protection. But before diving into that, let’s talk about the landscape and the problem scope.
The world of hacking is one of continuing maturity: the good guys get better and the bad guys (no matter how seemingly immature some are) get better in a race among intelligent opponents. It may be frustrating to some to live in a world where we can’t think in abstraction about the “problem of security” and come up with a universal “solution”; but to me, there is a degree of comfort in this. Security isn’t a single problem or challenge. It isn’t a passing fad, and it isn’t about the black and white of a clean binary solution. Instead, it’s a real world set of challenges that demands the most of what we can do as a society and for us to put our best feet forward.
It’s RSA Conference (Europe) time again, and I just remembered last year being asked by one of the journalists here “when will we finally solve this ‘security problem’?” I was surprised by the way the question was asked and tried to find a common ground, wondering if maybe there was a language barrier. I said that we had never solved the ‘security problem’ in any domain of Human endeavor, so why would computing and IT be any different. The journalist responded that we had, and cited physical security…and I asked the obvious follow up “do you feel safe anywhere in the world at any time doing anything?”
And then the journalist got it.
Threats are maturing in a new domain of Human interaction…and that requires a new perspective. The complexity of our interactions online is sufficiently large now that it really is like security in more traditional domains…never solved but actually manageable. Having said that, it isn’t a zero sum game, and it isn’t doomed to being a frustrating game of Whack-a-Mole. Instead, it requires a discipline and coordination and addressing all parts of the system.
I have seen some funny cartoons lately (one of them I love can be found here) about the typical response to the issue of weak or easy-to-break passwords:make them tough, upper case, lower case, numbers, symbols, etc. You know the formula, and then we add in the “e” word: education. Education and good passwords are important, but let’s be honest, when we do that right, passwords will still be weak and will still need to be made stronger.
And that’s where Distributed Credential Protection comes in. To the best of my knowledge, we’ve seen massive losses of passwords (and other credentials) that haven’t had to do with phishing end users, guessing their passwords or anything else. The single point of failure with highest chance of success and least cost is to grab the machine artifacts that are used as placeholders for passwords…why go after every user when you can knab all those delicious hashes and then apply a rainbow table look-up with a nice elastic computing service?
All points of the system have to be made more robust and tough and difficult to break. Why have one store, when you can split it? Why not apply all the tricks we, the good guys, have to make things much more difficult than the incremental one-upmanship that we seem to be stuck with or, worse, the slowing improvements of old platitudes posing as best practices and hiding behind the “e” word.
It’s also my belief that many dimensions of security have been overlooked in general, and it’s time for us to start re-opening the crypto toolkit and dig deeper into data protection; and it’s time to dive deeper into authentication itself…but more on that next time.