The cloudy world of passwords

With the growth of social networking, online media consumption and cloud computing, every day millions of people log in to a variety of different sites using a username and password or PIN combination. However, over the last few months there have been a number of high-profile hacking attacks that have pointed to the inherent weakness of the fixed password authentication systems that control access to these services.

Recent reports have highlighted the risks and flaws of static passwords and have suggested practical ways to improve password security and reduce the likelihood of a security breach. Suggestions have included changing passwords on a regular basis (e.g. every 30 days), using combinations of numbers and letters and mixing upper and lower case characters. However, these suggestions are really trying to make the best of a system that is fundamentally flawed, and I would say that such advice is comparable to proposing how to arrange the deckchairs on the Titanic as it sails full-steam towards the iceberg.

Static passwords have increasingly become the subject of a variety of malicious attacks, including shoulder-surfing, key-logging, screen-scraping and brute force “dictionary’ attacks. The cyber-criminals responsible for these kinds of attacks are constantly adapting and updating their methods and, as the number of users of online services continues to rise, now really is the right time for individuals and organizations to embrace authentication methods that offer better security and improved ease of use.

From recent phishing attacks targeting Twitter and Gmail to the news in February 2010 that Cambridge University scientists found a fundamental security flaw with the popular “chip and PIN’ system, every week seems to throw up yet another story proving that static passwords and PINs are past their sell by date.

With cloud computing-based services becoming the norm in today’s online world, and increasing amounts of data moving into the cloud, it is time for on-line service providers to start adopting identity authentication systems that are based on one-time passwords or passcodes. While it may not be possible to completely eradicate all phishing or other hacking attacks with a single solution, one-time password methods are generally more robust and have been proven to dramatically reduce this problem. They can also, depending on the method chosen, be cheaper than legacy password systems and can improve the customer experience of the web site in question. So by making this relatively simple and cost-effective change, organizations can reduce the number of potentially embarrassing security breaches while also saving money and improving customer satisfaction.