Passwords: Real-world issues, tips and alternatives
by Mirko Zorz - Editor in Chief - Friday, 25 April 2014.
Per Thorsheim is an independent information security adviser based in Norway. He is the founder and main organizer of PasswordsCon, the first and only international conference on passwords.

In this interview, Thorsheim talks about the complexities involved in keeping strong passwords, offers practical advice for organizations and explores alternatives.

Breaches keep reminding us about the importance of passwords, yet cybercriminals keep using the same tricks to take advantage of the weak ones, and steal information from even the biggest of companies. Why is this still happening?

First of all, it is important to say that very few, if any, large user/password database breaches we've seen over the past years actually happened because of bad passwords. The initial compromise happened because of SQL Injections or a wide range of other software vulnerabilities.

After the initial attack, user databases have been copied by the attackers, and in quite a few cases those data have ended up for public display on various online services.

Although we have observed targeted attacks happening in the aftermath of such large breaches based on leaked credentials, my personal opinion is that such attacks have been both rare and limited in size given the total number of leaked credentials we've seen.

So why are these attacks still happening? Well, changing the world cannot be done overnight. A more real-world explanation: there are few risk analysis reports justifying the cost of replacing passwords with presumably more secure solutions.

Sometimes we forget that there will always be breaches. Threats, weaknesses, flaws, errors, vulnerabilities or whatever you'll name them, they will always be there. Fix one, find two more. Which explains my next answer:

What should organizations do?

Risk analysis. Period. We have to accept a certain annual loss expectancy, and put that into our calculations of maintaining positive and sustainable business for the future. Rather often we'll have to face that risk-reducing efforts just don't make it through the cost-benefit calculations for any organization.

A few years ago I participated in a panel discussion about introducing biometric authentication to ATMs and perhaps even payment terminals. From an isolated monetary view, the current losses for banks in a European country due to ATM fraud were increasing every year. But considering only the cost of replacing them with new terminals that included biometric authentication options, current and estimated future losses would be the most economical option "in the foreseeable future". And that didn't include the full costs of changing the entire backend infrastructure to support biometric authentication!

On the other hand, financial authorities and financial institutions in this specific European country didn't just look at the isolated monetary losses due to ATM fraud. They also included the possible risk and cost of customers losing trust in ATMs, and instead demanding physical bank offices to open up again. As we should all know by now, running a staffed branch office is quite a bit more expensive than having ATMs and a smartphone app to do the job for you.

With that in mind, the risk of customers losing trust in any service you provide, current estimates said that biometric authentication could very well start appearing in ATMs over the next 5-10 years.

Businesses need to do their risk analysis properly, and at some point loss of public trust in products and services provided should become part of the equation. Obviously this is not something that can be done overnight.

