2004-11-16

Passwords a thing of the past? Let's hope not.

Bill Gates, in a recent interview with C|Net news, forecast the end of password-based authentication as we know it. At this point the statement is nothing more than idle talk, but we all know the influence Microsoft has on IT as a whole, and it should not be downplayed. It reflects a mentality at Microsoft, and frankly, it's one we should be wary of.

Mr. Gates took a big - and much needed - step when he announced Microsoft's trustworthy computing initiative last year. The argument that vulnerabilities are so prevalent in MS software merely because of its ubiquity isn't completely sound: Apache, the world's leading web server, has fared much better than IIS on that front. The prevalence of vulnerabilities was the result of a systemic, company-wide failure to properly address security concerns, and an overhaul was in order. But not everyone was convinced of Redmond's change of heart.

Situations such as this password issue only provide more fuel to pundits who immediately dismissed the trustworthy computing initiative as a diversion from Microsoft's fundamental security problems. Even the most novice computer security professional has heard the phrase "Something you have, something you know, and something you are." This three-factor authentication should exist for the foreseeable future, no matter how great a product Gates & co. build. The reason is simple: in this day and age, only something you know can't be stolen. It must be guessed, or given away. Your name - something you are - can be discovered easily. Smart cards - something you have - can easily be stolen. Even commercial fingerprint scanning technology can be easily fooled with things like gelatin, and once a fingerprint is compromised, it cannot be changed. The only way to truly secure systems is with something that cannot be obtained without the intervention of the user: their password. I again concede that this can be guessed, but when combined with the two other factors of authentication, it makes for a hard nut to crack.

The danger here is that Bill Gates's view and loathing of passwords could be infectious. This paradigm could easily be shoved down people's throats in the form of Longhorn (the next version of Windows), and anyone in InfoSec will tell you that this is something users would love. No password to remember, and change every thirty days? What a glorious thing! Like electrons, users choose the path of least resistance in getting their computing tasks performed.

Microsoft, and more importantly Microsoft's policy-setters, must have a firm grasp on these sorts of issues if their trustworthy computing initiative is to be truly successful. Unfortunately, when statements like "In time, we will completely replace passwords" are heard from Gates, one is left to wonder if trustworthy computing really consisted only of one-off code reviews and some notes in a marketing strategy meeting. Let's hope he's not serious.

1 comment:

Anonymous said...

I haven't read about this in detail yet, but I suppose it depends on how they intend to go about this. Promoting and getting the public familiar with key chain technology, and one password style systems like Kerberos (sp?) would go a long way to minimize load for users and allow the use of automatically generated passwords/keys with high levels of complexity (128 bits +).

But as you said, it certainly isn't time to dump passwords altogether - yet. Overall, infrastructure would need to become more unified and more reliable before anything like this should even be considered - in my opinion. Having a reliable keychain seems a lot more useful in the short term, as it is also a lot easier to verify that it is secure, as opposed to verifying that a whole OS or authentication architecture is secure.

-Kevin