By Brian Spector, CEO, CertiVox
When my team started to work on a paper about the vulnerabilities of usernames and passwords recently, I decided we would defy typical cryptography vendor behaviour. Instead of a technical whitepaper full of architecture diagrams and mathematical notation, I told my team I wanted them to do wide-ranging research to argue a cause, in order to support a business case. The material they researched became The Death of Username and Password, a unique new study launched exclusively at Parallels Summit 2013.
Tenfold shame
The paper explores ten core truths that show the weaknesses of username and password so clearly, that when I found out what they had unearthed, I frightened myself.
Did you know, for example, that the IEEE (Institute of Electrical and Electronics Engineers) – one of the most respected organisations in the world – lost over 100,000 user logins to hackers because it was storing username and password information in a file on its website? And that the areas of the site that were compromised potentially included sensitive Western military engineering data?
And had you considered that the speed and ease with which hackers can now access username and password files has so increased the volume of confidential user data being illegally traded online that this data now sells for next to nothing? (European credit card data, for example, will sell for around $3 per card on the internet – US and Canadian, a mere $1). Like I said, scary stuff.
Not just a consumer story
But it was the data on users’ real-world experience of actually using passwords that really made me wince, because its consequences aren’t restricted to consumers or hobbyists. Rather, it’s an issue for every single internet and cloud user, from the provisioning supplier to the individual end-user – and every party in between.
Users forget passwords. Consider this:
- 64% of end users have written down their password at least once
- 70% of people do not use a unique password for each website
More worryingly, users routinely pick passwords that are laughably weak, in an effort to increase their memorability. A recent security breach at Yahoo, for example, showed that thousands of users’ passwords were either “password”, “welcome”, “123456” or “ninja”!
What gives?
The world is perpetuating a login method that is inherently weak, has been repeatedly compromised, is single-handedly responsible for making thousands of dollars’ worth of credit tradable on the internet for less than the price of a packet of cigarettes – and that everybody hates and finds difficult to use anyway.
Why? Well, read the paper first. You can download it here: https://certivox.com/death-username-password/. Then come and find me on Booth 704 and tell me.
Because I’m still none the wiser.
Our partner theatre/developer track
Come and hear what we’ve got to say here:
- Partner Theatre – 5th Feb at 12:45 – Growing Your Revenues with Single Sign-On, Multi-Factor Authentication for the Cloud and Mobile – Frank Boening (CertiVox)
- Developer Track – 6th Feb at 10:30 – Extending APS packages with Single Sign-On – Brian Spector and Gene Myers (CertiVox)