We're never going to solve the password problem when we aren't thinking about getting rid of the password itself.

1. PASSWORDS is Everything That is
Wrong with Security
Can System Be Manipulated...

2. We Are Due For Disruption In Passwords
Passwords are broken. It’s not the technical implementation or
the business requirements --- it’s the whole concept. It was
Fernando Corbató who created the concept of the password in
the 1960s. Startups have been talking about “disruptive
technology”. It changes the way things are done in a given
market and can be taken as a form of a new technology taking
the place of an existing one, or a similar product that operates in
a unique way which can bring huge returns for companies.
2

3. The Server Side Problem: As security professionals, this is what we talk about most. How do we
accept passwords, encrypt them in our databases, and prevent other people from stealing
them? At Cigital, we have devoted everything from blog posts to a computer based training
course on how to secure passwords. It’s hard to do and even if you do it right, it’s only half the
problem.
3

4. The Client Side is the polite way to
say humans. You see, good
passwords are hard to remember.
Since they are hard to remember,
they’re likely to be written down
and/or reused on multiple systems.
If one person doesn’t get the
Server Side Problem right, the
attacker finds the password on
another system and reuses it on
yours.
The Client Side Problem
Back to the starting point, this method
is dated. We’re asking users to do
the impossible. We have hundreds
of passwords in Lastpass. In 1964,
when passwords were created,
there were about 20,000 computers
in the world. For sure the creators of
the password didn’t think of a use-
case for having to create and
remember 100 passwords per
person.
Passwords isn’t about good training
or beating people into submission. It’
s about being reasonable. And
today, passwords are no longer
reasonable.
4

5. The problem is that we’re not
thinking about fixing the password
problem. When a company
decides to create a new
application, they don’t think about
whether to use passwords or try
something else. (Caveat for
companies that use single sign on
or OAuth to authenticate against
other systems which use
passwords.)
The Assumption Problem
Business Analysts aren’t typically
tasked with finding new and easier
ways to have their users
authenticate. We make an
assumption that one of the currently
accepted standards will be used.
While we may improve the backend
security over time, we’re doing almost
nothing to improve the human
element.
In fact in the name of security, we
often make it harder for a user to
create and remember passwords by
adding upper, lower, numbers,
special characters and continually
increasing the length of the
password.
5

6. A Way Forward
You will be impressed by what Yahoo Mail did when they decided to get rid of
passwords.
If you read carefully, all that Yahoo has done is removed the password and
instead uses a token — similar to the Google Authenticator or Duo Key. Note that
while Google has the same technology, they still require you to enter a
password in first and then enter in the token.
In the world of authentication, we break it down into three categories:
➢ Something you know: a password, your mother’s maiden name.
➢ Something you have: your phone, a token.
➢ Something you are: a fingerprint, iris scan.
6

7. ● Something you know: a password, your mother’s maiden name.
● Something you have: your phone, a token.
● Something you are: a fingerprint, iris scan.
When you pick from two in the list, we call it two-factor authentication. When we talk about passwords, we’re
talking about something you know. Yahoo has swapped out something you know with something you have
(the app running on your phone). While we’ve reduced the risk that someone will steal my password and
login as me, we have increased the risk that someone can pick up my phone and use my authenticator app.
7

8. Passwords Need
To Evolve
Password breaches affect thousands if not millions
of users while stealing someone’s phone affects one
user.
It is not suggested that this is the way every
organization should go. It is merely implied that we
should rethink our assumptions around passwords.
For many industries, this won’t be easy. Regulators
are very comfortable with passwords (even though
they probably shouldn’t be). Chief Risk Officers and
Internal Auditors likely aren’t excited about this type
of change.
Passwords need to evolve. Until we as an industry
help the evolution, we will stuck with 100s of
passwords to remember… or one because we re-
use it everywhere.
8

9. Jay Schulman is an Information Security Consultant living in Chicago who loves to talk and write.
He is currently working at Cigital and has 17 years of experience in information security. Join
him in his weekly podcast as he discusses on how to Build A Life and Career in Security.
9
Subscribe To How To Grow Your
Security Career
Watch The 14 Best Videos To
Grow Your Security Career
Got Questions? Get Support!