Bury the username/password
Stronger identity technologies are needed to thwart hackers
When it comes to that old reliable duo of username and password, perhaps it’s time to admit defeat. After all, it’s pretty clear that we remain stuck in a cycle of failure. Because we are all too human, we perpetuate it with even more failure.
A recent news release about a technology research study at Dartmouth should provide further motivation for anyone who has been the target of a data breach or who will be targeted. Not to put too fine a point on it, but that’s just about everyone – businesses and individuals.
Here’s the bottom line: Researchers at the Dartmouth College’s Institute for Security, Technology and Society (also known as ISTS) have embarked on a year-long study to determine the weak links, vulnerabilities and economies of scale that have led to the data breach epidemic. For those who need reminding, that would be catastrophic data breaches to companies such as Anthem, Sony, Target, Home Depot and so on.
The study is being done in conjunction with the folks at the Manchester-based IT security company WWPass. The researchers are urging organizations of all sizes to eliminate identity schemes based on username and passwords combinations as a method of authenticating employees and customers. It’s about time.
In a sense, our collective mindsets haven’t changed from the mid-1990s, when the World Wide Web began to grow at a mind-blowing rate. Security is always top of mind for business owners and consumers alike, but collectively we don’t practice it enough.
What’s needed, the study said, is replacing the username/password standard “with stronger identity technologies opaque to attackers.” Those of us in the IT sector who work with clients to protect their networks and their data have seen this coming for a long time because hacker attacks are relentless and can afford a large margin of error. On the other hand, the margin of error for companies trying to protect their data – and that of their customers – is minuscule.
“When it comes to organizations trying to keep their data private, attackers always seem to win,” said Professor Sergey Bratus, Dartmouth’s lead researcher on the project. “There’s even worse news: Breaches have become merely a matter of scale; it appears that if attackers can scale up their effort, they win, no matter how unsophisticated they are.”
Not all of the attacks are malicious. We know of a health care company that was hacked primarily so gamers in Eastern Europe could use the company’s servers for greater gaming bandwidth. Still, the company was shocked it had been hacked and was concerned its client records were at risk.
For small businesses in particular it can be very embarrassing to be hacked, and they are often reluctant to admit it if they don’t have to.
An education client hired us after it had its entire system compromised and brought to a halt due to malware. Thousands of students were without report cards and teachers were unable to teach their lessons. But in the course of our work we discovered their security protocols were virtually nonexistent.
And if you are wondering, we do practice what we preach. We buried the traditional password system a while ago and among other practices (sorry not divulging specifics here) we use a random access generated password system. We also are keeping our eyes open to the next generation of behavioral analytics. The Canadian startup Inset is grabbing headlines in the industry with its analytics approach for a proactive tool of threat detection and smart security.
We are edging closer to a new era of eye and thumb scans and ever-changing passwords. There’s no question that it’s more challenging than the nonchalant time of 123 password entries. But being mindful and vigilant is better than leaving a cyber-door open to catastrophe.
Tim Martin, founder and CEO of Portsmouth-based Neoscope Technology Solutions, can be reached at firstname.lastname@example.org.