Friday, April 18th, 2014

Information security management

Passwords aren’t dead, though yours could be

It's 2012. The password is dead. Long live the password.

Perhaps the division in the IT world is not quite that stark, but there is indeed division. Some think it is past time to retire passwords, for what they say is the obvious reason: they don't protect users, since they are so easily hacked. All the talk about making passwords more secure ignores the elephant in the room: they simply cannot be made secure. Besides, there are other, better authentication options, like biometrics, since nobody else has your fingerprints, eyes and DNA.
But others say not so fast: biometrics are not duplicate-proof, and passwords would still be fairly effective if users didn't make them so easy to hack and if password authentication systems were improved.
Christopher Frenz, CTO at See-Thru and a faculty member at Mercy College, both in New York, says the problem is "not because of passwords being obsolete, but because of the prevalence of bad passwords and bad password practices."
He points to the 2009 SQL injection attack on the social media site RockYou that compromised 32 million user account passwords. "The only password security requirement was a password of at least five characters," he says, "(which) resulted in people choosing passwords such as 12345, Password, rockyou, and abc123," plus common dictionary words.
Besides that, the passwords were stored in plain text, along with users' email addresses.
Frenz says some websites (Hotmail recently among them) now require more complex passwords with multiple character types.
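As an added illustration, not code from the article or from See-Thru, the following Python contrasts the two things the RockYou incident above got wrong: a five-character-only policy versus a multi-character-type policy with a common-password check, and plain-text storage versus a salted, iterated hash. The 12-character minimum, the three-of-four character-class rule, the iteration count and the short common-password list are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed list of the kinds of passwords the article says RockYou users
# chose; a real deployment would check against a large breached-password list.
COMMON_PASSWORDS = {"12345", "password", "rockyou", "abc123", "123456"}

# Assumed iteration count for PBKDF2; tune for your hardware.
PBKDF2_ROUNDS = 600_000


def meets_rockyou_policy(pw: str) -> bool:
    """The only rule the article says RockYou enforced: at least five characters."""
    return len(pw) >= 5


def meets_stronger_policy(pw: str, min_len: int = 12) -> bool:
    """Assumed policy: minimum length, three of four character classes,
    and rejection of known-common passwords (case-insensitive)."""
    if len(pw) < min_len:
        return False
    if pw.lower() in COMMON_PASSWORDS:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Store a per-user random salt and a PBKDF2-HMAC-SHA256 digest,
    so that a database dump does not yield the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```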