The Password is Dead -- Long Live the Password

A password is a string of characters or words, known by a person, kept secret, that authenticates that person as being someone authorized to gain access to something. The idea of passwords is an ancient one: think of sentries for thousands of years yelling, “Halt, who goes there?  Give the password!" The first computer password scheme (probably) was implemented on CTSS by MIT around 1961.

Authentication is based on one or more factor from the list, "Something you know", "Something you have", "Who/what you are".  Think of a typical password, an authentication device like an RSA token or gridcard, and a fingerprint or retina scan.

I have ranted previously that the third factor is a problem, in part because if the digital representation gets stolen, that's it.  Game over.  You can change a password.  You can re-seed a token, or print off a new gridcard.  But changing your fingerprints is not readily accessible to most people.

Password storage ranges from bad to not-so-bad.  Users will memorize, use paper & pencil, keep them in a spreadsheet, etc.  If you can memorize good passwords, you're ahead of the game.  Some people use an encrypted vault like KeePass or LastPass, but there is a definite sacrifice of convenience in these.  Ah, well, everything's a trade-off.

I will be giving a talk about passwords at the Rochester Security Summit next Tuesday (Oct. 6, 2015) at 10:30 AM.  If you are not already registered for this event, why the heck not?