If there’s one thing made abundantly clear by the frequent and continuing releases of web site passwords, it’s that passwords just aren’t going to work anymore. Even the best password tweaks (complexity, multi-factor, etc) can be hacked and leaked. It’s time to make passwords a thing of the past and switch to authentication systems like SAML coupled with hardened and centralized authentication and authorization systems.
What’s the Password?
Passwords are a relic of an earlier age, when we dealt with singular devices instead of dispersed systems and services. Thirty years ago, most people had just one or two endpoints with associated usernames and passwords: A bank account or two and maybe a work computer system. And most of our private interactions were done by voice on a phone, not over the Internet with a mobile or personal computer.
Inconvenient access meant that these systems did not lend themselves to being hacked. It was possible to steal someone’s account credentials and steal from their accounts, but this usually required in-person access. A thief needed to steal directly from the person (perhaps by snatching their purse or lifting their wallet) and then know which system to access and how to get to it. And work systems typically weren’t networked, so unauthorized use of credentials there meant a risky physical break-in. It’s not that these things didn’t happen, but the inconvenience and risk limited their frequency.
When computers were networked, it seemed logical to extend this account/password system to them. As a systems administrator in the 1990s, one of my major responsibilities was enabling directory services like NIS/YP and NIS+ to allow a whole network of computers to share a common set of accounts and passwords. The risk inherent in allowing any user to log in to any computer was not lost on us, but the convenience was a major draw.
Then Came the Internet
Although it might have sounded like a good idea to keep using accounts and passwords for Internet-connected web services, this is a truly terrible idea. The Internet allows anyone, anywhere to interact with any service. This makes account cracking a scalable and lucrative endeavor, since the risk of discovery and size of the “haul” is enormous.
Check out some of the password drops documented by Troy Hunt at Have I been pwned? and you’ll get a sense of the scale. Sure, many of these services were colossally stupid in their implementation, but those username/email and password combinations are out there in public now. No amount of useless free credit reporting is going to make up for the personal information exposed in these breaches.
Most sites have responded by requiring complex passwords, but this might be even worse: Most users will pick one suitably-complex password and use it everywhere, increasing the risk if there’s a breach on any site. Others, especially financial institutions and internal business systems, are requiring users to change their password every few months. Again, this is actually a negative measure since users will likely pick an (easily-guessable) scheme like “[email protected]”, “[email protected]”, and so on.
The best approach to the current world of online usernames and passwords is to use a password manager (I love 1Password) and keep a different, randomly-generated, complex password for each site. That’s what I do, but I’m not kidding myself. This is not a great general-purpose solution because it requires constant upkeep and strict self-control to avoid re-using or exposing passwords. And if a site has poor security practices, my complex and unique password still gets exposed!
We Need Non-Password Authentication and Authorization
Last month, at the NexGen Cloud Conference, I sat down with the folks from Centrify and talked about their alternative approach to authentication, authorization, and access. The more I thought about it, the more I realized that this is the right approach, not just for business people but for all of us.
Like other companies, Centrify creates a centralized authentication system that third-party applications and web services can use to grant access. A user logs into the Centrify system (likely using a great password and security token) and can then access any compatible system with no passwords needed. Instead of the typical ID/password process, the SAML protocol is used to securely “open the door” and allow normal access.
This protocol is supported by most popular web services for business (including Amazon AWS, Box, Dropbox, Google, and more) and can eliminate the need for account and password management by end users. Stuff just works.
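What the receiving site handles in place of a password, as an added example (not from the original post or from Centrify): the checks a service provider applies to a SAML assertion once its XML signature has been verified, which is assumed here and not shown. The issuer, audience, user and the names `check_assertion` and `parse_ts` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (hypothetical IdP, app and user). It carries no password.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z"
      NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, own_entity_id, now):
    """Return (user, None) on success or (None, reason) on rejection.

    Assumes the XML signature was already verified against the IdP's
    certificate with a vetted library; that step is not shown here.
    """
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return None, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return None, "missing validity window"
    # Short-lived: a captured assertion is useless minutes later.
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        return None, "outside validity window"
    # Audience-bound: an assertion minted for another site is refused here.
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if own_entity_id not in audiences:
        return None, "wrong audience"
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (user, None) if user else (None, "missing subject")
```

Unlike a leaked password, a leaked assertion expires within minutes and is accepted by only one site, so a breach at that site exposes nothing reusable elsewhere.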
Of course, single sign-on systems like this have some inherent risk as well. For one, they’re only as secure as the initial authentication, so if your users use a weak password, bad guys can still get in. And once they’re in, they have everything: Single sign-on means they’re into everything, from Amazon to Zendesk! But administrators can focus on the single sign-on provider, making it as secure as possible, instead of relying on every other site to be secure.
Sure, single sign-on puts all your eggs in one basket. But this is vastly preferable to trusting that hundreds of third-party baskets are secure, especially when they prove on a weekly basis that they aren’t! It’s time to put distributed passwords behind us and switch to systems like SAML, both for businesses and consumers.
Image: What’s your password by Michael Moore. CC-by-NC-ND