Stephen Foskett, Pack Rat

Understanding the accumulation of data

It’s Time To Move Beyond Passwords (Especially On Web Sites)

January 8, 2016 By Stephen

If there’s one thing made abundantly clear by the frequent and continuing leaks of web site passwords, it’s that passwords just aren’t going to work anymore. Even the best password tweaks (complexity, multi-factor, etc.) can be hacked and leaked. It’s time to make passwords a thing of the past and switch to authentication systems like SAML, coupled with hardened and centralized authentication and authorization systems.

It’s time to stop requiring every site to effectively manage their own passwords

What’s the Password?

Passwords are a relic of an earlier age, when we dealt with singular devices instead of dispersed systems and services. Thirty years ago, most people had just one or two endpoints with associated usernames and passwords: A bank account or two and maybe a work computer system. And most of our private interactions were done by voice on a phone, not over the Internet with a mobile or personal computer.

Inconvenient access meant that these systems did not lend themselves to be hacked. It was possible to steal someone’s account credentials and steal from their accounts, but this usually required in-person access. A thief needed to steal directly from the person (perhaps by snatching their purse or lifting their wallet) and then know which system to access and how to get to it. And work systems typically weren’t networked, so unauthorized use of credentials there meant a risky physical break-in. It’s not that these things didn’t happen, but the inconvenience and risk limited their frequency.

When computers were networked, it seemed logical to extend this account/password system to them. As a systems administrator in the 1990s, one of my major responsibilities was enabling directory services like NIS/YP and NIS+ to allow a whole network of computers to share a common set of accounts and passwords. The risk inherent in allowing any user to log in to any computer was not lost on us, but the convenience was a major draw.

Then Came the Internet

Although it might have sounded like a good idea to keep using accounts and passwords for Internet-connected web services, this is a truly terrible idea. The Internet allows anyone, anywhere to interact with any service [1]. This makes account cracking a scalable and lucrative endeavor, since the risk of discovery is small and the size of the “haul” is enormous.

Check out some of the password drops documented by Troy Hunt at Have I been pwned? and you’ll get a sense of the scale. Sure, many of these services were colossally stupid in their implementation, but those username/email and password combinations are out there in public now. No amount of useless free credit reporting is going to make up for the personal information exposed in these breaches.

Most sites have responded by requiring complex passwords, but this might be even worse: most users will pick one suitably complex password and use it everywhere, increasing the risk if there’s a breach on any site. Others, especially financial institutions and internal business systems, require users to change their password every few months. Again, this is actually a negative measure, since users will likely pick an easily-guessable scheme like “[email protected]”, “[email protected]”, and so on. [2]

The best approach to the current world of online usernames and passwords is to use a password manager (I love 1Password) and keep a different, randomly-generated, complex password for each site. That’s what I do, but I’m not kidding myself. This is not a great general-purpose solution because it requires constant upkeep and strict self-control to avoid re-using or exposing passwords. And if a site has poor security practices, my complex and unique password still gets exposed!

We Need Non-Password Authentication and Authorization

Last month, at the NexGen Cloud Conference, I sat down with the folks from Centrify and talked about their alternative approach to authentication, authorization, and access. The more I thought about it, the more I realized that this is the right approach, not just for business people but for all of us.

Like other companies, Centrify creates a centralized authentication system that third-party applications and web services can use to grant access. A user logs into the Centrify system (likely using a great password and security token) and can then access any compatible system with no passwords needed. Instead of the typical ID/password process, the SAML protocol is used to securely “open the door” and allow normal access.

This protocol is supported by most popular web services for business (including Amazon AWS, Box, Dropbox, Google, and more) and can eliminate the need for account and password management by end users. Stuff just works.

Of course, single sign-on systems like this have some inherent risk as well. For one, they’re only as secure as the initial authentication, so if your users use a weak password, bad guys can still get in. And once they’re in, they have everything: Single sign-on means they’re into everything, from Amazon to Zendesk! But administrators can focus on the single sign-on provider, making it as secure as possible, instead of relying on every other site to be secure.
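To make the “open the door” step concrete, here is an added example (not code from the original post, Centrify, or any SAML library) of the checks a service provider performs on an assertion from its identity provider before granting a session: trusted issuer, validity window, and audience. The assertion, issuer URL, entity IDs and subject are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with hypothetical IdP/SP entity IDs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2016-01-08T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-01-08T11:59:00Z" NotOnOrAfter="2016-01-08T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML timestamps are UTC xs:dateTime values such as 2016-01-08T12:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, my_entity_id, now):
    """Return (accepted, reason) for an assertion presented to this SP.

    A real SP must first verify the XML signature against the IdP's metadata
    certificate (e.g. with an xmlsec-based library); that step is omitted here
    so the policy checks stand out. The SP never sees a user password: it only
    decides whether to trust the IdP's statement about who logged in."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        return False, "untrusted issuer %r" % issuer
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "missing Conditions"
    if now < parse_saml_time(conditions.get("NotBefore")):
        return False, "assertion not yet valid"
    if now >= parse_saml_time(conditions.get("NotOnOrAfter")):
        return False, "assertion expired"
    # Audience restriction stops an assertion minted for one site being replayed to another.
    audiences = [a.text for a in conditions.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "assertion not addressed to %r" % my_entity_id
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, "accepted session for %s" % subject
```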

Stephen’s Stance

Sure, single sign-on puts all your eggs in one basket. But this is vastly preferable to trusting that hundreds of third-party baskets are secure, especially when they prove on a weekly basis that they aren’t! It’s time to put distributed passwords behind us and switch to systems like SAML, both for businesses and consumers.

Image: What’s your password by Michael Moore. CC-by-NC-ND

  1. Yes, I know, not everyone everywhere has equal, open access to the Internet.
  2. I’ve seen many businesses (especially hotels) do this with their Wi-Fi, setting the password to “June2015”, for example. How exactly does this deter unauthorized access? I can guess what this month’s password is!

Filed Under: Features Tagged With: 1Password, authorization, Centrify, NexGen Cloud Conference, NIS, passwords, SAML, security, SSO, Troy Hunt, web services