The End of Passwords?
& CEO -
Like the regular ticking of a clock, I hear the siren song of “the end of passwords” coming from analysts and pundits on a regular basis, either in person or via the media.
We have also been seeing the publicity caused by the email security of celebrities being compromised because the passwords they chose could be deduced from their public profiles.
In our business we see first hand how easily common credentials (the same password on many systems) and uncontrolled access have caused password-based access to be compromised and used for unauthorized purposes (think Snowden).
Is it finally time to get rid of passwords? In September 2013 Apple released the iPhone 5S with a biometric sensor for fingerprint recognition as a way to remove the need for users to type in passwords on their smartphones. There is certainly a rich history of celebrities (and others) picking poor passwords for their email accounts that has led to embarrassing situations, not to mention the ongoing problems of typing in complex passwords on a mobile device without a real physical keyboard.
Biometrics may indeed signal the beginning of the end of password entry for mobile users (at least Apple users), but passwords are not going away for the rest of the world and especially for infrastructure. The use of biometrics for authentication opens up a whole new realm of personal privacy issues that may be even worse than those passwords represent (thank you Gyle Iverson, CEO of CloudVaults, for the link).
How Do We Get Rid of
Practically speaking, the issue is not so much that passwords are bad or inherently insecure; the core problem is with their disclosure and lifetime. When humans pick passwords and are required to manage them, we make a compromise between convenience and security, usually erring on the side of convenience. This convenience bias opens us up to social engineering and potentially computational decoding of our passwords.
The obvious method we have taken to solve the password problem is to generate unique long passwords that are purely random and assign them to every account we are supposed to manage. The nature of our generated cryptographically complex passwords makes them infeasible to crack, and their constantly changing nature means that there is a minimal window of access (i.e. today’s password does not work tomorrow).
The idea that passwords are changed automatically after use, and also periodically even without disclosure, means that a Privileged Identity Management (PIM) password is essentially a one-time password (OTP). The defining property of an OTP is that a credential/password is good for one time only and is limited as to when and how long it can be used. A secondary, but essential, characteristic of a PIM OTP password is that it is not only limited in time but also limited to only one machine where it will work. The per-machine limitation exists because each machine has unique credentials for its accounts (no common credentials).
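The following Python sketch is an added illustration of the PIM one-time-password model described above; it is not ERPM code and all names (Vault, Checkout, enroll, rotate_expired) are hypothetical. It shows the three properties the text lists: a unique random credential per machine, a time-limited checkout, and rotation once the checkout lapses, so that a captured password is useless on another machine and useless on the same machine after it is rotated.

```python
import secrets
import string
from dataclasses import dataclass, field

# Hypothetical PIM vault model (added illustration, not ERPM code): each
# (machine, account) pair has its own random password, a checkout hands it
# out for a limited time, and the password is rotated when the checkout
# lapses, so yesterday's password fails today and one machine's password
# is useless on any other machine.

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 32) -> str:
    """Long random password drawn from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Checkout:
    user: str
    expires_at: int  # unix seconds at which the checkout lapses


@dataclass
class Vault:
    passwords: dict = field(default_factory=dict)  # (machine, account) -> str
    checkouts: dict = field(default_factory=dict)  # (machine, account) -> Checkout

    def enroll(self, machine: str, account: str) -> None:
        """Give this machine's account its own unique credential (no common credentials)."""
        self.passwords[(machine, account)] = random_password()

    def checkout(self, machine: str, account: str, user: str, now: int, ttl: int = 3600) -> str:
        """Release the current password to `user` until now + ttl."""
        self.checkouts[(machine, account)] = Checkout(user, now + ttl)
        return self.passwords[(machine, account)]

    def rotate_expired(self, now: int) -> list:
        """Replace every credential whose checkout has lapsed (one-time use)."""
        rotated = []
        for key, co in list(self.checkouts.items()):
            if now >= co.expires_at:
                self.passwords[key] = random_password()
                del self.checkouts[key]
                rotated.append(key)
        return rotated

    def authenticate(self, machine: str, account: str, password: str) -> bool:
        """Constant-time check; only the password stored for this machine is accepted."""
        stored = self.passwords.get((machine, account))
        return stored is not None and secrets.compare_digest(stored, password)
```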
OTP on Top of OTP
It is a common reality that internal machines can get compromised with key loggers (that capture credentials) and remote control software. As such, every user name and password on the compromised machine is recorded and available to anyone with remote control of the system.
The only effective mitigation is to insert an extra step that requires the real user to provide an additional authentication element that cannot be recorded and replayed. Generally the extra element is a challenge such as a phone call, providing an SMS message delivered to the user’s cell phone, or the code from a hard or soft token. In addition, smart cards can be used or a biometric reader can be used.
All of the other factors represent additional one-time passwords or one-time passcodes (OTPs) in addition to the normal credentials used to access a system.
In the case of access to a one-time password granted via a PIM system such as ours (firecall or break glass access), you would log into our system with a user name and password, whereupon you are required to provide a second factor such as described previously. In effect, you must provide an OTP to get an OTP for privileged access.
New Release: ERPM
The new release of Enterprise Random Password Manager (ERPM) releasing in September adds a lot of new OTP or multi-factor authentication (MFA) options. The most basic improvement in this version is the addition of generic RADIUS just for multi-factor authentication. This capability means you can now use pretty much any provider of multi-factor authentication with ERPM. Set-up is really simple and takes less than 5 minutes. All you need to know is the address of the RADIUS server, the shared secret password, and the challenge format desired. Once configured, a user is first authenticated via user name and password (or integrated authentication); their user name and the additional requested challenge code are then passed to the RADIUS server, which approves or denies the request.
We have also added two new native multi-factor authentication providers, including SafeNet’s cloud and on-premises authentication server and PhoneFactor. While you can use RADIUS with both SafeNet and PhoneFactor, we and security experts prefer the native integrations because they are more secure with less work.
Why are OTPs so Important?
The reality today is that anti-virus, firewalls, IDS/IPS, and other legacy technologies simply don’t work very well against attackers. Real security means understanding what the landscape really is and realizing that any machine could be compromised and potentially become a jumping off point for both mapping your environment as well as for
Our PIM solutions do a great job of getting rid of common credentials, managing service/application accounts, and also provide a limited lifetime to privileged credentials, but if a compromised system can be used to access our data, the outcome would not be good. To assure that only authorized users can gain full access to our software, we STRONGLY suggest that some form of authentication besides user name and password be used with our product. To encourage the use of multi-factor authentication, we provide many native connectors to the leading providers at no additional cost. If you can’t afford or don’t want the hassles of a commercial solution or commercial tokens, we also provide a free solution based on OATH that allows the use of software tokens, hardware tokens and delivery via SMS of the time-limited token code to a user’s cell phone. If you want to try tokens, we even have a free hardware token offer from Yubico.
Going Beyond OTPs: Risk
When you interact with our PIM, we generate a vast number of real-time events to both internal logs as well as external logging systems. Among the loggers are SIEM systems that not only incorporate our log output but also aggregate the events occurring from other parts of your network. These can be configured to correlate the activities of users among multiple systems and determine if their behavior is risky or unauthorized. Given that privileged access is an important and potentially dangerous activity, especially when unauthorized, we also consider the use of a SIEM with our product essential. The latest version adds additional events and SIEM integrations.
We have also added and improved trouble ticket/CMDB integrations in this latest version to further assure that unauthorized access is limited or eliminated by making PIM a part of an enforced ITIL process.
The Future of
Passwords are not going away because they are ingrained into virtually every part of IT infrastructure. Our mission is to make passwords safe by making them unique, infeasible to crack, limited in lifetime, and accessible for the right reasons, by the right people, and only for as long as they are needed. Even more important, our mission is to make the transition to a world of secure passwords easy and fast, with minimal to no ongoing effort to keep things secure.
The latest version of our PIM solution, scheduled for release in September 2013, reinforces the tremendous effort we are making to make your life easier and your environment secure. We are very proud of this release and look forward to your feedback. What do you think? Email me at: Phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.