Passwords “will be around for the next 10 years”


23 Sep 2005

As debate rages over whether passwords are good enough to protect information from being intercepted, one security expert believes this form of authentication will be in use for a decade at least.

According to Simon Perry, vice-president of security solutions with Computer Associates, there are two reasons why passwords will remain – barriers to change and the need to assign security rankings to data based on its importance.

“We will see passwords continuing in mainstream use for at least 10 years,” he told siliconrepublic.com. Technology hardware presents one major hurdle. “It doesn’t matter what the alternative is, whether it’s smart cards or biometrics. The PC industry continues to think we want 3.5-inch floppy drives and not a fingerprint or smart card reader. Even if we say, ‘As of today the PC industry is going to start swapping that out’, the average PC user at home or in business takes five years to turn that around and put in an authentication mechanism. Combine that with the applications that have to understand this new form of technology and it makes the chances remote. “The second element in this is human,” Perry said. “People socially are very familiar with PINs and passwords so they’re resistant to change.”

Another reason why passwords’ shelf life will be extended is that introducing new authentication technologies would mean having to classify data according to its importance. “If we accept that biometrics or a smart card is a better form of authentication than a password, I should do a security classification that ranks my information into high security, medium or low,” said Perry.

He pointed out that the resulting challenge for security managers is one of risk mitigation. Businesses must make sure there is no gap between the capability of the defences put in place – and the cost involved in doing so – and the actual threat involved. “Don’t try and classify everything as high security because it’s not. If we apply really strong authentication [everywhere] we’re arguably overinvesting.”

He pointed out that as a security mechanisms, passwords work well in theory. Where this falls down is human behaviour, where people leave their passwords in places where they can be found, or else they choose passwords that are easy to remember – and by extension, easy for someone else to guess. “Passwords are actually fine in a lab. The problem of passwords is people. You can make an incredibly strong password that will never be guessed by a dictionary attack or a brute force attack, but you’ll never remember it.”

By Gordon Smith