View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 15, 2014updated 22 Sep 2016 11:17am

5 things Heartbleed tells us about passwords

CBR has teamed up with Darren Gross, EMEA director of unified identity services specialist, Centrify, to examine just how we should be using passwords to ensure our safety online.

By Duncan Macrae

Passwords are widely recognised by the security industry as no longer being fit for purpose. Yet at the same time they are ingrained into users psyche as being the ‘correct’ way to log in to applications and devices. This element of human behaviour, and our unquestioning acceptance of passwords, is the very thing that HeartBleed seeks to exploit. As a result, the bug has shone a bright light on passwords and their inadequacy – what learnings can we take away from the last week?

1. Passwords are hard to use and maintain. We’re told that for each individual application that we interact with, we should use a unique password. All very well in theory, but when it comes to remembering them it is a very different kettle of fish.

2. In order to address the fact that, unless you have an eidetic memory, it simply isn’t feasible to remember and manage such a multitude of passwords, we default to either using the same one for everything or something that is easy to remember such as our birthdate or Password1. The problem is that if it’s easy for you to remember, the chances are it’s not going to take a hacker long to work it out either.

3. Passwords are an economic cornerstone of the cyber underworld. Why? Because identity is a valued currency and it’s one that is accepted everywhere. Once a hacker has your password, as far as a website or app is concerned, they are you. So, whilst HeartBleed exposes big chunks of data known by a web server to hackers, passwords are the most obvious target because of their ability to provide access to everything that they are supposed to protect.

4. Without realising it, we’ve created islands of identity, both in terms of the business applications and devices that we use. With more and more apps downloaded every day, this isn’t a static environment. Just five years ago it wouldn’t have seemed possible that we’d be able to access the corporate network from our home PC, laptop, tablet and smartphone, yet now it is the reality in which we live. When bugs such as HeartBleed are discovered, unraveling these identity silos in order to ascertain the risk and potential ramifications is almost impossible, leaving businesses and users vulnerable.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

5. We need an alternative to passwords. Without question we need a more modern way of being able to convey our identity to a server. Security Assertion Markup Language (SAML) is already pretty common. It allows you to log into a website without a password, instead using a system that knows who you are and generates a one off message, or token, in order to validate your identity and send this to the server. Known as ‘zero sign on’ it provides instant access to the service and delivers a seamless user experience. However, the website needs to support SAML technology in order for zero sign on to work. Rest assured, wide spread adoption is something that we’re working with the wider industry on!

New technologies and platforms mean that hopefully in the future bugs such as HeartBleed will hardly even be news. And they certainly won’t cause the panic that this one has. I dearly hope that in years to come, when reminiscing about the ‘old days’ that my grandson says to me, "Granddad, what’s a password?"

 

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU