Debate: In light of recent breaches, passwords remain a useful method for authentication.

FOR

Christopher Frenz, CTO, See-Thru

The security of passwords has been called into attention quite a bit within the last several months, thanks to highly newsworthy breaches occurring at major websites like Yahoo and LinkedIn. Yet these attacks do not necessarily illustrate that passwords themselves are insecure, but are rather demonstrative that companies do not always take proper precautions in securing user passwords. Companies need to ensure that all passwords are stored in a form that makes use of salted hashes and need to take measures to ensure that proper input validations and other security controls are in place to prevent and/or mitigate the effectiveness of attacks such as SQL injection. Without such controls in place, the data used for any authentication factor could be compromised – be they passwords or otherwise. This demonstrates one of the strengths of passwords, in that when a breach occurs, passwords are easy to change. It is certainly much easier to create a new password, or better yet passphrase, than it is to change the print on a finger or change the image of a retina.

AGAINST

Curtis Staker, president & CEO, Confident Technologies

The massive fallout from password breaches demonstrates that the current system of user authentication on the web is not sustainable or secure. Many organizations lay the burden of secure authentication at the feet of the users, telling them to simply choose harder passwords. Yet, users have proven time and again that their nature is to choose weak passwords and use the same password for multiple accounts. Instead, websites and online organizations should adopt newer authentication techniques that are both more secure and easier on users.

The availability of cloud-based authentication solutions today makes it easy for websites to employ technologies that generate one-time passwords for users each time authentication is needed. The growing adoption of smartphones and tablets allows for more user authentication options, including “soft tokens,” image-based or pattern-based authentication on touchscreens, and even biometrics. All of these methods provide easier, yet more secure, forms of user authentication.
