Debate: In light of recent breaches, passwords remain a useful method for authentication.
Christopher Frenz, CTO, See-Thru
The security of passwords has been called into attention quite a bit within the last several months, thanks to highly newsworthy breaches occurring at major websites like Yahoo and LinkedIn. Yet these attacks do not necessarily illustrate that passwords themselves are insecure, but are rather demonstrative that companies do not always take proper precautions in securing user passwords. Companies need to ensure that all passwords are stored in a form that makes use of salted hashes and need to take measures to ensure that proper input validations and other security controls are in place to prevent and/or mitigate the effectiveness of attacks such as SQL injection. Without such controls in place, the data used for any authentication factor could be compromised – be they passwords or otherwise. This demonstrates one of the strengths of passwords, in that when a breach occurs, passwords are easy to change. It is certainly much easier to create a new password, or better yet passphrase, than it is to change the print on a finger or change the image of a retina.
Curtis Staker, president & CEO, Confident Technologies
The massive fallout from password breaches demonstrate that the current system of user authentication on the web is not sustainable or secure. Many organizations lay the burden of secure authentication at the feet of the users, telling them to simply choose harder passwords. Yet, users have proven time and again that their nature is to choose weak passwords and use the same password for multiple accounts. Instead, websites and online organizations should adopt newer authentication techniques that are both more secure and easier on users.
The availability of cloud-based authentication solutions today make it easy for websites to employ technologies that generate one-time passwords for users each time authentication is needed. The growing adoption of smartphones and tablets allow for more user authentication options, including “soft tokens,” image-based or pattern-based authentication on touchscreens, and even biometrics. All of these methods provide easier, yet more secure, forms of user authentication.