Burying the password

It's time to bury the password. Passwords may well be the longest-serving security tool in the history of humanity. Long before computers, people were using secret words. The only technology to come close to that record may be encryption. Encryption, however, is only now coming into its own as a standard defense against unauthorised access to confidential information - think about Windows, where only the latest incarnation provides any hard disk encryption as a standard part of the tool set.

Passwords, on the other hand, have been the bedrock of IT systems security since the dawn of computing. Virtually every computer system ever produced (with the possible exception of gaming platforms) has provided for some kind of password protection, however weak this may have been.

Most of today's corporate networks are completely dependent on passwords to maintain security.

Yet passwords no longer work.

As security has progressed in both technology and awareness, password requirements have become more stringent.

Network security policies are standard, defining users' behaviour, requiring password changes and complexity.

Users of a corporate network can now expect to have to change a network password every 30 days, each time selecting a combination of characters containing any or all of letters, numbers, capitals, non-standard characters such as question marks and exclamation marks, avoiding the use of letters in any pattern, or with a link to their name, network user name, company or other defined words. Dictionary words, even disguised as part of a password, are increasingly unsuitable. What was six characters must now be eight or even ten.

The other factor at play here is the other systems people access. Most users of corporate networks will have home computers, with multiple passwords for access to their PC, laptop, smart phone, web sites and online applications. People now have to remember a huge number of passwords that change regularly.

It's not possible to do this securely. More and more, passwords are written down, forgotten, or created around patterns. More and more passwords are used on multiple systems, some of which will be less secure than your network.

Passwords also have a horrendous weakness: their users. 'Something you know' will always be subject to social engineering attempts.

Because of these weaknesses, the day of the password is over. Information on a system can no longer be protected simply with information in a user's brain.

It's time for something new. Something you have is no good (it can be stolen or lost). Something you know is no good (the same applies). The only remaining option is 'something you are'.

Fortunately, for once that walking security disaster, the human being, comes into its own. What will always be unique, and remains very hard to steal: You.

It's time to retire the password, and make people the key.