“Out of Your Password Minder” Isn’t Just Good Comedy… It’s Also Scary as Hell

Have you seen the “Out of Your Password Minder” segment from The Ellen Degeneres Show? It’s been passed around for the last couple months and recently landed in my inbox. A colleague had been shown it during a training session with one of our technology partners.

I got a really good laugh out of it. But the more I thought about it, I began to see a larger point. The infomercial for the (unfortunately real) product, Password Minder, wasn’t just the butt of Ellen’s joke; it provided excellent social commentary on how people behave with regard to password security.

For those of us who deal with information security on a daily basis - and particularly with IAM technologies such as Single Sign-On (SSO) and Federated Identity - the humor is certainly not lost.

However, if you’re an information security professional at a business whose employees are exhibiting some of the behaviors portrayed in the infomercial, you’re probably not laughing. I just hope you’re not considering solving the password sprawl challenges by placing a bulk order of Password Minders for your organization.

In fact, there’s been a lot of buzz lately about the death of the password, including the rise of Social Identity (or “Social Sign-On” as discussed in Robert Block’s recent post). There have been a few other great articles of late discussing the evolution and next generation of passwords.

Gunnar Peterson at Dark Reading published a short article, “Your Password Is the Crappiest Identity Your Kid Will Ever See,” summarizing the situation with a humorous shot at the growing obsolescence of passwords. When you consider that a modern smartphone has enough processing power to run through every combination of a short, lowercase-only eight-character password in a few hours against a fast, unsalted hash, and that a commodity GPU rig does the same for far larger search spaces, you realize that Peterson’s prediction may arrive well ahead of the date he gives: “Some kid in 2045 will look at their parent and ask, did you really have to enter a password that many times?”

In addition to the growth of Federated Identity, which is already here and generally accepted, here are a few concepts that seem to be gaining momentum:

  • Fastwords – According to security expert Dr. Markus Jakobsson, “The new structure permits a memory jogging technique in which a portion of the fastword is revealed to a user who has forgotten it. We show that this results in boosted recall rates, while maintaining a security above that of traditional passwords.” For example, the system could require you to recall a series of words that you associate with a given phrase based on predetermined logic.
     
  • Biometric Authentication – Probably not new to most of you, this is simply the concept of using something biologically unique to you as a source of authentication: a fingerprint, retina/iris scan, facial geometry, speech pattern or signature. The downside is that the technology and hardware are relatively new, adoption is expensive, and many employees find it unsettling that their biological features are being documented and tracked. There is also a structural concern: a fingerprint or iris pattern is not a secret and cannot be changed if the stored template leaks, so biometrics work best as one factor alongside something you hold or know rather than as a stand-alone replacement for the password.
     
  • Device Authentication – Several companies now offer hardware tokens on USB keys, and Google may even be working on something as convenient as a ring that could function as the device. The trouble is that a token on its own is only “something you have”: if it is lost or stolen it authenticates the thief unless it is paired with a second factor such as a PIN, and the standards are still being defined. However, if your mobile device could also serve as your authentication device, the odds of this concept becoming reality will grow right along with the mobile market.
     
  • BYOiD – Aided by the consumerization of IT, this is a growing trend I already alluded to above with the concept of Social Identity as an authentication method. For one, it relies more on data and less on expensive technology or hardware, so it shows promise of adoption for many use cases, and it is already widely used by online media and e-commerce. It’s also convenient for users - but only up until the point that businesses cross the “trust line” and begin to collect and leverage the intelligence available through an employee’s or customer’s social media account.

Passwords are still the mainstay and probably won’t be going anywhere in the immediate future. Yet, how prophetic was Bill Gates in his 2004 RSA keynote when he said, “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."

Let’s just hope the good folks at Password Minder don’t sell a lot of units before the market finds a suitable replacement.