I recently caught up with cybersecurity expert Eric Vanderburg, the director of information systems and security at Geronov, to get his take on some of the problems with the username and password system and to find out if it’s time for a change.
A lot of people are saying passwords are dead — or that the very concept of passwords is becoming passé. What’s your take on this?
Eric Vanderburg: What it really comes down to is the difficulty users have accepting some of the alternate technologies. At the same time, a lot of legacy systems are still reliant on usernames and passwords. The problem is that people have to remember more and more passwords over time — sometimes it’s 40 passwords they’re trying to remember. They write them down. They use the same password for everything. They put them in a password management application, which potentially transfers the risk from a local computer to a cloud application. So I don’t know if I would say that passwords are dead, but they’re definitely in need of a replacement.
But are password managers vulnerable to getting hacked?
Vanderburg: Yes, they are. If it’s on your local machine, you could potentially get infected by malware that has a key logger in it. As soon as you log into your password management app, the malware has your password and it’s going to extract the rest of the passwords from the manager and start utilizing them. If you use a cloud application, it may have protections, but if there is an attack on the cloud provider, your credentials could be exposed.
What do you think about two-factor authentication (2FA), where login attempts to online accounts are verified via a second device owned by the user, such as a smartphone?
Vanderburg: 2FA is certainly better than just having a username and a password. However, at Geronov, we don’t recommend using text messages or email for 2FA because of the risk of interception. It’s relatively easy for cybercriminals to grab the plain text component of the information contained in text messages and email.
What do you think is happening in terms of new technologies like biometrics?
Vanderburg: The interesting thing about those technologies is that they’ve become a lot easier for users. When biometrics first came out, for one thing, they were really expensive, and for another, they required some sort of add-on hardware that users weren’t very familiar with. So there was all this extra training, and systems would break or malfunction and the users wouldn’t be able to do their jobs. But in the last few years we’ve seen things like iPhone and Android phones do fingerprint recognition, and Windows Hello offers facial recognition. And you don’t need to buy anything extra in order to use the feature. The software supports biometrics and that makes it a lot easier for users to adopt the technology.
Is there anything new under the sun when it comes to password management best practices? What advice do you have for people?
Vanderburg: I still like pass-phrases [for passwords]. Mine are long, goofy and convoluted. But you say it once or twice and you realize, ‘oh yeah, I can remember this.’ And try to make each pass-phrase very different. People just like to substitute one word or something like that when creating new pass-phrases. But you’ve got to remember, if a pass-phrase is ever exposed, a cybercriminal is going to try similar variations on that password later on.
Norman Guadagno is Chief Evangelist and Senior Vice President of Marketing at Carbonite. Portions of this interview were edited for clarity.
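Vanderburg's advice that a new pass-phrase should not be a one-word tweak of an old one can be enforced at password-change time. The following is an added example, not code from the interview, Geronov or Carbonite; the sample pass-phrases, the thresholds and the function names are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed sample data (not from the interview): one exposed pass-phrase and four replacements.
EXPOSED_PASSPHRASE = "purple giraffe eats seventeen tacos"
CANDIDATES = [
    "Purple Giraffe Eats Seventeen Tacos!1",   # cosmetic change only
    "purple giraffe eats eighteen tacos",      # one word substituted
    "purple giraffe eat seventeen taco",       # plurals dropped
    "quiet harbor lantern drifting north",     # genuinely different
]

def normalize(phrase: str) -> str:
    """Lowercase and collapse punctuation/digits to spaces so cosmetic edits do not hide reuse."""
    return re.sub(r"[^a-z]+", " ", phrase.lower()).strip()

def word_overlap(a: str, b: str) -> float:
    """Jaccard similarity of the word sets: 1.0 means the same words, 0.0 means none shared."""
    wa, wb = set(normalize(a).split()), set(normalize(b).split())
    if not wa or not wb:
        return 0.0
    return len(wa & wb) / len(wa | wb)

def char_similarity(a: str, b: str) -> float:
    """Character-level similarity (0.0 to 1.0) that catches small edits like dropped plurals."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def is_minor_variation(old: str, new: str,
                       word_threshold: float = 0.5,
                       char_threshold: float = 0.8) -> bool:
    """True when `new` is the kind of tweak an attacker would guess from a leaked `old`."""
    return (word_overlap(old, new) >= word_threshold
            or char_similarity(old, new) >= char_threshold)

def check_new_passphrase(new: str, history: List[str], min_words: int = 4) -> Optional[str]:
    """Return a rejection reason, or None if `new` is acceptable against the pass-phrase history."""
    if len(normalize(new).split()) < min_words:
        return f"passphrase must contain at least {min_words} words"
    for old in history:
        if is_minor_variation(old, new):
            return "too similar to a previous passphrase"
    return None

if __name__ == "__main__":
    for cand in CANDIDATES:
        verdict = check_new_passphrase(cand, [EXPOSED_PASSPHRASE])
        print(f"{cand!r}: {'accepted' if verdict is None else 'rejected (' + verdict + ')'}")
```

Both checks are needed: the plural-dropping candidate shares too few whole words to fail the word test but is caught by the character test.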
In my opinion, passwords are not going to be obsolete anytime soon. The problem is that there is nothing else available that is more secure. You can name many alternatives that bring simplicity to the end user like fingerprint, iris recognition, AI pattern recognition, but those are less secure. The odds for brute force are a lot higher than a long complex password. The problem with alternatives does not end there: every secure system can be compromised, so how do you renew it? You cannot renew your fingerprint or your eye retina. As for the AI pattern recognition, it’s a newcomer and promising but it has not been proven yet. What the user wants is simplicity and security, both. As Eric mentioned in this post, it’s risky to use a password manager since all your passwords could be compromised. So what about using a password manager that does not save or ask the user to enter their passwords? I know one that can do that, PasswordWrench. If someone’s account gets hacked, the only thing they are going to see is password cards and some hints but not the passwords. They are secured because they’re inside the mind of the user. So here we have something that brings simplicity, can manage and create complex passwords and that is hacker-proof.