Tuesday, January 17, 2012

More on the Awesomeness of Passwords

Yesterday, we posted Why Passwords Are Great.

Today, the WSJ tech blog has a post that takes the subject further.

Why Password Security Lives On (Wall Street Journal)

The WSJ post also links to the research paper (PDF) that spawned the recent, nuanced views of what the password has going for it as an ID management technology, which is plenty. Any technology that is as ubiquitous as the password, while also being as irksome, is performing a valuable service at a tolerable price.
"Passwords, though unloved, deserve some words of praise. They have brought us this far: they are the means by which two billion Internet users access email, banking, social networking and other services. They are essentially free from the service provider viewpoint, and are readily understood by users. They allow instantaneous account setup. Revocation is as simple as changing the password. Those who forget their passwords can be emailed either reset links or the passwords themselves (this practice, though insecure, is common for low-value sites). All of this is automated and instantaneous. They allow access to one’s accounts from anywhere in the world assuming nothing more than a simple browser. Sophisticated users can protect themselves from many of the threats."
The part about them being essentially free requires qualification (which the authors offer), but that's a pretty impressive list.

But this is a biometrics blog. Biometrics don't need to supplant the password altogether. For the moment they can't at a tolerable cost. But here are two (there are more) instances where biometrics can and should be used to limit the risks organizations expose themselves to by over-reliance upon passwords.

♦ Databases of customer information should be biometrically protected. Protecting individual accounts with passwords is fine, but at a certain size, all databases of user/customer information should be protected with biometrics.

♦ Biometrics can also be used to overcome some of the limitations of passwords. In one sense, they can allow for more complex passwords that change more frequently and are hence more secure (e.g., a fingerprint sensor on a laptop). They can also be used to bring back the simplicity of the PIN in use models where ease of memorization is important.