The Password Problem: A Call for Stronger Authentication

Passwords must die.

At least, that was a theme of the Gartner Identity and Access Management Conference I recently attended. And you don’t have to be a security expert to see that our traditional system of “think of something you can easily remember” passwords is broken. Between guessing, brute-force attacks, keyloggers, socially engineered cons, and simply breaking in and stealing them outright from a database, as in a recent attack on Yahoo, users are in a difficult situation.

For one thing, too many of us aren’t using strong passwords to begin with. This year’s breach of millions of Yahoo! Voice user passwords demonstrated our unwillingness to remember long, challenging combinations of numbers, letters and symbols: “password” was among the most common passwords in the stolen set. Another problem is that our passwords are only as effective as the security of the organization storing them. It does us no good to have the longest, most cryptic password possible if someone simply breaks in and steals it from our email provider. 2012 was littered with disclosures of stolen passwords and password hashes from major sites, including LinkedIn, Zappos, eHarmony and Last.fm, to name a few.

Salt is Great, But Sometimes You Need More Ingredients

There have been many blog postings lately on the value of salting passwords to prevent attackers from recovering the actual password values. Salting is a very effective tool when implemented properly (a unique random salt per password, combined with a deliberately slow hash), but the problem is bigger than salting. Attackers are able to access the systems where the passwords are stored, and once they own the system they can pretty much do whatever they want. Most will take the entire credential database and try to crack the hashing scheme offline, where a salt raises the cost of cracking but does nothing to save a weak password. In addition, a lot of credential stores also include various bits of information about the users who own the passwords. Hashing and salting passwords is not enough: corporations need to go the next step of not only treating these stores as the highly sensitive crown jewels of the company, but also putting controls on the systems that hold them to prevent or thwart the attacks in the first place.
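To make the “salting helps, but only so much” point concrete, here is an added example (not code from the original post) that contrasts an unsalted SHA-1 table, the format in which several 2012 dumps leaked, with per-user salted PBKDF2-HMAC-SHA256 records, and runs the same small dictionary attack against both. The usernames, the wordlist and the leaked values are constructed for the demo; the iteration count is a tunable parameter because production deployments should use a far higher cost than a quick demo can afford.

```python
import hashlib
import hmac
import os

# Production-grade work factor for PBKDF2-HMAC-SHA256; the demo passes a smaller
# value so it finishes quickly. Tune for your hardware and threat model.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """A bare, unsalted SHA-1 digest: the weak scheme the 2012 leaks exposed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is drawn for every call, so two users with the same
    password get different records and no precomputed table applies.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo!r}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Attacker's view of an unsalted dump: hash each candidate ONCE, then look up every user.

    Returns (recovered {user: password}, number of hash computations spent).
    """
    table = {unsalted_sha1(word): word for word in wordlist}
    recovered = {user: table[digest] for user, digest in leaked.items() if digest in table}
    return recovered, len(wordlist)


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """With per-user salts there is no shared table: every (user, candidate) pair is a full PBKDF2 run.

    Returns (recovered {user: password}, number of PBKDF2 computations spent).
    """
    recovered, work = {}, 0
    for user, record in leaked.items():
        for word in wordlist:
            work += 1
            if verify_password(word, record):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    # Constructed sample data: two users share the weak password "password".
    wordlist = ["123456", "password", "letmein"]
    unsalted_dump = {
        "alice": unsalted_sha1("password"),
        "bob": unsalted_sha1("password"),
        "carol": unsalted_sha1("correct horse battery staple"),
    }
    salted_dump = {user: hash_password(pw, iterations=1_000)
                   for user, pw in [("alice", "password"), ("bob", "password"),
                                    ("carol", "correct horse battery staple")]}

    print("unsalted: alice and bob store identical hashes:",
          unsalted_dump["alice"] == unsalted_dump["bob"])
    print("unsalted crack:", crack_unsalted(unsalted_dump, wordlist))
    print("salted:   alice and bob store identical records:",
          salted_dump["alice"] == salted_dump["bob"])
    print("salted crack:  ", crack_salted(salted_dump, wordlist))
```

Two things are worth noticing in the output. The unsalted dump gives the attacker every user who chose “password” for the price of three hash computations, and the identical digests tell them which accounts share a password before they crack anything. The salted records cost one slow PBKDF2 run per user per guess and hide the sharing, yet “password” still falls for both users: the salt bought time, not safety, which is exactly why the stores themselves need to be locked down and users steered away from weak choices.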

The Power of Passwords

When news broke that passwords may have been compromised at some very popular web sites, I immediately thought “Where else am I using that same password?” I, like many others, sometimes reuse passwords even though I know better.  The last 48 hours of password leaks should serve as a wake-up call for consumers and businesses alike.

The fact is that, even in the workplace, users are likely to use the same password to access any number of personal and business resources. It’s a big problem, and businesses can lose millions of dollars if just one employee’s account is compromised and leads to the loss of sensitive corporate data.

So, what are we to do? Rather than dive into salted hashes (see my colleague’s post on What’s @ Stake for that), in this post I want to focus on best practices for protecting your information.

Keys to Security: More than Just a Password

Imagine for a moment that someone stole the key for your bicycle lock. But since it’s locked safely in your garage anyway, it’s no big deal, right?

Now imagine that, for convenience, you had previously rekeyed every other lock you have so you could use that bike lock key in all of them. Your front door, your car, your mailbox and your safe deposit box at the bank are only secure if you keep that one key safe. Now how would you feel if you lost it?

Of course, nobody would be so careless as to make one key fit every lock, right? Well, take a moment to consider how many dozens of online accounts you have. How many of them use the same password? Think about what would happen if just one of those sites was hacked, and someone got a hold of your login information.

Passwords are nowhere near useless in the era of mobile apps

Recently a friend of mine lost her smartphone. She sent out a message to all her friends in her social network about how she wouldn’t have a phone for a few days. She also did the right thing and went to her mobile carrier and reported it lost, turning the service off. Unfortunately, she wasn’t using any smartphone feature to find her phone or remote-wipe it. But at least she was able to make sure it had no access to rack up her phone bill.

All good right?

Unfortunately, her smartphone did not require a passcode to access the apps. Ugh. I asked her about this and she replied that it was no big deal because she didn’t have any really private information on there, and if so, the phone had no 3G access anymore to send anything off of it. Also, her password would be required to sync the data off of it.