Death To Passwords
A close friend forwarded me a note from a relative who was trying to solve a password-management problem. What was going to be a short statement of opinion turned into a moderately-humorous manifesto, and I thought I’d share (lightly edited).
I certainly empathize with your password management situation. Passwords are, actually, horrible security mechanisms and it is my opinion that they should be done away with altogether. Problem solved: No passwords means no password management headaches.
So, how do you prove you’re who you are? How do your systems trust who you say you are? A token. A “key”. A physical and logical item possessed by the user. Something they can lose, or get stolen, or drop in their coffee mug, but it doesn’t matter, because it’s useless without them leashed to it, and it can be reproduced by authorized personnel in a jiffy.
The security industry likes calling it “two-factor authentication”: the two factors being something you have (the token) and something you know (the sentence uttered by your first girlfriend when she dumped you, song lyrics, the title of a book … whatever). Behind the scenes we shift from password management (gross and abhorrent) to key management (fun and exciting!).
Encrypted-key security is the only managed authentication scheme I have rolled out in client environments for the last 7-8 years. It can be “difficult” to wrench into an existing infrastructure, changing the culture, disrupting the status quo, but technologically it is a vastly superior solution to identity management.
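As an added illustration (my own constructed code, not part of the original note and not any product’s protocol), here is the “something you have / something you know” split in miniature: the token holds a device secret wrapped under a key derived from the passphrase, and authentication is a challenge-response in which neither factor ever leaves the user. Round count and field names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for the deployment's hardware


def provision(passphrase: str) -> Tuple[dict, bytes]:
    """Issue a token: the device secret is stored wrapped under a key derived from
    the passphrase; the verifier keeps the plain secret (shared-secret model)."""
    salt = os.urandom(16)
    device_secret = os.urandom(32)
    keys = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    wrap_key, mac_key = keys[:32], keys[32:]
    # One-time-pad wrap: wrap_key is unique per token because the salt is random.
    wrapped = bytes(a ^ b for a, b in zip(device_secret, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}, device_secret


def unlock(token: dict, passphrase: str) -> Optional[bytes]:
    """Something you know unlocks something you have; a wrong passphrase yields None."""
    keys = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), token["salt"], PBKDF2_ROUNDS, dklen=64)
    wrap_key, mac_key = keys[:32], keys[32:]
    expected = hmac.new(mac_key, token["salt"] + token["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, token["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(token["wrapped"], wrap_key))


def respond(device_secret: bytes, challenge: bytes) -> bytes:
    """Token side: prove possession of the unlocked secret without transmitting it."""
    return hmac.new(device_secret, challenge, "sha256").digest()


def verify(verifier_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(respond(verifier_secret, challenge), response)


def authenticate(token: dict, passphrase: str, verifier_secret: bytes) -> bool:
    """Full exchange: fresh challenge, unlock, respond, verify. Token alone or
    passphrase alone fails; a captured response is useless against a new challenge."""
    challenge = secrets.token_bytes(32)
    device_secret = unlock(token, passphrase)
    if device_secret is None:
        return False
    return verify(verifier_secret, challenge, respond(device_secret, challenge))
```

With a public-key token, as in the PGP-style schemes the note points at, the verifier would hold only a public key instead of a copy of the secret, which removes the verifier’s database as a place to steal tokens from.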
The de facto standard is PGP [1], although there are a lot of players in this market with varying quality of products, some aiming at various vertical markets. The first link below gives a nice picture of how the various systemic pieces tie together.
I know I didn’t answer your question (people tell me that a lot), but I can’t in good faith recommend password management. I haven’t been able to since 1999 or so, and certainly can’t as 2009 winds down. Sure, there are things you can do – the DoD uses the Mandylion [2], which you can buy on ThinkGeek [3] for $50 – but it doesn’t solve the actual problem of secure identity management. Please pardon the crudeness, but it’s like putting whipped cream on dogshit.
[1] http://www.pgp.com/products/index.html
[2] http://www.mandylionlabs.com/
[3] http://www.thinkgeek.com/gadgets/security/91a2/