The National Institute of Standards and Technology (NIST) is once again considering the death and eradication of the traditional password. NIST’s senior standards and technology advisor Paul Grassi recently stated that the agency is debating updating the password usage requirements set forth in NIST guide 800-63 to recommend stopping the use of passwords in both government and private enterprise systems.
Grassi notes that a driving factor for the shift is that passwords are becoming increasingly vulnerable to attack. Poor end-user password practices and weak administrative system policies continue to make password-authenticated systems the subject of brute-force attacks.
But the question remains, is a world without passwords truly an achievable goal?
The simple answer – in a perfect world – is yes. What would be ideal is for every app, website and SaaS vendor to subscribe to a common standard of strong authentication and/or federation which would eventually make passwords obsolete.
However, given the current enterprise landscape (even into the near future), I’d caution executives not to hold their breath. The world we live in is imperfect, and legacy vendors are slow (if ever) to adopt standards around authentication. In addition, newer applications, including SaaS and mobile, are more focused on delivering functionality than on delivering secure solutions.
Another challenge is the lack of a common, non-password-based standard. It’s one thing to support initiatives to make passwords a thing of the past, but it would be wise to also pragmatically recognize that for the vast majority of enterprise systems, passwords remain a reality with which we must cope. With the presence of this current paradigm, enhanced password management and governance are of paramount importance.
We continue to hear that password management is a pain point for most organizations and ultimately, their end users. With the right tools in place, organizations can enforce enhanced practices including: robust password policies like password strength, complexity and expiration, and easy to use end-user password management tools. With these capabilities in place, organizations can ensure that all users have more secure passwords across all applications – reducing the risk of a data breach.
What’s your organization doing to battle the insecurity of the common password?