As more of our life moves online we still are looking for an identity management scheme that is practical, secure and scalable. Don't hold your breath.
As more of our lives go online, there is an ongoing search for an identity management scheme that is practical, secure and scalable. To paraphrase U2, we still haven’t found what we’re looking for.
For the time being, we must do a better job of managing the passwords we now have.
The urgency of the search is brought home repeatedly by breaches that expose passwords, online accounts and their owners to fraud and abuse. A recent high-profile incident was the LinkedIn debacle in June that resulted in the theft and posting of 6.5 million user passwords.
The LinkedIn breach is troublesome because as a professional networking site its users represent high-value targets, many of them in government, and it presents a trusted vector for phishing attacks.
In one way, this is an easy problem to fix. Everybody on LinkedIn, or at least those whose passwords were exposed, should have changed their passwords by now. Most security experts recommend doing this regularly anyway. But that does not address the larger problem of managing passwords or the challenge of replacing them with something better.
On the surface passwords are practical, simple credentials that provide adequate security for most needs. The challenge comes when they have to scale, either for users managing multiple accounts or for enterprises managing many users. The problems are too well known to warrant going into detail here. We all know it is difficult to use secure passwords without reusing or forgetting them and that password resets create headaches for help desks.
Technology for replacing or assisting passwords is available, but the problem is that there is no overarching standard for identity management. That means that no matter how good a token, card or other credential is, you need a separate one for each account you maintain, and that becomes expensive and inconvenient.
The government addresses this challenge in its National Strategy for Trusted Identities in Cyberspace, which envisions an identity ecosystem with a number of standardized identity management schemes from which consumers can choose. It would not be one-size-fits-all; consumers would have a wide selection of tools to choose from, and because they would work across multiple platforms we would have a limited number of credentials to manage.
A laudable goal, but one we have not yet achieved. Despite a proliferation of digital certificates, tokens and passkey generators, we still have to manage dozens of password-protected accounts. So, like it or not, we need to manage those accounts and their passwords securely.
You have seen by now the recommendations for secure passwords many times. They should be long, complex, difficult to guess and impossible to remember, but you should never, ever, write them down or reuse them. Any scheme you use to simplify passwords for yourself, someone else can use to break them. But for the time being we have little choice but to bite the bullet and accept these apparently contradictory requirements.
There are a couple of things that can help. First, prioritize your accounts. You can use and reuse simple passwords on low-level accounts with a minimum of risk if you do not use the same passwords on important accounts. By minimizing the number of high security passwords you need, it will be easier to use and manage them.
And take advantage of password management tools that are available. None is perfect or perfectly secure, but they can help lower your risks and raise the bar for hackers while we are waiting for the perfect scheme to arrive.