Stunned pundit agrees with Gates over passwords
Biometrics and smartcards are the future
Sometimes people make mistakes, and have to admit that they made a mistake. One of the most interesting mistakes I know of was made by Hartmann Schedel, a physician and cartographer who lived in Nuremberg (in what is now Germany) in the late 15th century.
Schedel's most famous work was published in 1493: Liber Chronicarum, or as it is more famously known, the Nuremberg Chronicle, an illustrated history and geography of the world from Creation to Schedel's present day. The Chronicle was an amazing achievement. Not only was it one of the first map collections created using the then still-new invention of the printing press, but it also contained many maps of countries, and even cities, that hitherto had never been drawn.
Schedel was a devout Christian of his time, and he believed that history could be divided into seven Ages:
- Creation to Noah
- Noah to Abraham
- Abraham to David
- David to the Babylonian Captivity
- Babylonian Captivity to the birth of Jesus
- Birth of Jesus to the Last Days
- The Age of the Antichrist
Schedel believed he was living in the 6th age, the Last Days of the world, and that the Antichrist would return soon for the final battle, which would precipitate the Last Judgment and the end of time. Consequently, he figured that the Chronicle was pretty much the final word on the earth's - and humanity's - history. Being a sensible man, however, he left a few pages blank at the end of the Chronicle, so that if anything interesting happened during the Last Days, readers could fill it in.
Actually, something kind of important happened after the Chronicle was published, and, unfortunately for Schedel, a couple of blank pages weren't enough: Columbus' discovery of the New World was announced shortly after the publication of Schedel's work. Oops.
To my knowledge, Schedel, who died in 1514, never admitted his mistake.
I wish to admit an error that I've made, though: I am hereby admitting that Bill Gates is right.
Just a few days ago, the Microsoft maestro had this to say about the passwords that we have to deal with all of the time:
"A major problem for identity systems is the weakness of passwords. Unfortunately, with the type of critical information (protected by) these systems, we aren't going to be able to rely on passwords. Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this."
Now, I often don't agree with Gates - in fact, I quite rarely agree with him, or with Microsoft - but I must grudgingly give him credit for the above statement. He's right.
Anyone reading this knows that passwords are a real hassle, for a wide variety of reasons.
- Sheer numbers of passwords
We all have to remember far too many passwords. Websites, email, websites, computer log ons, web ites, root or Administrator access, websites, and did I mention websites? We either try to remember all these different passwords, which is impossible, or we write them down, or store them in a Palm or a password safe-deposit box-type program, or we just re-use the same passwords over and over, thus opening ourselves up to catastrophic loss if one password is compromised.
- Users suck at password management
Anyone who's ever pulled time doing sysadmin tasks knows that to be true. Users try to slide by with passwords that a ten-year-old could crack, or they write them on sticky notes, or (it's my favorite and I know it's yours) they forget them constantly so you have to re-enter them. Every week. And I'm not even going to talk about the users who are willing to give up their passwords for chocolate bars.
- Unique identification
Passwords don't uniquely identify me. Anyone who knows my username and password can access resources intended for me, even if they're not really me. A password, after all, is just a string of characters. How does that uniquely identify the real me?
- Flimsy protection
My online banking records are protected by that same string of characters, and that's it. If you can finagle from me, or guess, or steal, those characters, then you're in like Flynn, baby. My finances are yours. Or my personal data on my computers. Or my email. And on and on. That's not much real protection, is it?
There's gotta be a better way, and I think Gates may be on to something. Bank ATM cards work securely because they combine two forms of authentication: something you have (an ATM card) and something you know (a PIN). It doesn't matter that most people's PINs are easy - in order to make use of that information, you must have the ATM card, and that presents an additional hurdle that's often enough to make simple ATM fraud difficult.
Asking people to use a two-factor form of authentication would go a long way toward alleviating a lot of the problems I outlined above. Instead of asking folks to remember strings of characters, a card and a thumbprint would vastly simplify things while providing much more certainty that the person is who she says she is.
I have my concerns, of course. When it comes to biometrics, I'm concerned. It's far too easy to fool biometric systems, although things will undoubtedly continue to improve. A better question concerns what is done with the biometric data, and what kinds of biometric data are used. Thumbprint? I'm a little queasy at it, but not much, especially since most biometric systems don't actually store the print itself, just a mathematical "hash", if you will, of the print. But DNA? Uh-uh. No way. I agree with those opposed to the idea of governments being able to access the DNA of anyone they arrest for a felony; I have even less fervor for the idea of corporations, under far less oversight than governments, having access to the building blocks of our bodies.
The idea of smart-cards intrigues me, however. Believe it or not, even AOL, with it's famously technologically-sophisticated user base (yes, I'm being sarcastic), has gotten into the act. For only $2 per month, AOL customers can use an RSA Secure-ID card to authenticate themselves to access potentially-sensitive areas of the AOL environment. Jokes aside, this is a good thing. The price is reasonable, although if every service charged $2 for the ability to use a Secure-ID token, the average consumer would be overwhelmed with payments.
The biggest problem, as always, comes down to an open standard. A universal scheme to ensure better authentication through the use of smart cards, or even smart cards plus biometrics, will only succeed if Microsoft doesn't own the standard, or the patent, or anything else that it intends to use to control this new direction in security. And for "Microsoft", you can substitute the company or organization of your choice. If we want a better scheme to work, then it must be an open standard - and open in the sense that open source developers can use it, without fear of licensing or patent issues. Without an open standard, we're looking at discreet archipelagos of authentication, instead of a universal, and universally useful, method of improving the ways we verify who are. I can't say I'm hopeful. Patent greed seems to be clouding the judgement of every company involved in IT these days.
We're not in the Last Days - it's been over 500 years since Schedel left those pages blank at the end of the Liber Chronicarum - but we're hopefully seeing the last days of passwords and all the annoyances they bring. As for me, I say the sooner the better. How about you? Would you be willing to carry around a smart card if it meant one less password? Or would you willingly use biometrics to verify yourself, if that meant fewer passwords? Add a comment and tell us your thoughts.
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.
Sponsored: Becoming a Pragmatic Security Leader