The security industry has been predicting the death of the password for at least a decade. In 2004, even Bill Gates said we would rely less and less on passwords over time. But now it's 2012, and even though Google offers two-factor authentication and World of Warcraft fans can use the Blizzard Authenticator, the majority of the world still relies on a single password to protect their email, banking sites, and computers.
The unfortunate fact is passwords are going to be around for a long time. They are the basic authentication mechanism built into everything from home wireless routers to enterprise mainframes. To really get beyond the traditional password, we would need a new technology that can provide true seamless and secure authentication (and authorization) without requiring the memorization of complex, difficult-to-remember sequences of letters, numbers, and symbols.
We've definitely seen plenty of technologies, such as hardware tokens and biometrics, that have helped with the latter area (memorization), but nothing with the former. We haven't seen any solutions that have been low-cost enough to become pervasive and eliminate the need for passwords. Simply put, we're stuck with passwords because they are easy to use, easy to implement, and cost nothing--except for the inherent risks that come with using something so easy to steal.
In my personal experiences performing penetration tests and responding to security breaches, I see a clear pattern of common password pitfalls that people fall into: password reuse, password sharing, poor password selection, and bad password storage practices.
What's surprising is it doesn't seem to matter whether the users of the passwords are technically savvy. The same mistakes occur among secretaries, network administrators, and even members of the security team.
The most common--and, typically, most damaging--issue is password reuse. Because of the sheer number of business-related and personal passwords that users are required to remember, users regularly use the same passwords on their personal email accounts as they use to log in to their computers at work. Sometimes users will create a small set that they use based on their general purpose, such as "March!82006" for all of their business accounts and "JustinBisCute!" for their personal accounts. The concern is that a compromise of one account puts all of the others at risk as well.
When picking endpoint protection software, step one is to ask users what they think. Also in the new, all-digital Security Software: Listen Up! issue of InformationWeek: CIO Chad Fulgham gives us an exclusive look at the agency's new case management system, Sentinel; and a look at how LTE changes mobility. (Free registration required.)