Last password standing

LastPass reported a security incident on their blog this week. How bad was it, really?

Let's start with the headlines:


LastPass in their own words is a 'pioneer in cloud security technology. LastPass provides award-winning password and identity management solutions that are convenient, effortless, and easy to manage.'

This is the problem for every company that claims its name is a synonym for security. The marketing department has to convince customers that nothing, absolutely nothing, could be more secure. Meanwhile, its security people go to work each day hoping that today is not the day, because they know how a single mistake can turn into a breach.

They have to be right every time. The hacker has to be right only once.

Was it the first security incident there? No, it wasn't. There have been 6 other (publicly disclosed) incidents in the past. It is a tough business.

But this post is not about Lastpass as a company.

This latest incident is a symptom of what's wrong with the computer industry: We are still using passwords!

The password is a cruel joke played by developers on the rest of humanity. It reflects their unwillingness to build technology that is easy to use and secure at the same time.

One study promoting the use of software like LastPass suggested that people have about 100 passwords. I don't think the number is accurate, since the study was done by one of the makers of password management software. But even at half, or a quarter, of that, you are still left with a pile of nonsense to remember.

That's where developers try to outdo each other. It's no longer enough to have a 6-character password. It has to be 8, and it has to have lower case, upper case, numbers and special characters.

Why stop at 8 when we can demand 10 or 12 characters, changed every 30 days and never repeated? Then others come up with the 'clever' technique for creating a memorable password: take the name of your favorite pet, spell it backwards, replace o with 0, e with 3, n with _ and 1 with !, and add the last four digits of an 8-digit prime. It is that simple.

When you, as a stupid person, ask "Why do we have to use such complex passwords?", the answer is "So it can resist a brute force attack, you dummy!"

Ok, then explain to me why my bank card needs only a 4-digit PIN to access my bank account?!

Banks settled on 4 digits as the most their clientele can reliably remember, and it is enough because the PIN does not carry the load alone: the attacker also needs the physical card, and the card is blocked after a few wrong guesses (typically three). With 10,000 possible PINs and three tries, a guesser has a 0.03% chance per card. A password typed into a web form gets none of that protection once the server's password database is stolen; the attacker can then try billions of guesses offline, with nothing to block them.

Rather than building systems that can resist such attacks, developers make you suffer for it. And companies like LastPass can justify their existence.

Of course the irony is that while you are required to create, memorize and use these monstrosities, the hackers walk around all this masterful security and lift the improperly stored complex passwords directly from the server, as they did when they harvested 1.2 billion usernames and passwords from around the Internet.
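To make the PIN-versus-password point concrete, here is an added example (my own code, not LastPass's and not any bank's real implementation) that simulates the two attack models from the paragraphs above: an attacker guessing a 4-digit PIN through an online verifier that blocks after three failures, and the same attacker guessing against a stolen, unsalted hash of that PIN, where nothing stops them. The lockout threshold of three, the sample PIN "4821" and the choice of plain SHA-256 as the "improper storage" are constructed assumptions for the demonstration.

```python
"""Online guessing with a lockout (the bank-card model) versus offline
guessing against a stolen hash (the web-password model).

Added example for this post; not LastPass code and not modelled on any
specific bank. MAX_FAILURES, the sample PIN and the SHA-256 storage are
assumptions chosen for the demonstration.
"""
import hashlib
import hmac
import itertools
from typing import Optional, Tuple

MAX_FAILURES = 3            # assumed policy: block the card after 3 wrong PINs
PIN_ALPHABET = "0123456789"
PIN_LENGTH = 4


class PinService:
    """The only interface an attacker without the secret gets: one guess per
    call, and the service blocks itself after MAX_FAILURES wrong guesses."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self.failures = 0
        self.blocked = False

    def verify(self, guess: str) -> bool:
        if self.blocked:
            return False
        # constant-time comparison so the failure path leaks no timing hint
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.blocked = True
        return False


def online_bruteforce(service: PinService) -> Tuple[Optional[str], int]:
    """Walk the whole PIN space through the online verifier.
    Returns (recovered PIN or None, number of guesses the attacker got to make)."""
    guesses = 0
    for chars in itertools.product(PIN_ALPHABET, repeat=PIN_LENGTH):
        guess = "".join(chars)
        guesses += 1
        if service.verify(guess):
            return guess, guesses
        if service.blocked:
            return None, guesses
    return None, guesses


def fast_hash(secret: str) -> bytes:
    """Unsalted SHA-256: the kind of 'improper storage' a leaked database exposes."""
    return hashlib.sha256(secret.encode()).digest()


def offline_bruteforce(leaked_hash: bytes, alphabet: str, length: int) -> Tuple[Optional[str], int]:
    """Walk the same space against a stolen hash. Nothing can block the attacker;
    the only cost is one hash computation per candidate."""
    guesses = 0
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        guesses += 1
        if hmac.compare_digest(fast_hash(candidate), leaked_hash):
            return candidate, guesses
    return None, guesses


def online_success_probability() -> float:
    """Chance a guesser beats the lockout: tries allowed over the PIN space."""
    return MAX_FAILURES / len(PIN_ALPHABET) ** PIN_LENGTH


if __name__ == "__main__":
    secret_pin = "4821"  # constructed sample secret

    found, tries = online_bruteforce(PinService(secret_pin))
    print(f"online: recovered={found} after {tries} guesses, "
          f"success chance per card {online_success_probability():.2%}")

    found, tries = offline_bruteforce(fast_hash(secret_pin), PIN_ALPHABET, PIN_LENGTH)
    print(f"offline: recovered={found} after {tries} guesses")
```

Run it with python3: the online attacker gets three guesses and a 0.03% chance per card, while the offline attacker recovers the same PIN in under 5,000 hash computations. Growing the secret from four digits to eight mixed characters only enlarges the offline search; the lockout and the possession of the physical card are the system properties the post is asking developers to build instead. Storing a salted, deliberately slow hash (PBKDF2, scrypt, Argon2) raises the per-guess cost of the offline search and is the other half of that design.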

Yes, passwords had their time in history, and that is where they belong. It is time to move on. There are vendors and companies building better systems, who take the time to think hard about making their systems secure and more user-friendly at the same time.

I mentioned the demise of BlackBerry devices the other day. Notably, the BlackBerry was one of the first devices you could unlock without a password. Today, your Apple devices can be unlocked just by looking at them or by touching the fingerprint sensor. Meanwhile, companies like Plurilock provide real-time, continuous authentication (behavioral biometrics) based on your own movement patterns.

I hope that complex, 'secure' passwords will be one pattern that ceases to exist. We have better things to do than memorize passwords.
