It's not the Network! Ok, maybe it's the network...

Jason Rahm


Killing my passwords (with his tools)

As I prepped for this password-killing journey, I couldn’t get the Fugees’ “Killing Me Softly” out of my head. Lauryn Hill kills it in that song (pun intended). So I wrote a little intro you can hum along to the tune…I’ll wait.

Feeling my pain with this access,
Attacking my sites with his scripts,
Killing my passwords with his tools,
Killing my passwords with his tools,
Telling the whole world, I’ve been p0wned,
Killing my passwords with his tools.

So we’re not killing anyone, and I am no lyricist, but everyone wants to kill the password, right? Certainly the security folks wish for a day when a physical walk through the office doesn’t turn up a password taped to the keyboard, the monitor, or, for the really sneaky, under the mouse pad. For those fortunate enough to get through a physical sweep with no evidence lying around, routine directory audits that reveal passwords long listed among the top 100 worst passwords lead to abundant facepalm moments.

Users don’t like passwords and password maintenance, and security professionals don’t either. So is 2017 the year we can kill the password?

Unfortunately, the safe answer is still a solid no.

The quick reason comes back to the tenets of multi-factor authentication: something(s) you know, something(s) you have, and something(s) you are. The more of those independent factors you can check, the better the system can establish that you are who you claim to be. If you eliminate the something you know outright, without a means of strengthening the other two, well, I’m guessing you’ve seen enough sci-fi, and enough of the very real talks at various security conferences, to know that what you have and what you are can both be defeated. What you have (a phone, a token) can be stolen, cloned, or hijacked, and what you are (biometric data) can be lifted and replayed. Articles abound on fingerprint bypass techniques, and even eye-based scanners aren’t without peril: one researcher bypassed a phone’s iris scanner with little more than a high-resolution photo!
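To make the "something you know plus something you have" combination concrete, here is an added example (my own code for this edit, not from the original post and not BIG-IP or F5 code) of a login check that requires both a password and a time-based one-time code of the kind Google Authenticator produces (RFC 6238 TOTP over RFC 4226 HOTP). The account class, the PBKDF2 parameters, and the test secret (the RFC’s own sample key) are assumptions for illustration; the replay guard shows why a bare "code matches" check isn’t enough on its own.

```python
"""Two-factor login check: something you know (a password) plus something you
have (a TOTP code from an authenticator app). Added example, not from the post."""
import base64
import hashlib
import hmac
import os
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    pad = "=" * (-len(secret_b32) % 8)          # tolerate unpadded base32
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


def hash_password(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumed policy; stands in for your real KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class Account:
    """Hypothetical account record: password hash plus enrolled TOTP secret."""

    def __init__(self, password: str, totp_secret_b32: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret_b32
        self.last_counter = -1   # highest time-step already accepted (replay guard)


def authenticate(acct: Account, password: str, code: str, unix_time: int,
                 step: int = 30, window: int = 1) -> bool:
    """True only if BOTH factors check out. A code is accepted for the current
    time-step +/- `window` steps (clock drift), and a time-step that was already
    consumed is never accepted again, so a sniffed code cannot be replayed."""
    # Always evaluate the password, even if the OTP fails, to avoid a timing oracle.
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

    counter = unix_time // step
    accepted = None
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= acct.last_counter:
            continue   # replay: this time-step (or an earlier one) was already used
        if hmac.compare_digest(hotp(acct.totp_secret, c), code):
            accepted = c
            break

    if pw_ok and accepted is not None:
        acct.last_counter = accepted   # consume the time-step only on full success
        return True
    return False


if __name__ == "__main__":
    # RFC 4226/6238 sample key: ASCII "12345678901234567890" in base32.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    acct = Account("correct horse", SECRET)
    print(authenticate(acct, "correct horse", totp(SECRET, 59), 59))   # True
    print(authenticate(acct, "correct horse", totp(SECRET, 59), 59))   # False: replayed
```

The password check alone is the thing this post says you can’t drop yet; the OTP check alone is what an attacker gets to work with if you do. Note that `last_counter` moves forward only when both factors pass, so a valid code paired with a wrong password neither logs the user in nor burns the code.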

My recommendation: while deploying a password-less system is possible, in most cases it will weaken your access security posture, thereby increasing your risk of compromise.

Is there hope?

That doesn’t mean there isn’t hope on the horizon, though the password will “have a long tail.” Google has a couple of projects, Abacus and Trust API, which combine biometric data (voice, face, fingerprint, etc.) with device behavioral analysis to build a trust score, against which apps can then accept or reject a login at thresholds of their choosing. My password manager, Dashlane, is also collaborating with Google on OpenYOLO, which is built on a similar (or the same? hard to tell at this point from the information available) trust API.

Forget the risk, show me how!

Sorry, I’m not going to bite. It wouldn’t be responsible of me, during security month no less! Yes, of course it’s possible; you’re talking about BIG-IP! In fact, if you take any of the 2FA/MFA articles we’ve written on Google Authenticator or YubiKey, you can easily customize those solutions to remove the password requirement. Those resources are:

For now, though, keep managing those passwords, and maybe next year we'll have a new story to tell!


More Stories By Jason Rahm

Experienced predominantly in the networking realm over the last dozen or so years, Jason is expanding his horizons towards systems management and even trying his hand at python.

Jason assists in the maintenance duties for http://devcentral.f5.com, contributes frequently in the forums, and writes weekly on some cool geekery in the F5 product lines. When not working, Jason enjoys spending time with his beautiful wife Michelle and his four children. He is active and volunteers network administration duties at his church and if there are any remaining minutes in the week, he enjoys Wii & XBOX, tennis, racquetball, softball, etc. He does not enjoy running, but does (scratch that, thinks about doing) it anyway to recover his youthful appearance.