Gartner Blog Network


The Future of Passwords: Put All Your Eggs in One Basket (And Really, Really Watch That Basket) or Stop Using Eggshells as the Foundation of E-Commerce?

by John Pescatore  |  December 17, 2010  |  1 Comment

The security failure at Gawker that exposed thousands of users’ passwords pointed out a number of things:

  1. “password” is no longer the most popular user password – it has finally been eclipsed by “123456”
  2. Many sites have increased the required length of passwords, in a misguided attempt to increase security, so “12345678” is now the 3rd most popular password.
  3. Reusable passwords are to security as eggshells are to foundations – you can’t build the latter on the former.

Now, the Gawker compromise did also point out that if you used Facebook Single Sign-On (Facebook Connect) to log in to third-party sites, instead of entering a local password at a Gawker Media site, then you were OK – Facebook wasn’t compromised (this time), Gawker was.

This approach is often proposed as a solution to the reusable password problem – have one “trusted” central site validate user authentication via reusable passwords and then other sites federate to this one central site. That approach sounds good but always runs into a number of real world problems:

  1. Can you think of a candidate to be that central site who hasn’t had their own security problems?
  2. Many businesses do not want intermediaries between them and their customers – for good reason.
  3. Any central identity service has to be paid for – quite often the “monetization” is by exposing user data or usage patterns.

I’d rather see the Gawker incident increase momentum for alternatives to the reusable password, like the simple use of text messaging for challenge/response or other approaches. Just as it is time for DNSSEC to increase the security of identifying websites, it’s time for user authentication to get stronger. After all, in about 3000 BC the Egyptians figured out the basics of concrete and luckily built the pyramids that way, vs. just piling up rocks.

So, to combine all the various similes, analogies and metaphors I’ve used today, let me quote the well known security philosopher Beyonce, giving voice to the concerns of your identity:

I need no permission, did I mention
Don’t pay him any attention
Cuz you had your turn
But now you gonna learn
What it really feels to miss me

Woo wah woo
Cuz if you liked it then you should have put a ring on it
If you liked it then you should have put a ring on it
Don’t be mad once you see that he want it
If you liked it then you should have put a ring on it

Thoughts on The Future of Passwords: Put All Your Eggs in One Basket (And Really, Really Watch That Basket) or Stop Using Eggshells as the Foundation of E-Commerce?


  1. […] an internal email from Gawker’s CTO outlining lessons learned from Gawker’s recent exposure of thousands of users passwords. There were some good lessons learned about lack of preparedness […]
