John Pescatore

A member of the Gartner Blog Network

John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

The Future of Passwords: Put All Your Eggs in One Basket (And Really, Really Watch That Basket) or Stop Using Eggshells as the Foundation of E-Commerce?

by John Pescatore  |  December 17, 2010  |  1 Comment

The security failure at Gawker that exposed thousands of users’ passwords pointed out a number of things:

  1. “password” is no longer the most popular user password – it has finally been eclipsed by “123456”
  2. Many sites have increased the required length of passwords, in a misguided attempt to increase security, so “12345678” is now the 3rd most popular password.
  3. Reusable passwords are to security as eggshells are to foundations – you can’t build the latter on the former.
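
As an added illustration of items 1 and 2 (example code written for this post, not Gawker's or the author's), the check below shows that a length-only rule happily accepts “password” and “12345678”, while a rule that also rejects the popular values cited above and trivial digit runs does not. The denylist is constructed from just the three passwords named in the post; a real one would be drawn from a full breach corpus.

```python
# Constructed denylist: only the three values the post names. A production
# check would load a much larger list of breached/popular passwords.
COMMON_PASSWORDS = {"123456", "password", "12345678"}


def length_only_policy(pw: str, min_len: int = 8) -> bool:
    """The 'misguided' policy: accept anything of at least min_len characters."""
    return len(pw) >= min_len


def is_digit_run(pw: str) -> bool:
    """True if pw is a run of consecutive digits, ascending or descending
    (e.g. '12345678' or '987654321'), which users reach for when forced to
    lengthen a password."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def denylist_policy(pw: str, min_len: int = 8, denylist=COMMON_PASSWORDS) -> bool:
    """Length requirement plus rejection of known-popular passwords and
    trivial sequences. Returns True only if the password is acceptable."""
    if len(pw) < min_len:
        return False
    if pw.lower() in denylist:
        return False
    if is_digit_run(pw):
        return False
    return True


def compare_policies(candidates):
    """Map each candidate to (accepted_by_length_only, accepted_by_denylist)."""
    return {pw: (length_only_policy(pw), denylist_policy(pw)) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample inputs: the post's top three plus two contrasting cases.
    for pw, verdict in compare_policies(
        ["123456", "password", "12345678", "987654321", "c0rrect-h0rse"]
    ).items():
        print(f"{pw!r:16} length-only={verdict[0]!s:5} denylist={verdict[1]}")
```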

Now, the Gawker compromise did also point out that if you used Facebook single sign-on (Facebook Connect) to log in to third-party sites, instead of entering a local password at a Gawker media site, then you were OK – Facebook wasn’t compromised (this time), Gawker was.

This approach is often proposed as a solution to the reusable password problem – have one “trusted” central site validate user authentication via reusable passwords and then other sites federate to this one central site. That approach sounds good but always runs into a number of real world problems:

  1. Can you think of a candidate to be that central site who hasn’t had their own security problems?
  2. Many businesses do not want intermediaries between them and their customers – for good reason.
  3. Any central identity service has to be paid for – quite often the “monetization” is by exposing user data or usage patterns.

I’d rather see the Gawker incident increase momentum for alternatives to the reusable password, like the simple use of text messaging for challenge/response, or other approaches. Just as it is time for DNSSEC to increase the security of identifying websites, it’s time for user authentication to get stronger. After all, in about 3000 BC the Egyptians figured out the basics of concrete and luckily built the pyramids that way, vs. just piling up rocks.

So, to combine all the various similes, analogies and metaphors I’ve used today, let me quote the well-known security philosopher Beyonce, giving voice to the concerns of your identity:

I need no permission, did I mention
Don’t pay him any attention
Cuz you had your turn
But now you gonna learn
What it really feels to miss me

Woo wah woo
Cuz if you liked it then you should have put a ring on it
If you liked it then you should have put a ring on it
Don’t be mad once you see that he want it
If you liked it then you should have put a ring on it

1 response so far

  • Gawker Does A Mea Culpa, But What About More Secure Code?   December 22, 2010 at 7:51 am

    [...] an internal email from Gawker’s CTO outlining lessons learned from Gawker’s recent exposure of thousands of users’ passwords. There were some good lessons learned about lack of preparedness [...]
