I'll preface what I'm going to say with just a bit of background. I've been actively using computers since about 1981, and the Internet (or some form there of) since about 1983 or 1984. In that time, very little has substantively changed in the worlds of passwords and of email security. The state of attacks against our systems, on the other hand, has changed significantly during that same period of time. Let's explore each of these issues in a bit more detail.
Static, re-used passwords are without a doubt the status quo for the vast majority of systems most people use on a day-to-day basis. In many cases, these same static passwords receive little or no cryptographic protection while they're traversing the dangerous territory of the Internet. Users themselves are notoriously bad at generating passwords that are difficult to guess, and they're equally predictable at using the same (or very similar) passwords across multiple systems.
These facts combine to produce a rather potent attack cocktail: eavesdrop on users' passwords and then use those credentials to gain access to further machines across each user's domain of system usage. Now, combine that with the fact that we've seen a rather significant upturn in attacks that focus on the application (vs. the network or OS layers), and it should give you an idea of just how vulnerable we're leaving our business applications.
Countering this, however, are the available solutions. One-time password mechanisms in both hardware and software forms have been available for some time now. Without a doubt, they go a long way to disarming a significant class of attacks. So, why do you suppose they haven't gained more acceptance than in a few niche areas? The most common reasons for not using them are cost, integration, and, most damning, user acceptance. Even many Web-based financial service companies don't require them for their customers (although there are some notable exceptions, no doubt).
We've just got to find a better solution to the problem, and it has to be perceived, from the CEO on down to the end user, as an enabling technology, not a prohibitive one.
And then there's email security.
When I first started using computers while studying mechanical engineering in college, we were taught that computers were for computing. Big mainframes for modeling differential systems in FORTRAN and the like. When I first saw a computer on a network being used to communicate, it had a profound impact on me that I've never forgotten. However, I had no idea just how insecure the medium was at the time.
The email systems back then were pretty much the same as those available today, at least from a security standpoint. Sure, there are encryption and digital signature add-ons that can be used to make email more secure, but they're rarely used by the masses and are often perceived as the domain of techno-geeks (like me, I suppose). As a result, spam, scams, and phishing attacks are beyond being 'simply' rampant.
Those of you who read my February 2005 column (hi Mom) might recall I talked about the need for authentication in email. It really does come as a shock to many non-technologists that our email today has absolutely no mechanism for authenticating the sender, for all practical intents.
Now, think about the ramifications of that statement a bit.
The usefulness of email is eroding rapidly -- many would say it's already gone. When was the last time you received an email from... say, eBay or Amazon and didn't assume it was a spam or phishing scam? Many of these companies have been the unwitting pawns in phishing attacks and have been finding they can no longer effectively use email to communicate with their user communities.
If we don't start doing a better job at email security, email will die entirely. Some will welcome that, but I sure won't. That epiphany that I experienced back in 1983 is still alive and well for me. Email may well be the worst possible form of electronic communication, but it's better than all the rest. (With due apologies...)
And, to be sure, there are many other problems we should be working on, but these two are rather important ones and we don't seem to be making much progress. Here's to some substantive advances in 2006!