This has gone on long enough. In 2004, Bill Gates predicted the demise of the password: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”
The first known computer password heist occurred 54 years ago and the situation is arguably worse than it was in 1962. The 2015 Verizon Data Breach Report estimated 700 million compromised records in 2014 with a $400 million estimated financial impact. According to Verizon’s Data Breach Digest, 80% of breaches involve exploitation of stolen, weak, default, or easily guessable passwords.
For so many years we’ve talked about why passwords are insecure, unusable, and otherwise just plain bad. Today, we’re taking the next step forward at NIST. It’s time to make a stand against passwords.
The National Vulnerabilities Database is the U.S. government repository of standards-based vulnerability management data. It contains over 75,000 vulnerabilities. Today it contains one more.
Earning the maximum base score of 10.0 and an impact score of ∞, we’ve added the password to the NVD. The Common Vulnerability System Score metrics are unusually severe, with high impacts to each of confidentiality, integrity, and availability. “The analytics proved this one particularly nasty,” said Paul Grassi of the NSTIC NPO. “It’s rare to see a vulnerability that’s permeated so many systems. It’s like wildfire.”
We’ve canvassed the community and have gotten mostly positive feedback.
“The people who ask you for your password are often those least qualified to manage it,” remarked known rabble-rouser John Bradley from Ping Identity. “Passwords have long been passé. Let’s just say NIST is fashionably late to the party.”
Some in industry thought this a foregone conclusion, such as Stu Vaeth from SecureKey: “Well, I suppose this is more like a 19,000-day than a zero-day, but it’s comforting that NIST finally finished the paperwork.”
Others weren’t so sure about the move. Peter Alterman, COO of SAFE-BioPharma and noted ham radio operator, took a predictably contrarian position by declaring that “passwords work fine. It’s people that are struggling to keep up with the pace of the Internet. Totally obsolete.”
We’ll get right on that one.