A previously unknown vulnerability.

This has gone on long enough. In 2004, Bill Gates predicted the demise of the password: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

The first known computer password heist occurred 54 years ago and the situation is arguably worse than it was in 1962. The 2015 Verizon Data Breach Report estimated 700 million compromised records in 2014 with a $400 million estimated financial impact. According to Verizon’s Data Breach Digest, 80% of breaches involve exploitation of stolen, weak, default, or easily guessable passwords.

For so many years we’ve talked about why passwords are insecure, unusable, and otherwise just plain bad. Today, we’re taking the next step forward at NIST. It’s time to make a stand against passwords.

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data. It contains over 75,000 vulnerabilities. Today it contains one more.

Earning the maximum base score of 10.0 and an impact score of ∞, we’ve added the password to the NVD. The Common Vulnerability Scoring System (CVSS) metrics are unusually severe, with high impacts to each of confidentiality, integrity, and availability. “The analytics proved this one particularly nasty,” said Paul Grassi of the NSTIC NPO. “It’s rare to see a vulnerability that’s permeated so many systems. It’s like wildfire.”

We’ve canvassed the community and have gotten mostly positive feedback.

“The people who ask you for your password are often those least qualified to manage it,” remarked known rabble-rouser John Bradley from Ping Identity. “Passwords have long been passé. Let’s just say NIST is fashionably late to the party.”

Some in industry thought this a foregone conclusion, such as Stu Vaeth from SecureKey: “Well, I suppose this is more like a 19,000-day than a zero-day, but it’s comforting that NIST finally finished the paperwork.”

Others weren’t so sure about the move. Peter Alterman, COO of SAFE-BioPharma and noted ham radio operator, took a predictably contrarian position by declaring that “passwords work fine. It’s people that are struggling to keep up with the pace of the Internet. Totally obsolete.”

We’ll get right on that one.


4 Responses to A previously unknown vulnerability.

  1. Peter Tomlinson says:

    So what?

    It seems to be every week that I read about, or are even asked to use, a different method, without any information to help me trust it. So I’m with Pete Alterman.

  2. John Bradley says:

    I strongly support this, a sign of Mike Garcia’s strong leadership.

  3. Yalo Suzuki says:

    Why is this article tagged “april fools”?


    Thank you very much. …
