Welcome!

@CloudExpo Authors: Pat Romanski, Yeshim Deniz, Elizabeth White, Liz McMillan, Zakia Bouachraoui

Related Topics: @CloudExpo, Cloud Security, @DXWorldExpo, @ThingsExpo

@CloudExpo: Article

No Passwords | @CloudExpo #Cloud #API #AI #ML #DL #DX #Cybersecurity

Right after the Sony Hack became public knowledge (circa November 2014), cybersecurity paranoia set in

Every time there’s a notable cybersecurity breach, someone (even me) writes a comprehensive primer on the proper way to create “secure” passwords. Lather, rinse, repeat. Until a few years ago, everyone (including me) based their password advice on a 2003 paper from the National Institute of Standards and Technology (NIST), with the catchy title “NIST Special Publication 800-63.” The paper recommended that passwords be cryptic, contain special characters, and be as close to nonsense as possible.

I was in a camp I called “How to Make a Cryptic Password You Can Easily Remember.” The short version was this: take a phrase you know, such as a favorite quote from a movie, and use the first letter of each word. For example, Sheriff Brody’s famous line from Jaws, “I think we’re gonna need a bigger boat,” becomes [email protected] The trick was using Leet (a technique where letters are replaced by numbers and symbols; see my post from July 2012, “Yahoo! Hacked: What You Need To Do Now”) to add the numbers and special characters. But as you can see from the example, a password made in this way is total nonsense to everyone but you – unless you forget your favorite quote.

That Was Then
Right after the Sony Hack became public knowledge (circa November 2014), cybersecurity paranoia set in and everyone started grasping for ways to enhance their cyberdefenses.

Once again, passwords were in the spotlight, but two strategic camps had evolved. Camp one was advocating the creation of more-cryptic passwords and changing them often (like monthly), and camp two began advocating for the longest passwords possible, made from any words you like and left alone until there was a reason to change them. All my cybersecurity friends fell squarely into the second camp, advocating for the longest passwords possible. My thinking evolved and I fell into line with camp two.

Fast Forward to Today
According to the Wall Street Journal, Bill Burr (the man who wrote the NIST memo back in 2003 that recommended the cryptic craziness and frequent replacement guidelines) has had an epiphany. “Much of what I did I now regret,” said Mr. Burr, 72 years old, who is now retired. If the reporting is accurate, he had very little evidence upon which to base the NIST’s recommendations. (Sort of makes me think about the USDA Food Chart I grew up with. But that’s for another article.) Why were Mr. Burr’s assumptions wrong?

The Math
This very widely circulated cartoon from XKCD tells the story beautifully.

The key takeaway is that the longer the password is, no matter its complexity, the harder it is for a computer to guess.

Now What?
The good news is that Mr. Burr’s old memo has been discarded and the NIST has published new Digital Identity Guidelines. The bad news is that it is going to take quite a while for these new guidelines to become widely adopted. Many sites limit the length of your password to “8-12 characters.” If that’s the case, you can’t use a password that is long enough to be considered safe under the new guidelines. As you know, many sites (especially government sites) require a special character and a number for a password to be considered strong. In practice, it may be years before the Internet catches up. By then, we may not be using passwords at all.

No Passwords
For consumers, passwords are just a way to validate that you are who you say you are. If you forget your password, you can request an email, a txt, or in some cases a phone call to obtain a temporary replacement. So if there’s another valid way to authenticate you, passwords really aren’t necessary. Google, Facebook, and several other sites can be easily used to verify that you are who you say you are. If proper authentication protocols are used, any site could determine you are you by checking to see if you are properly logged in to Facebook or Gmail. Lots of sites already do this, and there are a host of biometric and multifactor identification and authentication schemas fighting to be the new new thing in secure Internet living. Password science is evolving quickly, but it’s likely to be a hot mess for the foreseeable future.

So What Do I Do?
Do what the experts are now telling you to do. Start using the longest passwords possible. I would not use correcthorsebatterystaple, but “passwordswedontneednostinkinpasswords” will absolutely do the job.

Other Articles You May Enjoy

CMOs Shouldn’t Buy Tech, Ever!

How Do You See the Future?

The Five Jobs Robots Will Take First

The Five Jobs Robots Will Take Last

Just How Dangerous Is Alexa?

I’d Pay You $500,000 a Year, but You Can’t Do the Work

Machine Learning & AI: When to Start?

Artificial Intelligence: 5 Things Every CEO Should Know

My Banned Words for 2017

The post Passwords: What if Everything You Know Is Wrong? originally appeared here on Shelly Palmer

More Stories By Shelly Palmer

Shelly Palmer is the host of Fox Television’s "Shelly Palmer Digital Living" television show about living and working in a digital world. He is Fox 5′s (WNYW-TV New York) Tech Expert and the host of United Stations Radio Network’s, MediaBytes, a daily syndicated radio report that features insightful commentary and a unique insiders take on the biggest stories in technology, media, and entertainment.

CloudEXPO Stories
Sanjeev Sharma Joins November 11-13, 2018 @DevOpsSummit at @CloudEXPO New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.
DXWorldEXPO LLC announced today that Kevin Jackson joined the faculty of CloudEXPO's "10-Year Anniversary Event" which will take place on November 11-13, 2018 in New York City. Kevin L. Jackson is a globally recognized cloud computing expert and Founder/Author of the award winning "Cloud Musings" blog. Mr. Jackson has also been recognized as a "Top 100 Cybersecurity Influencer and Brand" by Onalytica (2015), a Huffington Post "Top 100 Cloud Computing Experts on Twitter" (2013) and a "Top 50 Cloud Computing Blogger for IT Integrators" by CRN (2015). Mr. Jackson's professional career includes service in the US Navy Space Systems Command, Vice President J.P. Morgan Chase, Worldwide Sales Executive for IBM and NJVC Vice President, Cloud Services. He is currently part of a team responsible for onboarding mission applications to the US Intelligence Community cloud computing environment (IC ...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight and has been quoted or published in Time, CIO, Computerworld, USA Today and Forbes.
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the massive amount of information associated with these devices. Ed presented sought out sessions at CloudEXPO Silicon Valley 2017 and CloudEXPO New York 2017. He is a regular contributor to Cloud Computing Journal.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on organizations of all sizes and in every line of business. Fintech is a constant battleground for this technology expanding trend and the lessons learned here can be applied anywhere. Digital transformation isn't going to go away and the need for greater understanding and skills around managing, guiding, and understanding the greater landscape of change is required for effective transformations.