BYOI is a series I’ve decided to create to “talk” about #identitymanagement, so it is about #security, #governance, #management and many other aspects of the #IAM realm.
I’m sitting in my car waiting for a colleague to arrive before a customer meeting, “as always” I would say, not because the colleague has any habit of making me wait but because this is what happens to all of those who are forcibly “mobile workers” in the sales/presales/consultancy “world”. We “live” outside your doors, quietly waiting for the moment we will be allowed to ring your bell and join you for the next couple of hours of meeting.
I am here and I am connected to the “outside” world through various systems: my 3G/GPRS phone connection (I’m in Italy), sometimes a public Wi-Fi, most of the time with multiple devices that allow me to check email, write blog posts, reply to Twitter conversations, etc.
I was born in the ‘70s, when there was no internet as we know it, no mobile phones, no emails, no social networks, and the only form of gamification was the Christmas company lottery.
I am a digital immigrant and my world was a non-digitalized one where security was physical and related to locked doors, people control at airports and so on. When I started to approach computers, my very first password was composed of 6 letters, one uppercase (at the beginning) and two numbers (at the end), and it was considered “secure” enough; nowadays it would not pass any website registration form.
Late last year and even more in these early weeks of 2013, the trend of “taking the password to die” has become stronger. The idea is quite simple:
passwords are not secure anymore, and even the strongest could be easily cracked in seconds by a multi-node brute force attack, so IT should find alternative ways to protect our data, identities, etc.
A good article on this is this one
Let me clarify some points on this: I am fully supportive of the idea that text passwords manually inputted by humans must die sooner or later and be replaced by other systems of authentication, but… yes, but: is it really like this?
The digital immigrant vs. the digital born dilemma
Why were text passwords so successful for us digital immigrants?
- Because in a world where the computational power of a single device was not able to easily crack a non-complex password, we could use our “easy to remember” secrets.
- Because there were no apps and “zillions” of websites to log in to for work or for our personal business, and so re-using the same password was acceptable.
- Because it was more than a decade ago and the technology was young, as we were, and so was the knowledge.
Security is mostly a perception, and we were, and some still are, seeing the digital world as a place safer than it really is. Who are these people? Easy: your non-IT family members, friends, peers.
Any new technology, or better, innovation, requires a certain time to be fully understood and adopted.
This graph shows the innovation adoption curve as defined by many researchers.
Wikipedia on “Innovation adoption lifecycle”
The graph is quite symbolic if you look at it and think about the use of a security “innovation” like passwords.
Now, still looking at the curve? Do you remember Moore’s law? If you are older like me you remember it for sure, but for all the others here is a little excerpt:
Moore’s law is the observation that over the history of computing hardware, the number of transistors on integrated circuits doubles approximately every two years. The period often quoted as "18 months" is due to Intel executive David House, who predicted that period for a doubling in chip performance (being a combination of the effect of more transistors and their being faster).
Now look again at the Innovation Adoption Lifecycle and try to figure out where you, digital immigrants from the IT world, are placed in that curve and where the non-IT members of your circle of “trust” are.
Let’s say that your perception of the “security issue” is not going as fast as Moore’s law, but everything else is. So when you still think that using your first daughter’s name, your dog’s nickname or the combination of your birthday and your name is a secure option, the “bad boys” out there have full knowledge of your authentication system and know how to crack it. But even worse, the computational power is not going as slow as your #security #habits adoption, and so brute force attacks combined through a grid of computers become more frequent, etc…
Most of us are still “sitting” on the top of the curve, and the idea of using a different way to authenticate ourselves makes no sense to us.
Second point: what did you use in the last decade? Laptops, desktops. Passwords work very well on this kind of device, but try your hyper-secure text password on a mobile device.
One thing we, as digital immigrants, are not accustomed to is typing complex passwords on tiny devices, and even worse, we are still not completely settled on the innovation adoption curve, which means we don’t have full knowledge of the devices and of their use.
This article could help many of us to see the point. From the same article:
many smartphone users do not recognize these security shortcomings. Many users fail to enable the security software that comes with their phones, and they believe that surfing the internet on their phones is as safe as or safer than surfing on their computers.
A digital born instead starts in a world where these devices, this level of knowledge and comprehension of the innovation, are already at the top level, and so his/her way of looking at it is obviously totally different.
We lock our house doors because of the risk of coming back home and finding it robbed, but our grandparents used to not do it because their “world” was perceived in a different way.
Terms like BYOD are very frequent nowadays, but what they mean is that most people bring their personal device into corporate networks without full knowledge of what this could mean in case their devices are not secured.
Security should always be a habit, but when your habit is built on a different perspective from the one the digital born got, it is really hard to “follow” the new “flow”.
The password that will not die (soon)
So based on the assumptions stated above:
Passwords are not more or less secure than any other authentication system, but since they are now fully understood and known, they are not adoptable for everything anymore,
but then I wonder why we still use them so often? Even when you federate through social login you still use a password, or “secret questions” that require a text answer to recover your hyper-complex text secret.
We learn, understand, then adopt an innovation, and this means that to convince us to replace a well-known method we need something that offers the same level of “perceived security”, but this again means that we are sitting on an innovation adoption curve that is years long.
Passwords are still in use and will be, because they are simple to remember, easy to implement, and there is no real security standard as an alternative till now, only innovative ways that most of the digital immigrants do not understand or know.
My point? We are like that boyfriend who is not good at goodbyes and continues the relationship even when he knows that it is “wrong”… but this is another story…