Dealing With a 'Bloody' Mess
By Samuel Greengard | Posted 2014-04-11
I'm about as techy as you can get, but I'm about ready to unplug everything and disconnect from the grid, thanks to the recent news about the Heartbleed bug.
I'm about as techy as you can get. I have a desktop computer, laptop, iPad and iPhone. I use myriad cloud services, leading-edge mobile apps and a number of home automation systems, including WeMo light switches, an Internet-connected thermostat, software-based universal remotes and garage door monitoring.
But I'm just about ready to unplug everything, disconnect from the grid and go back to using cash. The recent news about the Heartbleed bug pushes the dial way past annoying and disruptive. We're now in the red zone, and the system is completely broken.
I've written (seemingly) endlessly about the problems with passwords and the utter dysfunctionality of the current system. I've penned more than a few blogs about hapless vendors, inept payment processors and general laxity. It's impossible to get through a day without hearing about another data breach or breakdown.
So, now, because of Heartbleed, I'm supposed to change every single password? My password management app shows that I currently have 487.
Worse, many smaller sites haven't yet updated their software to fix this bug. So, does that mean that it may do me no good to update the passwords at those sites because the new passwords could be stolen? Will I have to go back and change those passwords again in the coming days and weeks?
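The question above has a concrete answer: a new password sent to a site that is still running a vulnerable OpenSSL build can be read straight out of the server's memory, so rotating it before the site patches (and replaces its possibly leaked certificate key) buys nothing. The following triage helper is an added example written for this column, not code from the author or from any vendor; it classifies release version strings of OpenSSL using the ranges in the Heartbleed advisory (CVE-2014-0160: 1.0.1 through 1.0.1f affected, 1.0.1g and later, and the 0.9.8 and 1.0.0 branches, not affected) and then decides, per site, whether a password should be changed now or left alone until the site is fixed. The site names, versions and "rekeyed" flags are constructed sample data; a real inventory would come from the site operators' own statements.

```python
"""Decide which passwords to rotate after Heartbleed, per site, based on patch status.

Added example; not from the column. Thresholds follow the OpenSSL advisory for
CVE-2014-0160: OpenSSL 1.0.1 .. 1.0.1f are affected, 1.0.1g is the first fixed
release, and the 0.9.8 / 1.0.0 branches never carried the bug. Only release
version strings are classified here (the 1.0.2-beta1 pre-release was also
affected but is deliberately not modelled).
"""
import re
from dataclasses import dataclass

# Accepts "OpenSSL 1.0.1e" or bare "1.0.1e"; the trailing letters are the patch level.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")
_AFFECTED_BRANCH = (1, 0, 1)
_FIRST_FIXED_LETTER = "g"


def is_vulnerable_version(version: str) -> bool:
    """True if the OpenSSL release string lies in the Heartbleed-affected range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)  # "" for plain 1.0.1, which is also affected
    if branch != _AFFECTED_BRANCH:
        return False
    return letter < _FIRST_FIXED_LETTER


@dataclass
class Site:
    """Constructed inventory record for one account the user holds."""
    name: str
    version_at_disclosure: str  # what the site ran when the bug became public
    current_version: str        # what the site runs now
    rekeyed: bool               # operator has replaced the certificate/private key


def rotation_plan(sites):
    """Map each site name to 'rotate now', 'wait for patch', or 'no action'."""
    plan = {}
    for s in sites:
        if not is_vulnerable_version(s.version_at_disclosure):
            # The site was never exposed by this bug; nothing to do for it.
            plan[s.name] = "no action"
        elif is_vulnerable_version(s.current_version) or not s.rekeyed:
            # A new password could still be read from memory, or the old key
            # may still be in use; changing the password now gains nothing.
            plan[s.name] = "wait for patch"
        else:
            # Exposure window is closed; the old password may have leaked, so rotate.
            plan[s.name] = "rotate now"
    return plan


# Constructed sample data, not real sites.
SAMPLE_SITES = [
    Site("bank.example", "OpenSSL 1.0.1e", "OpenSSL 1.0.1g", rekeyed=True),
    Site("shop.example", "OpenSSL 1.0.1f", "OpenSSL 1.0.1f", rekeyed=False),
    Site("forum.example", "OpenSSL 1.0.0k", "OpenSSL 1.0.0k", rekeyed=False),
    Site("blog.example", "OpenSSL 1.0.1e", "OpenSSL 1.0.1g", rekeyed=False),
]

if __name__ == "__main__":
    for name, action in rotation_plan(SAMPLE_SITES).items():
        print(f"{name:15s} {action}")
```

The "wait for patch" bucket is the one the column worries about: those accounts will need a second rotation later, so the useful output of a tool like this is not the list of passwords to change but the list of sites to re-check before changing anything.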
Seriously? This is progress?
I have a suggestion. Since product vendors and the business world don't seem to be serious about building a system that actually works, let's invite the federal government to the party. Industry hates government involvement—and there certainly can be too much of it—but this is what happens when there's little or no oversight. By now, it's apparent that industry cannot—or will not—get its act together.
How about eliminating passwords altogether? How about redesigning things from the circuit board up with real security protections, including biometrics? How about penalties and fines for organizations that are clearly negligent?
Right now, it's as if we're spelunking without a flashlight and have absolutely no clue about where we're going or how to get back out.
Of course, no system is perfect, and there will always be a certain number of breaches and problems. But the persistent mindset of maximizing profits with no regard for the collateral costs of wasting everyone's time and putting their data and identities at risk is completely unacceptable.