To make matters worse, in this age of cloud computing, SaaS and increased mobility, users are spreading their credentials everywhere. Passwords are inherently weak. Dictionary attacks are standard and rainbow tables can be used to crack more sophisticated passwords.
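The rainbow-table point above is the reason password stores salt each hash. As an added illustration (not code from the article or from any vendor quoted in it), the following Python compares a plain unsalted SHA-256 with a per-user salted PBKDF2 derivation: two users who chose the same password get identical unsalted digests, so one precomputed lookup exposes both, while the salted keys differ and no precomputed table applies. The candidate list and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os

# Added illustration: an unsalted hash can be matched against a precomputed
# table, a per-user salted derivation cannot. Sample passwords are constructed.


def unsalted_hash(password):
    """Single unsalted SHA-256: the same input always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(candidates):
    """Precompute digest -> plaintext for a candidate list (a tiny stand-in for a rainbow table)."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, digest):
    """Recover a plaintext from a stored unsalted digest, if the table contains it."""
    return table.get(digest)


def salted_hash(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify(password, salt, expected_key, iterations=100_000):
    """Recompute the derived key with the stored salt and compare in constant time."""
    _, key = salted_hash(password, salt, iterations)
    return hmac.compare_digest(key, expected_key)


def compare_schemes(candidates, shared_password):
    """Two users chose the same password; report what each storage scheme reveals."""
    table = build_precomputed_table(candidates)
    alice_plain = unsalted_hash(shared_password)
    bob_plain = unsalted_hash(shared_password)
    alice_salt, alice_key = salted_hash(shared_password)
    bob_salt, bob_key = salted_hash(shared_password)
    return {
        "unsalted_digests_identical": alice_plain == bob_plain,
        "unsalted_recovered": lookup(table, alice_plain),
        "salted_keys_identical": alice_key == bob_key,
        "salted_recovered": lookup(table, alice_key.hex()),
        "alice_verifies": verify(shared_password, alice_salt, alice_key),
        "wrong_password_verifies": verify("wrong-guess", alice_salt, alice_key),
    }


if __name__ == "__main__":
    # Constructed candidate list standing in for a precomputed table.
    CANDIDATES = ["password", "letmein", "Tr0ub4dor&3"]
    for name, value in compare_schemes(CANDIDATES, "Tr0ub4dor&3").items():
        print(f"{name}: {value}")
```

The salt is stored beside the derived key in clear; its job is not secrecy but making every user's hash unique, so a table precomputed for one salt is useless for any other. The iteration count slows each guess, which is the second half of the defence.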
"The concept of having users deploy their passwords to every cloud site is nuts," says Garret Grajek, CTO of SecureAuth Corporation. "It would be a mistake, however, to conclude that this makes the cloud inherently insecure."
The standard method for authenticating users to cloud services is hardly revolutionary: user names and passwords. We're left with two choices: either improve on what we have, or replace it with something better. There is no real consensus, however, on which path to take.
For instance, when users are told to strengthen their login credentials by crafting strong passwords that are essentially gibberish with random capital letters, numbers and special characters, no one remembers them. Thus, everyone reuses their complex passwords, writes them down, or creates a "passwords" file, which is the first thing hackers look for when they access your device.
Potential password replacements don't offer any magic bullets. Solutions like hard tokens are expensive and hard to administer, and, as the RSA breach proved, they can be cracked too.
Grajek compares the authentication challenge to the AC/DC current battles of the 1880s. When DC was winning, New York City had wires strung so thickly that they almost blocked out the sky. The problem was that DC doesn't travel well, requiring sub-stations every mile and a half.
"The same mistake is true of the distribution of users' passwords at every cloud service," he says.
Every security expert that I talked to made the same point: There is no easy way to fix passwords, but standardization would certainly help us get closer to that goal.
SSO and SAML to the Rescue?
For several years now, the enterprise has been searching for single sign-on (SSO) solutions. Early ones were proprietary and unwieldy, but standards have been emerging, most notably Security Assertion Markup Language, or SAML.
"SSO is a must," says Mike Kail, vice president of IT operations at Netflix. "Once your employees start using Workday, Box and other cloud services, they start littering those services with passwords -- some unique, some not -- and any business is only as secure as its weakest password."