Email Security and Passwords — It’s Time for Change

I’m going to buck tradition a bit here. Instead of focusing on what

happened this year or what might happen next year, I’m going to focus my

first column of 2006 on just a couple of issues that mean a lot to me:

passwords and email security.

I’ll preface what I’m going to say with just a bit of background. I’ve

been actively using computers since about 1981, and the Internet (or some

form there of) since about 1983 or 1984. In that time, very little has

substantively changed in the worlds of passwords and of email security.

The state of attacks against our systems, on the other hand, has changed

significantly during that same period of time. Let’s explore each of

these issues in a bit more detail.

Static, re-used passwords are without a doubt the status quo for the vast

majority of systems most people use on a day-to-day basis. In many cases,

these same static passwords receive little or no cryptographic protection

while they’re traversing the dangerous territory of the Internet. Users

themselves are notoriously bad at generating passwords that are difficult

to guess, and they’re equally predictable at using the same (or very

similar) passwords across multiple systems.

These facts combine to produce a rather potent attack cocktail: eavesdrop

on users’ passwords and then use those credentials to gain access to

further machines across each user’s domain of system usage. Now, combine

that with the fact that we’ve seen a rather significant upturn in attacks

that focus on the application (vs. the network or OS layers), and it

should give you an idea of just how vulnerable we’re leaving our business

applications.

Countering this, however, are the available solutions. One-time password

mechanisms in both hardware and software forms have been available for

some time now. Without a doubt, they go a long way to disarming a

significant class of attacks. So, why do you suppose they haven’t gained

more acceptance than in a few niche areas? The most common reasons for

not using them are cost, integration, and, most damning, user acceptance.

Even many Web-based financial service companies don’t require them for

their customers (although there are some notable exceptions, no doubt).

We’ve just got to find a better solution to the problem, and it has to be

perceived, from the CEO on down to the end user, as an enabling

technology, not a prohibitive one.

And then there’s email security.

When I first started using computers while studying mechanical

engineering in college, we were taught that computers were for computing.

Big mainframes for modeling differential systems in FORTRAN and the like.

When I first saw a computer on a network being used to communicate, it

had a profound impact on me that I’ve never forgotten. However, I had no

idea just how insecure the medium was at the time.

The email systems back then were pretty much the same as those available

today, at least from a security standpoint. Sure, there are encryption

and digital signature add-ons that can be used to make email more secure,

but they’re rarely used by the masses and are often perceived as the

domain of techno-geeks (like me, I suppose). As a result, spam, scams,

and phishing attacks are beyond being ‘simply’ rampant.

Those of you who read my February 2005 column (hi Mom) might recall I

talked about the need for authentication in email. It really does come as

a shock to many non-technologists that our email today has absolutely no

mechanism for authenticating the sender, for all practical intents.

Now, think about the ramifications of that statement a bit.

The usefulness of email is eroding rapidly — many would say it’s already

gone. When was the last time you received an email from… say, eBay or

Amazon and didn’t assume it was a spam or phishing scam? Many of these

companies have been the unwitting pawns in phishing attacks and have been

finding they can no longer effectively use email to communicate with

their user communities.

If we don’t start doing a better job at email security, email will die

entirely. Some will welcome that, but I sure won’t. That epiphany that I

experienced back in 1983 is still alive and well for me. Email may well

be the worst possible form of electronic communication, but it’s better

than all the rest. (With due apologies…)

And, to be sure, there are many other problems we should be working on,

but these two are rather important ones and we don’t seem to be making

much progress. Here’s to some substantive advances in 2006!

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020