Close this search box.
Close this search box.

Written by: Mike Yang

OAKLAND–The security industry as a whole is really good at identifying interesting new problems and coming up with fancy products to solve them. But there is still a long list of boring, known problems that no one has fixed yet, and those are the ones that need the most attention, experts say.
One of those boring problems is perhaps the oldest one on the list: the password. It’s the most basic form of authentication, but the password is used to protect all kinds of sensitive data and devices, from kids’ iPods to classified government machines. And yet no one has come up with a bulletproof way to address the issue of people reusing passwords across multiple accounts, a problem that can turn a simple phishing attack into a complete disaster for a victim.
“What’s the biggest problem in security? It’s password reuse and nothing else is close,” Alex Stamos, CSO of Facebook, said during a session at the Enigma conference here Monday. “We catch a lot of those, but we don’t catch all of them.”

“We need to embrace the mundane.”

Password reuse is a two-part problem. Users tend to reuse their passwords because it’s convenient and easier than coming up with a new one for every site. Remembering multiple strong passwords is a pain, so people don’t bother. On the other side of the coin is that working on passwords isn’t a sexy research topic. Given the choice between hunting down APTs and trying to come up with a new password manager, a lot of researchers are choosing the former every time. And that isn’t a good recipe for progress.
“We don’t have a really good, usable solution. We need more people working on these problems. It’s a scoped problem,” Parisa Tabriz, who works on Chrome security at Google, said during the talk with Stamos. “I still see a lot of victim blaming. We should make authentication on the web easier.”
There are plenty of people working on the authentication problem, and some of them are developing novel ideas. On Monday, Facebook introduced a new account-recovery system called Delegated Recovery that relies on a user’s association with other services as a way to authenticate her and help her regain access to her account. But Tabriz encouraged more security researchers to take a swing at some of these existing problems rather than looking for the next big thing.
“In general, leave crypto to the experts and worry about the other things. I feel like we’re spending too much time on that and not on making security usable,” she said. “We need more people working on the mundane security things. We still have a really long way to go but it’s important for researchers to not just try to get the really large headlines. We need to embrace the mundane and the best practices of security.”