More than 2 million passwords have been stolen from popular web services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc. All the popular press are reporting on this (here is something in English and Swedish).
Now what is interesting is the analysis on the stolen passwords by Trustwave. Trustwave did a similar study over 6 years ago on passwords exposed from MySpace, and this shows that nothing has changed, if anything password complexity is even weaker now than what it was in 2006. It seems that users are choosing simplicity over complexity.
So what’s so surprising? It is quite naive to assume that we will use complex passwords, especially across our social networking accounts. This is why we are increasingly accepting single sign-on using Facebook, LinkedIn, etc., to authenticate to other web services. The last Gartner conference on identity talked about needing to re-work how we do identity, i.e. make it ‘people-centric’, now where have I heard that one before 😉
I loved this article from ZDNet on Garner’s prediction on identity management.
“Protected resources in the enterprise aren’t where they use to be and the move to the cloud has stressed and fractured identity and access management (IAM) to the point where it needs to be re-architected, according to Gartner.”
How true! There needs to be a way forward that is scalable to 6 billion persons worldwide! There is even mentioned “people-centric” approach. One prediction was that by 2020, over 80% of enterprises will allow unrestricted access to non-critical assets, up from <5% today, reducing spending on IAM by 25%. This is aligned to how transparency will have a new place in the society of the future.
I've been thinking and talking a lot about how we must turn how we do security upside-down, re-architec, do it different. The present approach is not working, and hasn't for a long time. I am referring to "people-centric", "device-centric", "information-centric" and a future with increased transparency. There is nothing new with the information-centric, this after all was drafted by the Jericho forum in 2002, their 10 commandments basically stated de-peremiterization of security controls, i.e. put the security as close to the information as is possible.
You should check out what Lequa is doing in the space of IAM. I am 😉