This article can also be found in the Premium Editorial Download "Information Security magazine: Lessons learned from good and bad NAC implementations."
I've forgotten passwords before, but recently I actually forgot an account. I have a password scribbled on a note, and I have no idea what account name or system it's for. Fortunately, I've carefully kept track of 175 other logins and passwords.
I probably have more logins than most people but I'm not that unusual. Today's Internet sites keep score by the number of account holders. It's the uncommonly accommodating Internet merchant that will allow a purchase without forcing you to create an account. Applications "in the cloud," such as email, GoogleDocs or social networking sites, require unique accounts. I've got Amazon, eBay, PayPal, Facebook, Yahoo, Flickr, LinkedIn, four email accounts, multiple admin accounts for my personal website, and more than 15 accounts associated with my job.
And it's not just a password problem; maintaining uniqueness means eight different login names for accounts associated with work, and at least a dozen more for non-work accounts. How crazy is that? What kind of a daft security model expects someone to remember 175 different passwords and logins?
Most people don't bother with unique passwords for every account, though. Admittedly, it matters not a whit how random your password is if it is slurped by malware on your workstation or the server. For years I was reasonably satisfied with an encrypted password list stored on my Palm, but when I upgraded to a wireless device, I had to find some other software and type them all back in again. I'm increasingly willing to just let my browser remember them, but that makes it even less likely I'll have the correct password at hand when I log in from a different computer. It also makes it easier for an intruder to find them.
The relatively recent method of using email addresses as logins does ease the situation a bit by providing an endless pool of memorable logins. Conveniently, when you forget a password (or it just doesn't work), you can usually push a button and have a new one emailed to you. But just as Network Address Translation (NAT) temporarily took the pressure off the dwindling stock of IPv4 addresses, the use of email addresses as account names cannot stave off the inevitable transition to a shared identity scheme allowing use of the same identity and authentication mechanism for multiple sites.
I was an early user of the now virtually defunct Passport single sign-on system from Microsoft. Without the baggage of a Microsoft, perhaps OpenID can become the paradigm-shifting standard, but not until dominant Internet entities such as Yahoo and WordPress are as willing to accept logins from other domains as they are to brag about being identity providers. I don't particularly trust national governments to be the sole source of strong identity, but sci-fi author Charles Stross has suggested that a universal time standard and identity protection are the only appropriate and necessary services of a government (at least in his faster-than-light, multi-planet universe).
My fellow analysts who spend more time on this issue say we should expect multiple forms of Internet identity providers--commercial, governmental and nonprofit. They anticipate lots of unforeseen complications, but nevertheless are increasingly supporting the idea of shared ID providers. I expect more false starts and some very unfortunate hacking incidents, but I'll be a guinea pig if it will further the state of the art. I'm ready to follow the advice of Mark Twain's character Pudd'nhead Wilson and put all of my eggs into one basket--and watch that basket.
This was first published in September 2008