Passwords Are Still Fundamentally Sound

By Rajat Bhargava Posted October 7, 2013

Briefcase locks are woefully inadequate. They only provide security if someone can see a thief trying to open them. Three-digit codes? Hackers can break those in minutes — no supercomputers required.

The kind of lock I use at the gym is similar. Five letters to be lined up, total possible combinations: 10^5. Assuming one try a second, you could crack that in a day or so. Regular combination locks only have 40^3 possible combinations.

So why don’t we declare these locks “dead” and push for a new technology? It’s because they are still capable of securing your possessions in many cases. A thief persistent enough to crack those locks probably has more lucrative targets than your gym locker, so they serve as a sufficient deterrent – especially since a thief would only expect to get a few attempts at cracking a physical lock before someone came in and caught them.

Keyed locks are ‘broken’ too. The solid old MasterLock®, the deadbolt on your front door – these are hackable as well. It doesn’t take much effort to learn how to pick these locks, and a skilled locksmith can crack most in minutes, if not seconds. Does this mean we have to declare the technology dead and expect everyone to use biometric access mechanisms – retina scanners, thumbprint analysis, whatever?

Almost all locks we use in the physical world serve as a deterrent, but we’d never expect them to keep out a really determined foe. And while someone may occasionally try the handle on your car door or pull on your gym lock to see if it’s unlocked, you’re generally not concerned that their vector of attack is to actually circumvent the lock.

How Passwords Are Similar To Three-Digit Codes And Locks

Passwords can be thought of in the same way. I have concerns about access to my web-based accounts, but I don’t have to be worried that someone is attempting to guess my Google Apps password. Google will lock them out after a certain number of brute-force attempts – in exactly the same way that you’d chase off someone sitting at a bicycle rack trying every combination to a lock*.
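The lockout the paragraph describes, as an added example that is not from the original post or from any JumpCloud or Google code: a per-account throttle that refuses further attempts after a run of failures, plus the post's own arithmetic (a 10^5 keyspace at one try a second) recomputed with the lockout in place. The class and the constants `MAX_FAILURES` and `LOCKOUT_SECONDS` are assumptions chosen for illustration.

```python
"""Added example (not part of the original post). Names and limits are
assumptions: MAX_FAILURES, LOCKOUT_SECONDS and LoginThrottle are invented here."""
from dataclasses import dataclass, field

MAX_FAILURES = 5            # consecutive failures allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked afterwards


@dataclass
class LoginThrottle:
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def record(self, account: str, success: bool, now: float) -> str:
        """Register one login attempt at time `now`; return 'locked', 'ok' or 'fail'."""
        if self.is_locked(account, now):
            return "locked"                # refuse even a correct password while locked
        if success:
            self.failures.pop(account, None)   # a good login resets the counter
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)   # counter starts fresh once the lock expires
            return "locked"
        return "fail"


def seconds_to_exhaust(keyspace: int, tries_per_second: float) -> float:
    """Time to try every combination with no lockout (the post's gym-lock case)."""
    return keyspace / tries_per_second


def seconds_to_exhaust_with_lockout(keyspace: int, max_failures: int, lockout_seconds: int) -> float:
    """Time to try every combination when only `max_failures` guesses fit in each lockout period."""
    return keyspace / max_failures * lockout_seconds


if __name__ == "__main__":
    # Constructed sample: the post's 10^5 combinations at one guess per second.
    print(seconds_to_exhaust(10**5, 1.0) / 86400, "days without lockout")
    print(seconds_to_exhaust_with_lockout(10**5, MAX_FAILURES, LOCKOUT_SECONDS) / 86400, "days with lockout")
```

The same five-dial keyspace that falls in about a day without a lockout takes on the order of two hundred days once only five guesses fit in each fifteen-minute window, which is why an account that never locks out is the case the footnote warns about.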

The Real Threat: Identity Breaches

Vulnerabilities on the Internet don’t lie where most people think they do. It’s not that someone will try to guess your password without notice like Matthew Broderick breaking into the WOPR in WarGames. The real risk to your online accounts is found on the back-end, where the companies and people entrusted with security aren’t up to the task. The strongest deadbolt in the world won’t help you if someone leaves a window open right next to it. Indeed, most security breaches aren’t created via guessed passwords, but rather by circumventing the authentication mechanisms altogether. You probably know this as identity theft. Identity breaches are the number one vector for breaking into online, digital assets.

Thwart Identity Theft With Directory-as-a-Service

That being said, there IS good reason to use unique passwords everywhere, so much so that we cover it in a separate post. In the meantime, if you would like to learn more about what you can do to thwart identity theft, drop us a note. Go ahead and give Directory-as-a-Service® a try. At JumpCloud®, your first 10 users are free forever.

*Now if your bike lock combination is set to 1234, or 0000, you’re not making good choices. The same is true if you’re locking your briefcase but leaving it where no one can see a persistent thief try to open it, or if you’re using online accounts that never lock you out for repeated password failures.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
