Reflecting on 25 years of password security and the future of security technology
When I helped create the password hashing algorithm bcrypt in 1997, I didn’t expect that today—more than 25 years later—it would remain an effective, reliable, and widely-adopted choice for hashing passwords. In fact, I’m surprised that we still rely so heavily on passwords today. The reasons for bcrypt’s continued relevance provide interesting insights about password security and may inform how we think about the future of security in general.
Why bcrypt has a lasting impact
We designed bcrypt to keep pace with advances in computing power, which is the primary reason for its continued relevance. Its influence stimulated the development of new algorithms and research to protect against password cracking techniques. Its concept of adaptive work factors has been adopted and expanded upon by newer algorithms that incorporate advanced features such as memory-hardness and adjustable parallelism, to make an algorithm more secure against specialized hardware and increasingly powerful parallel computation devices, e.g., incredibly powerful GPUs.
Beyond the intentional algorithm design, bcrypt’s endurance can be attributed to several other factors. Its wide availability in open-source implementations has facilitated adoption, and its age works in its favor: having passed the test of time, it is considered a safe choice. Even bcrypt’s main weakness, that it scales only in CPU cost, still makes it an attractive choice for large Internet services: newer algorithms, while more resilient, also scale in other dimensions such as memory consumption, which raises their overall resource cost and takes more dedicated work to run efficiently at scale.
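The property the two paragraphs above turn on, a work factor that is stored alongside the hash so it can be raised as hardware gets faster, is easier to see in code. The following is an added illustration, not code from the post or from bcrypt itself; since bcrypt is not in the Python standard library, it stands in PBKDF2-HMAC-SHA256 for a CPU-only cost (the dimension bcrypt scales in) and scrypt for a memory-hard cost with a parallelism knob. The `$scheme$cost$salt$hash` string format, the function names and the calibration routine are all assumptions made for this example, not bcrypt's `$2b$` format.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Added example, not from the post or from bcrypt: a minimal password store with an
# adjustable work factor in the spirit of bcrypt's cost parameter. The encoding
# "$scheme$cost$salt$hash" is a hypothetical format (not bcrypt's "$2b$" format).
# Scheme "p" = PBKDF2-HMAC-SHA256: 2**cost iterations, scales in CPU time only.
# Scheme "s" = scrypt: N = 2**cost, so memory (128 * r * N bytes) grows with cost too.

SCRYPT_R = 8   # block size; memory per hash = 128 * SCRYPT_R * 2**cost bytes
SCRYPT_P = 1   # parallelism lanes; raising p adds CPU work without adding memory


def hash_password(password: str, cost: int = 12, memory_hard: bool = False,
                  salt: Optional[bytes] = None) -> str:
    """Hash with 2**cost units of work; cost and salt travel with the digest."""
    salt = os.urandom(16) if salt is None else salt
    pw = password.encode("utf-8")
    if memory_hard:
        n = 2 ** cost
        digest = hashlib.scrypt(pw, salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P,
                                maxmem=2 * 128 * SCRYPT_R * n, dklen=32)
        scheme = "s"
    else:
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, 2 ** cost, dklen=32)
        scheme = "p"
    return "${}${}${}${}".format(
        scheme, cost,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def parse(stored: str) -> Tuple[str, int, bytes, bytes]:
    """Split the stored string back into (scheme, cost, salt, digest)."""
    _, scheme, cost, salt, digest = stored.split("$")
    return scheme, int(cost), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored scheme, cost and salt; compare in constant time."""
    scheme, cost, salt, _ = parse(stored)
    candidate = hash_password(password, cost, scheme == "s", salt=salt)
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


def needs_rehash(stored: str, cost: int, memory_hard: bool) -> bool:
    """True when the stored hash is below the current policy (cost or scheme)."""
    scheme, stored_cost, _, _ = parse(stored)
    return stored_cost < cost or scheme != ("s" if memory_hard else "p")


def login(password: str, stored: str, cost: int,
          memory_hard: bool) -> Tuple[bool, Optional[str]]:
    """Verify, and if the old hash passes but is below policy, return a
    replacement hash the caller must persist. This is how a deployment raises
    its work factor without forcing password resets."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, cost, memory_hard):
        return True, hash_password(password, cost, memory_hard)
    return True, None


def calibrate(target_seconds: float, max_cost: int = 20) -> int:
    """Largest PBKDF2 cost whose single hash stays under target_seconds here.
    Re-run periodically: as hardware speeds up, the same budget buys a higher cost."""
    cost = 4
    while cost < max_cost:
        t0 = time.perf_counter()
        hash_password("calibration", cost + 1, memory_hard=False)
        if time.perf_counter() - t0 > target_seconds:
            break
        cost += 1
    return cost


if __name__ == "__main__":
    old = hash_password("correct horse battery staple", cost=10)
    print("stored at cost 10:", old)
    ok, upgraded = login("correct horse battery staple", old, cost=12, memory_hard=True)
    print("login ok:", ok, "| upgraded to:", upgraded)
    for c in (10, 11, 12):   # each +1 roughly doubles the time
        t0 = time.perf_counter()
        hash_password("x", c)
        print("cost", c, "took %.4fs" % (time.perf_counter() - t0))
    print("calibrated cost for a 50 ms budget on this machine:", calibrate(0.05))
```

The point of `login` is the one bcrypt made standard: because the cost is encoded in the stored string, a server can verify old hashes at their old cost and silently re-hash at the new cost on the next successful login. The scrypt branch shows the trade-off the paragraph above describes: raising `cost` there doubles memory as well as time, which is what makes it harder to run cheaply at scale.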
Over the years, we have learned that passwords alone are not sufficient to ensure that only authorized people access computer systems and data. Instead, we have come to understand that the human is often the weakest link and technologies such as 2FA are required to protect organizations from their employees being phished or reusing their passwords. Humans making innocent mistakes or rogue insiders trying to intentionally violate security are a pressing problem for most organizations. An effective response often requires that companies employ security measures that are comprehensive and capable of protecting against both external and internal threats.
What’s next for passwords and security?
As the adoption of cloud services continues to increase, most critical data is stored and processed remotely, and passwords surprisingly remain an integral part of our digital lives. Their ease of deployment, creation, and revocability make them a convenient choice even today.
While single sign-on is now nearly ubiquitous, trusting a single identity provider (IdP) with one’s entire online presence has its own risk. As these IdPs all battle with fraud, the automated systems that disable thousands of accounts every day may also accidentally disable the accounts of completely innocent users. Until alternatives such as self-sovereign identity, where users retain control over their identities, gain widespread acceptance, the reign of passwords is likely to endure.
Given the state of security nowadays, security professionals no longer consider password security a technical problem; instead, human factors and adoption costs pose significant challenges for companies. Truly robust security is seen only in companies with executives that prioritize and invest in it, with many companies focusing more on business growth than preventative security measures. However, as more rules and regulations shift security responsibilities to business leaders, we could see more executives begin to prioritize security.
For the companies that achieve mature security posture, human factors, particularly insider risk, become the primary concern. These risks, which often stem from social engineering and other techniques that involve human components, are more difficult to address because there is not one simple technological solution. However, when strong technological security foundations are in place, it’s much easier to manage human behavior. This requires developing secure infrastructure, and often also calls for employing skilled software and security engineers. While this approach is effective, it’s also expensive.
Why I’m hopeful for the future of Lacework
While most companies these days realize that security is something they have to take seriously, their executive teams need to make rational business trade-offs between growing their business and improving security. Unfortunately, the high cost of building bespoke security solutions is often prohibitive; instead companies mitigate risks where it’s feasible and otherwise accept that they will have to deal with security incidents when they happen.
Lacework hopes to change this equation. As a security platform, the overarching mission at Lacework is to systematically improve security outcomes for customers. We are on a journey where we will not only help customers implement security best practices, but also help them establish strong security defenses that reduce their attack surface. We recognize that the key to achieving this, and to the biggest security challenges that companies face, often lies in empowering their employees and making it easy for developers and operators to adopt security guidance and best practices for their cloud environments. With a comprehensive approach to security, we understand how a unified, consistent platform is of key importance in helping customers quickly react to and mitigate security threats as they unfold, while also giving them the timely and actionable information needed to efficiently close out incidents.
Lacework intends to be a win-win solution for customers, empowering businesses to scale their efficiency while staying secure. I’m hopeful that the product will enable users to spend their time efficiently rather than slow them down with alerts and findings. Security should not create more friction or be a gatekeeper; rather, it should make all customers more efficient.
Adapting and innovating for evolving security needs
As we look ahead at the future of the security industry, it’s clear that we need two things: better ways to address the human factors that affect cybersecurity, and technology that is adaptable and serves as a strong foundation for future iterations and innovations. This requires companies to hire skilled engineers with security expertise; however, the scarcity of talent in the field makes this difficult. To generate more interest in security amongst a younger audience, I recently started my newest venture as an EDM (Electronic Dance Music) producer. Under the artist name Activ8te, I’m creating music that explores challenging security themes. I encourage you to listen to help me expand the skilled security professional pipeline (and support my mission to win a Grammy… stay tuned). Just as the rhythm of an EDM track evolves, so does the beat of security technologies. As evidenced by the path of bcrypt over the past 25 years, security is a long and incremental journey. Just as bcrypt has proven its value over the years through its adaptive design and continued relevance, I look forward to seeing how Lacework will adapt to address the ever-changing factors that influence security.
About Niels: Niels Provos is the Head of Security Efficacy at Lacework. With nearly two decades of industry experience in creating healthy engineering teams that build security infrastructure and systems that solve cloud security problems at scale, Niels puts a particular emphasis on treating security as an engineering problem. After receiving his PhD in computer science from the University of Michigan, Niels spent over 15 years supporting the development of Google’s security and privacy engineering practice, such as helping to establish Safe Browsing which protects over 4 billion devices on the Internet. He then joined Stripe in 2018 as Head of Security where he set Stripe on a path towards a world-class security posture to help build significant trust with customers and to be ready for the public markets. To keep himself balanced and get more people interested in working in the security domain, he also produces cybersecurity-themed EDM tracks under his artist name Activ8te.