Privacy czar pans anti-password ‘media gimmick’

A petition by a group of Silicon Valley startups to get digital service providers to move to “passwordless” authentication sends a dangerous message, according to Ontario’s privacy commissioner.

Ann Cavoukian, whose Privacy by Design model has been adopted by institutions worldwide, has no objection to new technologies to authenticate users on systems. But it’s not an either-or proposition.

 
RELATED CONTENT

“You’ve got to make this user-centric,” she said Tuesday, and most users are currently in a password-controlled regime. “You can’t just have a ban on passwords.”

News of the Petition Against Passwords, scheduled to go live Wednesday, July 24, was leaked to tech media last week. Three identity companies — NokNok Labs, Clef and LaunchKey — and consumer advocacy group TechFreedom created the petition.

The group argues that users choose passwords that are too weak so they can remember them, that password policies aren’t enforced and that security holes regularly expose stored user passwords.

Cavoukian wondered aloud if the petition is simply a media gimmick. “Why do they have a petition? Who are they petitioning?” she asked.

Cavoukian said she supports new authentication technologies, but that doesn’t mean throwing out passwords.

“I love innovation,” she said. “I hate zero-sum propositions … give me a multiplicity of options.”

Her biggest fear is that the message will erode security.

“The last thing I want is for people to think, ‘Oh, I don’t need a password anymore, I can just log on to the system,” she said. “No. Absolutely not.”

She points out that more than half of smart phones, which are regularly lost or stolen, aren’t password protected. “We want to ramp up security, not ramp it down.”

Authentication must be multi-pronged, accessible and user-centric, Cavoukian said, and “that, in my view, is still passwords.”

She’s all for combining password authentication with other technologies, and said the nature and sensitivity of the application would contribute to the authentication method.

A better approach than getting rid of passwords is to teach users how to create strong passwords that are easy to remember. The trick she uses: Pick a password that is the same word in two different languages — she uses English and Armenian — and put a number in between. That will thwart common dictionary attacks, but still be easy to remember.

A CSO Online reader dismissed the petition as a marketing ploy. “I’m starting a petition to reduce gravity. Think how much easier everything would be if gravity was around 60% of what it is now,” the reader commented. “The ‘end password’ petition is just as stupid. What exactly will replace it, and who exactly will pay for it? Go figure that the whole thing is being pushed by some two-factor solution vendor (big surprise, eh).”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Dave Webb
Dave Webb
Dave Webb is a freelance editor and writer. A veteran journalist of more than 20 years' experience (15 of them in technology), he has held senior editorial positions with a number of technology publications. He was honoured with an Andersen Consulting Award for Excellence in Business Journalism in 2000, and several Canadian Online Publishing Awards as part of the ComputerWorld Canada team.

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now