6 Aug 2019

Editor Introduction

Passwords are one of the most familiar elements of information systems, but also one that can be overlooked or underutilised. New alternatives are emerging, and the role of passwords is evolving in the age of the Internet of Things. We asked this week’s Expert Panel Roundtable: How is the role of passwords changing in physical security systems?

Passwords are finally being used as they are designed to be used. Previously, this was one of the weak points within a system because people did not spend time thinking of a unique password or, even worse, would stick to the default password assigned at initial login. Today, manufacturers are starting to enforce stricter password setting rules, ensuring that passwords are actually keeping accounts secure. Most ONVIF members that manufacture cameras force a password change upon installation, eliminating the default password issue altogether. So, the role of passwords is not really changing. People are just finally using them as they are intended to be used.

When it comes to password best practices, the physical security industry is lagging behind the mainstream IT industry. Passwords are meant to authenticate humans, not machines. Therefore, they shouldn’t be the first choice when one system authenticates itself to another. User-controlled passwords are a major vulnerability and the largest single attack vector used in breaches, hence other alternatives such as password-less authentication, PKI (Public Key Infrastructure) and biometrics are gaining support. Microsoft has recently announced that password-less capabilities in Azure Active Directory are now running as a public preview. Digital certificates are increasingly replacing passwords on devices, which again makes a case for PKI. Traditional user-controlled passwords are not only insecure by today’s standards, they also cost organisations (and their IT departments) vast sums of money to support. The sooner the physical security industry catches up with these trends, the safer we will all be.

Julie Brown Johnson Controls, Inc.

Many facility managers and owners are moving toward a multi-faceted hands-off approach to security systems. This is due to many reasons, but among them, passwords are easy to hack and are not as sophisticated as other solutions, like biometrics. Healthcare facilities have advanced beyond traditional password methods and have prioritised implementing biometrics, including facial recognition, as a powerful addition to access control strategies. Instead of taking time to enter a keycode or using an access control badge, a camera recognises personnel and the door opens automatically. Unlike a password, facial characteristics cannot be shared or forgotten, protecting sensitive data in case of a cyber-attack. In addition to the security benefits of facial recognition, healthcare facilities can realise other unique benefits including less risk for healthcare acquired infections. Frictionless security reduces the number of touch points that can transfer harmful infections.

Just thinking of new passwords that we can remember easily is a source of stress in today's workforce, given the higher number of password-protected systems and requirements to change passwords on a periodic basis. Eliminating default and easily guessable passwords is one of the simplest elements of cybersecurity, avoiding unauthorised access to IP video cameras, for example. The tide has now shifted with more manufacturers and integrators taking seriously the issue of passwords. In California, the Information Privacy: Connected Devices bill requires electronics manufacturers to equip Internet of Things devices with “reasonable” security features – no more passwords such as “admin,” “password,” or “1234.” Although fingerprint scans and other biometrics offer an alternative to password protection, it appears we will all be memorialising our pet names and birth dates in our passwords for years to come.

Editor Summary

Password protection is a basic cybersecurity element of many systems, including those in the physical security industry, and it seems likely it will remain so in the foreseeable future. Still, as our Expert Panel Roundtable point out, there are some newer, more secure alternatives on the horizon. How soon they will replace passwords is an open question.