Whether verbally exchanged with a security guard to gain physical access to a room, or typed in conjunction with a user name to gain access to an IT resource, passwords have served us well for hundreds of years.
However, recent security breaches have highlighted the inadequacy of passwords as a means of securing sensitive information and may prove to be the final nail in the coffin.
In early August, BTopenworld admitted that its helpdesk staff had allowed users to bypass security checks and gain passwords for other people's accounts.
More recently, at the Fort Hood army base in Texas, a security firm was able to access the networks of other military bases and civilian agencies including Nasa.
Incredibly, in this case, where security should be paramount, access was gained because many users were choosing the word 'password' as their password. As well as damaging the reputation of the organisation, such employee negligence results in a lack of consumer confidence in the internet.
The idea seems simple enough: each person has their own password corresponding to their user name, and thus their privileges on the system. But, if we apply some security rules, it starts to get complicated.
Are users allowed to select their own password? Is the password complex enough that it cannot be guessed? Is it vulnerable to a dictionary attack? Is it changed regularly?
Nowadays, such issues are addressed by the network operating system and are relatively easy for administrators to implement, but there are still some issues that the operating system cannot address.
How do you prevent users from writing their passwords on a piece of paper? What happens when they forget their passwords? How do you ensure that the confidentiality of customer passwords is maintained?
It would seem that passwords are far too reliant on employees behaving responsibly, and human nature makes the whole system unreliable as a result.
These issues are tricky enough to manage on a closed enterprise network, but when your user community is an open internet-based group, you've got problems as illustrated by the examples above.
If organisations insist on using passwords, and for many small, low-security cases they may suffice, they must ensure that security policies are clearly communicated and that employees are educated on the implications of negligence.
Apart from the management issues, one could also question the strength of user name/password as a security tool. Unless a password is over eight characters long and mixes capitals, lower-case letters and numbers, it cannot be regarded as strong authentication and is not even adequate.
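The rules set out above (length, mixed character classes, no dictionary words such as the 'password' that undid Fort Hood) are easy to state but only enforceable if the system checks them. The following is an added example, not code from the article; the word list and the substitution table are constructed stand-ins for a real dictionary file.

```python
import re

# Constructed mini-dictionary; a real deployment loads a full word list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "football"}

# Substitutions attackers already try, so 'P@ssw0rd' is normalised back to
# 'password' before the dictionary lookup rather than slipping past it.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "!": "i"})


def dictionary_hit(password: str) -> bool:
    """True if the password is a dictionary word, allowing for leet-style
    substitutions and a trailing run of digits (e.g. 'Password1', 'p@ssw0rd')."""
    lowered = password.lower()
    stripped = re.sub(r"\d+$", "", lowered)          # drop trailing digits first
    candidates = {lowered.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    return any(c in COMMON_WORDS for c in candidates)


def check_password(password: str, min_length: int = 9) -> list[str]:
    """Return the list of policy violations; an empty list means it passes.
    Thresholds follow the article: over eight characters, with capitals,
    lower-case letters and digits, and not a guessable dictionary word."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if dictionary_hit(password):
        problems.append("dictionary word (with common substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd1", "Tr0ub4dor&Horse9"):
        print(candidate, "->", check_password(candidate) or "OK")
```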
It all boils down to the fact that passwords are a single-factor method of authentication. If you have knowledge of the password, then you can impersonate the user.
Two-factor authentication requires possession of something as well as knowledge of the password or PIN, providing a much stronger form of authentication. There are many varieties of two-factor authentication, including SecurID and Digipass tokens.
However, the best solution to the problem of effective strong authentication lies in the use of Public Key technology and digital certificates.
Digital certificates provide a way of positively identifying users, and are inherently supported by many applications and platforms in general use today.
Most importantly, the use of digital certificates offers vastly simplified and therefore more cost-effective administration processes when dealing with large volumes of users, particularly when these include users other than an organisation's own staff.
Combining digital certificate-based strong authentication with appropriate access control and authorisation technologies ensures that the right people have the right privileges, protecting both the organisation's resources and reputation.
Digital certificates also provide control for revoking credentials in the event of a user moving or leaving an organisation. Revocation can be carried out by the individual themselves, or centrally by an administrator.
The provision of these credentials can also be integrated into identity management systems for the issuance of certificates, whether on smartcard, USB token or mobile phone.
The cost and complexity of implementing and managing Public Key and digital certificate infrastructures are continuing to fall.
Such security systems are no longer a luxury restricted to large financial or governmental organisations but are fast becoming a realistic option for a wider number of organisations across all industry sectors.
As well as keeping networks secure, stronger security systems will protect the reputation of organisations and build trust in the internet.