There's a tendency in the security field to always want to look at the impossible security problem, rather than actually solve easy security problems. Some examples:
- Single Sign-on: rather than look at how to enable the use of fewer passwords, the security world chases the impossible - getting down to a single password. In reality, most users have no problem remembering 3 or 4 passwords.
- Strong Authentication: rather than look at simple replacements for reusable passwords, the security industry focuses on the most expensive, complex solutions possible - smart cards and biometrics. Good enough approaches (like password generator tokens or simple grid cards) are pooh-poohed: "Well, new attacks will just go right around those."
- Unbreakable encryption: it's fun to point out how encryption can be broken, but the simple truth is that it almost never is.
This attitude is the old guru syndrome - if the problem becomes simple, the gurus have to get out of the way. It will change rapidly now that the Microsofts and Ciscos of the world are getting into security. The security industry will either become relevant to real life day to day security issues or only be remembered as Malthusian nattering nabobs of negativism.