Passwords Are Passé – Unless You’re a Hacker

Posted on May 29th, 2014 by Dan Rampe


Passwords are passé. Finito. Kaput. Toast. That’s one of the takeaways from the eBay breach that placed roughly 145 million accounts at the tender mercies of cybercriminals.

Jon Xavier, the Silicon Valley Business Journal’s technology reporter, says the eBay breach has demonstrated “the era of the password is over.” In his article, Xavier traces the history of the password from the days when passwords on the Internet made sense to today, when they deflect criminal activity about as well as a “do not disturb” sign. The following has been edited to fit our format. You can find the complete article by clicking on this link.

Passwords were never intended to be the monster they’ve become. They were never THAT secure — human nature and the fallibility of memory meant that most people chose stuff that was easily guessed. Yet in the early days of computing, that was OK. The fact that you had to actually physically get to the mainframe where the data was stored provided another layer of security, and that was good enough in the era before everything was connected.

The Internet changed that, of course, but websites adopted the password because it was what they had, and it was still good enough. Some of the smarter sites started requiring your password be a minimum length and contain letters and numbers, but that was more an effort to save you from yourself than a real increase in security. Despite that, lame passwords like “letmein” and “password123” proliferated.

Again, it was OK. The Internet was just this oddity that people used to host fansites for boy bands and share proto-memes like The Hampster Dance or videos of guys wielding golf ball retrievers like light sabers. Nobody hacked websites because there was nothing much there to hack — until suddenly, there was.

The old joke goes that the No. 1 reason criminals rob banks is because that’s where the money is. E-commerce, and to a lesser extent social media, did that for the Internet. Now that websites were storing credit card numbers as well as a whole trove of useful information about their users, suddenly they had something worth stealing.

The breaches got more sophisticated as more sophisticated hackers turned to compromising websites. The tools got more sophisticated, too. Now we’ve reached a point where even very long passwords aren’t especially safe so long as they’re based around words in the dictionary, because hackers program their hacking utilities to look for patterns that mimic language, drastically reducing the time and effort it takes to crack a password. We’ve reached a point where computing power is cheaply available in the cloud, making brute force hacks that would have been hard to do even three years ago suddenly viable.

And passwords have gotten, what? Not more secure, certainly. Again, the smarter website operators have pushed for longer passwords, passwords with special characters, with caps, that don’t use common dictionary words. Passwords that are hard to remember, in other words.

And even still, this is more the appearance of security than actual security. People still use “password” as their password; they just replace the a and the o with a 4 and a 0, tack an ampersand onto the end and call it a day.

It’s pretty clear: we need to move beyond passwords as a primary security standard on the Web. What we move onto isn’t as clear.

Password services like LastPass and KeePass, which generate very strong passwords and then enter them automatically for you, seemed like an early favorite. But those work best when you’re only accessing the Web from a single device, whereas today we have many — PC, laptop, work computer, tablet, smartphone, etc.

And what does one do once more of the objects in their home come online as a part of the Internet of Things? It’s not a use case those services are adjusted for yet.

Two-factor identification, which uses a password in addition to a verification from another device, such as by entering a code texted to one’s cell phone, is a more recent stab at the problem and probably a more comprehensive one.

But they’re not yet offered by all websites (and I ask, Why not?). Not only that, but they work best on PCs. What happens when you primarily access the Web through the same phone that is supposed to receive the verifying text message, a device that is prone to being lost or stolen?

Most recently, we’ve seen the first forays into using biometric data to unlock data, such as through the new fingerprint scanners on the latest iPhone. That’s potentially a much better successor to the password: You don’t have to remember your biometric login, and biometric data is at least potentially much more difficult to crack.

But it also raises some worrying questions: Who stores that biometric info about a person? How do they secure it? Do we REALLY want them to have that much data about us?

There’s not a clear answer here. But one thing is for sure: We do need to fix this. Passwords were long ago outgrown by the security needs they were supposed to address. We can keep changing them all we want (and given that these breaches keep happening, we probably will), but until a viable alternative is found, no login will ever truly be secure.
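Xavier’s point about “p4ssw0rd&” and about cracking tools that look for language-like patterns is easy to demonstrate from the defender’s side. The following Python example is added here and is not part of Xavier’s article or any ThreatMetrix product: it is a registration-time password check that undoes the usual character substitutions and strips decorative digits and symbols before comparing against a word list, so that a candidate which “looks complex” but is really a dictionary word gets rejected. The word list and the sample passwords are constructed for the example; a real deployment would load a large dictionary and breached-password list.

```python
import re
from typing import Set, Tuple

# Constructed stand-in for a dictionary / breached-password list.
# A real deployment would load a large word list here.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey"}

# Substitutions that rule-based guessing tries automatically, so they add
# no real strength: "p4ssw0rd" is as guessable as "password".
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

# Leading/trailing runs of anything that is not a letter ("123", "&", "!").
_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def _strip_edges(s: str) -> str:
    """Drop decorative digits/symbols at either end: "password123!" -> "password"."""
    return _EDGE_JUNK.sub("", s)


def variants(candidate: str) -> Set[str]:
    """All the forms of the candidate that a rule-based guess would also reach.

    Both orders (strip then de-leet, de-leet then strip) are generated because
    a trailing "2014" contains leet digits that would otherwise be mistaken
    for letters and never stripped.
    """
    lower = candidate.lower()
    leet = lower.translate(LEET_MAP)
    return {
        lower,
        leet,
        _strip_edges(lower),
        _strip_edges(leet),
        _strip_edges(lower).translate(LEET_MAP),
    }


def check_password(candidate: str, min_length: int = 12) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Dictionary-derived candidates are rejected regardless of length or symbol
    count, which is the point of the article; a length floor is applied after.
    """
    for form in variants(candidate):
        if form in COMMON_WORDS:
            return False, f"derived from the common word '{form}'"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample candidates, including the article's own "p4ssw0rd&" pattern.
    for pw in ["password", "p4ssw0rd&", "P4ssw0rd&2014", "L3tM3!n", "xK9#mQ2vLp7rT"]:
        ok, why = check_password(pw)
        print(f"{pw!r:18} -> {'accept' if ok else 'reject'}: {why}")
```

Running it shows why the “replace a with 4, add an ampersand” trick buys nothing: “P4ssw0rd&2014” satisfies every length-and-character-class rule a site might impose and is still rejected, because one normalisation step turns it back into “password”. The length floor is deliberately checked second so that a short candidate is reported for the more serious problem, being a dictionary word, before the cosmetic one.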

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.