by Brian Kelley
Password panic has hit an all-time high: Yahoo email servers were spied on for years, Target exposed millions of customers’ credit and debit card numbers, and politicians mucked up our politics after their email accounts were locked with weak credentials. The common thread in all of these major hacks is one simple and glaring flaw: a weak password.
These unwanted intrusions are common and only getting more frequent. They are also notoriously difficult to police. Hacking is a highly skilled crime, and most law enforcement authorities don’t have the expertise or jurisdiction to track and arrest the people behind it.
It’s becoming a substantial business expense too: The price of just one security breach averages four million dollars, and the overall damage is bad enough for Internet authorities to take action. The National Institute of Standards and Technology (NIST), the information technology wing of the US government, is experimenting with and weighing the benefits of multiple passwordless methods of access control.
Since it seems the problem will never completely disappear, cyber security is just a part of doing business online. But how do we make accounts truly secure again?
Weak passwords are worthless; strong passwords are forgettable
Let’s accept that the word ‘password’ for a password is wrong for many reasons. But statistics tend to show that many people opt for convenience over security every time. Beefing up your online banking password seems like a no-brainer, but rarely is the same consideration extended to a social media account or any of the other dozen services that require usernames and passwords.
Unfortunately, heavy security for some accounts and “light” security for others doesn’t exist. There are enough identifying threads throughout all of your accounts online that can be connected and ultimately compromised. In this case, the username is the most damaging element of the login process. Your username is essentially your online identity, and worse, it usually stays the same throughout multiple accounts. A breach in one of them means the perpetrator is a few steps away from breaking into more.
Username and password data is out of your control
Even the most thorough security habits can be meaningless if the hackers breach the database with all the passwords. The primary reason to frequently change passwords rests on the fact that you can’t control the data you give to companies and services.
Password resetting and recovery create far more problems than they solve. Because of server-side breaches that realistically no one can predict, changing passwords is essential to close the security gap. Unfortunately, the same process can be turned against the user and lock them out if the hacker is smart enough.
The grim reality is that database breaches are not even close to being under control. The scope and damage of stolen user credentials have only increased over time. As of right now, the only real defense against this is backing it up with additional factors of authentication, and a reset after the next inevitable security event.
Stolen passwords open the door to malware
It’s a vicious cycle: Malware gets planted in databases because of stolen credentials, and in turn, more credentials are stolen by the malware. There’s no sign of these attacks slowing down either: The email accounts of Yahoo users were compromised yet again from a third breach.
Designed to be embedded in common files, common malware types such as worms and trojans go unnoticed. Once the malware is in, it’s usually game over for any password without additional protection and backup. The tipping point has already come and gone. Data theft is automated and lucrative, while users are left to change their passwords manually.
Even password managers have to compensate for this eventuality. These programs promote complex passwords that aren’t easy to crack, but you’ll still have to change the credentials inside to counter unavoidable network attacks.
These attacks expose the critical weakness of passwords: Anything set and determined by a human will always be vulnerable to the resourcefulness of other humans.
Human readable credentials (HRC) will always be vulnerable to human ingenuity
The encryption process behind it all isn’t the problem — properly applied encryption almost never fails. But securing it with a weak passphrase invalidates that vital cryptography. Hackers rarely stage a successful attack on encrypted data because the password is easier to get. HRCs will always be susceptible to hackers due to their inherent lack of complexity.
To make passwords work, they require the kind of vigilance that adds up to a lot of wasted time. No one can easily remember random character strings, leaving a password manager as the most viable option.
That only covers the user’s side, too: There’s no cure-all for the passwords stored in commercial or governmental databases. The best passwords are useless when uncovered in a server-side breach. Ideally, no one besides the user should know their password, to keep it as safe as possible, but current systems don’t allow for that.
It’s past the point of defending HRCs. It’s time to start getting rid of them.
Trade in passwords for something better: Log in without them.
A lot of gadgets exist that circumvent the need for passwords. Security keys such as USB sticks or ID cards are common in high-security organizations but typically aren’t accessible to the public. However, security tokens can adapt to something ubiquitous: the smartphone.