Last June, 6.5 million LinkedIn passwords were stolen by hackers and posted online. eHarmony lost 1.5 million passwords; Yahoo Voice another 450,000. Among the most common passwords used: 123456, welcome, and the ever popular “password.”
The problem isn’t that these sites should have done a better job protecting user data (though they should have). It’s not that their users chose passwords that were too easy to crack and then recycled the same ones for every site (though they did).
The problem is that passwords suck.
“To use the Net these days you have to have dozens of passwords and logins,” notes Terry Hartmann, vice president of global security solutions for Unisys. “Every time you go back to a site it feels like they’ve introduced new rules to make passwords more complex. Eventually, users revert to using one password for everything.”
In short: The password system is broken, and cyber criminals are taking full advantage.
Of course, all is not lost. There are things you can do, like use software to store and manage your passwords. There are things that sites can do, like requiring multi-factor authentication or biometrics to identify users. Even the Federal government is trying to do something about it. But the password problem isn’t going away any time soon.
Password management programs are like spam filters — boring but essential tools for managing your digital life. A good password manager not only remembers all your logins, it can replace the simple passwords you’ve chosen with complex ones and let you quickly change them if a site’s been hacked.
The best part: Instead of having to remember dozens of unique passwords, you have to remember just one – the master password for your vault. And unless you always log on from the same machine and same browser (in which case you probably are reading this on an AOL dialup connection), you’ll want a cloud-based program like LastPass, 1Password, or Roboform that can apply your logins to any PC, phone, or tablet you use.
The downside: You still have that one password to remember. If an attacker has managed to plant a keylogger onto your system, he or she also has that password, notes Robert Siciliano, an online security expert for McAfee who uses a password vault to store more than 700 logins.
And if a cloud-based password vault is hacked – as LastPass was in May 2011 — it could be game over. Fortunately for LastPass customers, no sensitive information was breached. The next time, though, users might not be so lucky.
So even complex passwords stored in an encrypted vault still aren’t enough. For added security some sites rely on additional factors to identify users, typically something users have in their possession. Even if attackers have your password, they’d still need the other factors to access your stuff.
Financial institutions are required by law to use multiple factors when handling online transactions, but they may do it in the background by authenticating your machine or its location, says Siciliano. If you live in San Francisco and someone in Shanghai is attempting to access your account, for example, that transaction may be blocked, or that person may be required to provide an additional factor by answering a security question, identifying an image, or entering a number sent to a device provided by the bank.
Google and Facebook now offer two-factor authentication as an option; you can have them send a temporary PIN to your cell phone whenever you log in from an unfamiliar machine, which you must provide along with your password when you log on.
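The step-up flow described above (password on a known device, password plus a temporary PIN on an unfamiliar one) as an added Python sketch; it is not code from any of the companies named and assumes the password itself has already been verified, a hypothetical out-of-band channel that delivers the PIN, and a constructed five-minute PIN lifetime:

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL = 300  # assumed lifetime of a temporary PIN, in seconds


class StepUpAuth:
    """Second-factor gate: trusted devices pass, unfamiliar ones must enter a one-time PIN."""

    def __init__(self, server_secret: bytes):
        self.server_secret = server_secret
        self.trusted = set()   # HMAC tags of devices that completed a step-up before
        self.pending = {}      # username -> (pin, expiry); one outstanding PIN per user

    def device_tag(self, username: str, device_id: str) -> str:
        # Keyed hash so the trusted-device list does not store raw device identifiers
        msg = f"{username}|{device_id}".encode()
        return hmac.new(self.server_secret, msg, hashlib.sha256).hexdigest()

    def begin_login(self, username: str, device_id: str, now=None):
        """Called after the password check. Returns ("ok", None) or ("pin_required", pin)."""
        now = now if now is not None else time.time()
        if self.device_tag(username, device_id) in self.trusted:
            return "ok", None
        pin = f"{secrets.randbelow(10**6):06d}"        # 6 random digits, CSPRNG
        self.pending[username] = (pin, now + PIN_TTL)
        # The PIN is returned here only to hand it to the SMS/push sender;
        # it must never be sent back to the browser that asked for it.
        return "pin_required", pin

    def complete_login(self, username: str, device_id: str, submitted: str, now=None) -> bool:
        now = now if now is not None else time.time()
        entry = self.pending.pop(username, None)   # single use: consumed even on failure
        if entry is None:
            return False
        pin, expires_at = entry
        if now > expires_at:
            return False                            # expired PIN, user must restart
        if not hmac.compare_digest(pin, submitted):
            return False                            # constant-time compare, no retry on this PIN
        self.trusted.add(self.device_tag(username, device_id))
        return True
```

A wrong guess discards the pending PIN, so an attacker who knows the password still has to trigger a fresh out-of-band delivery for every attempt.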
But aside from banks and a handful of big sites, multi-factor authentication is still not widely used, in part because it’s less convenient. And, of course, it still typically employs a password (which sucks).
“Two-factor authentication doesn’t always pass the grandma test,” says Siciliano. “That means more support calls, more password resets, and higher costs. That’s why it’s typically only used by companies with a lot to lose.”
The beauty of biometrics is there’s nothing to remember. Fingerprints, voice and facial recognition, iris scans – there are dozens of physical characteristics unique to your body that can be used to identify you. Unisys’s Hartmann says major banks are piloting biometric identification systems now, and expects them to begin rolling out next year. Apple’s recent $360 million acquisition of AuthenTec, maker of fingerprint scanning technology, suggests that some form of biometric identification may be built into future Apple products.
But biometrics has its own problems. Fingerprint scanners have been gamed by gummy bears; facial recognition systems have been fooled by photographs. At last July’s BlackHat conference, security researchers demonstrated a way to trick iris scanners by reverse engineering the image data.
Biometrics stored in a central database can become the target of hackers, who could steal identities by substituting their own biometric data for their victims’. As with passwords and other personally identifiable information, biometric security would depend entirely on whoever is storing the data (we all know how well that worked at LinkedIn).
Requiring biometrics at login could make anonymity difficult if not impossible for political dissidents, whistleblowers, or people who inhabit multiple identities for personal or professional reasons. Fears over Minority Report-style government surveillance also give many consumers pause.
Despite all that, Joseph Pritikin, director of product marketing at AOptix Technologies, a maker of iris scanners deployed at airports and border crossings, predicts smartphones employing biometrics will be one of the key identification devices of the future, in part because the data can be stored securely on the device itself.
“It will be a combination of something I am and something I have, most likely a smart phone,” he says. “Their hardware-based encryption would be difficult to compromise.”
One ID to rule them all
The ultimate goal is to replace the seemingly infinite number of passwords with a single online identity. Which is why in April 2011 the Obama Administration launched a public-private initiative, the National Strategy for Trusted Identities in Cyberspace, to develop an identity ecosystem that would allow consumers to use any verification system and have it work seamlessly across any site.
Such a system would be able to verify that you’re old enough to buy wine online or that you qualify for a student discount, without necessarily sharing all your personal information with each site, says Jim Fenton, Chief Security Specialist for OneID, an Internet identity management system. And it would allow you to operate pseudonymously, if you chose.
But the wheels of government churn slowly. Last month [August 2012] the NSTIC’s steering committee held its first meeting. Among the issues it will eventually have to tackle are how much information is shared between parties and how much control consumers will have over that information, says Fenton, a member of the steering committee’s privacy group.
In other words, help is on the way, but it won’t get here soon. In the meantime, we’re stuck with passwords. And that sucks.
This article originally appeared in a different form on PCworld.com.
Cool graphic courtesy of GeekBeat.tv.