
What comes after the password?

We know that passwords are dead. They just haven’t stopped moving yet. Or rather, they move too much — into the wrong hands.

A claimed 427 million passwords from a 2013 Myspace hack were just put up for sale. Another 117 million LinkedIn password/email combinations were made available for sale on a dark net site in May, four years after that site was hacked.

People use terrible passwords all the time that make their login credentials easy to crack. When a crook steals a person’s LinkedIn password, chances are they have the passwords to that person’s other accounts too, because so many people reuse them across multiple sites. Even Zuckerberg does it.

Password thefts have become so frequent that they even have their own websites. HaveIbeenpwned.com, which collects and lists email addresses compromised by password hacks, lets you search for your email address to see whether your password is among the fallen. Leakedsource.com does the same thing.

Searching these sites to find you’ve been compromised leaves you a little late to the party, though. It’s time to change the system.

2FA? Not so fast

Two-factor authentication, which pairs something you know (a password or PIN) with something you own (a smartphone, say), has its own problems. It’s supposed to make authentication more secure by preventing hackers from using stolen passwords.

So why did Black Lives Matter activist DeRay McKesson have his Twitter account taken over, even though he used his phone for two-factor authentication? The hijacker called Verizon, pretended to be him, and changed his SIM card.

No wonder, then, that NIST has just updated its recommendations for authentication, and wants to phase out SMS as a two-factor authentication mechanism in future guidance. This means we have to refine our approach to authentication even further.

2FA is still alive and well. We can use dedicated 2FA apps, like Google Authenticator, which means we can still rely on our smartphones and don’t need to use hardware tokens. Now, though, there are other options emerging — some are being tested by commercial vendors, while some are in academic labs.

The obvious one is biometrics. We’ve already seen fingerprint readers on Apple and Android devices, and Microsoft tried some iris recognition in Windows phones before canning its manufacturing operation. These work well, but they restrict access to a certain device, leaving laptop and desktop users stranded.

Google has been testing password-free, SMS-free access: users enter their email address while logging into their account, then tap a sign-in notification on their phone. This at least makes it possible to access a website or software app on a non-phone, non-mobile platform.

This seems to be a stepping-stone on the way to a far broader revamp of its authentication mechanisms, though. The firm’s Project Abacus uses a variety of biometric and behavioural inputs, including not only your login location, but also the pattern and speed of your typing, and even voice patterns and facial recognition.

The system, which is always running in the background on your phone, collects data about you all the time and uses it to build a trust score. This can then be evaluated by the service that you’re trying to access. Your online bank account may require a higher trust score than your Pokemon Go account, for example.

This represents a significant shift, because it moves us to a probabilistic, rather than a deterministic, approach, which reflects the true nature of risk. Zeroing out risk is impossible. There are simply degrees of risk, and levels of acceptability.
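To make the probabilistic model concrete, here is an added illustration (not Google’s code, and no claim about how Abacus actually weighs its inputs): a handful of assumed signals are combined into a trust score, and each service applies its own threshold, with a step-up challenge in between allow and deny. Signal names, weights, thresholds and the three scenarios are all constructed for the example.

```python
from typing import Dict, Optional

# Assumed weights (not Google's Abacus values): each signal is a match
# probability in [0.0, 1.0]; None means the signal was unavailable,
# e.g. no camera or microphone on the device used to log in.
SIGNAL_WEIGHTS = {
    "location": 0.15,  # login location vs. the owner's usual locations
    "device": 0.20,    # a device the owner has used before?
    "typing": 0.20,    # typing pattern and speed vs. the owner's profile
    "voice": 0.20,     # voice pattern match
    "face": 0.25,      # facial recognition match
}
# Assumed per-service minimum trust: the bank demands more than the game.
SERVICE_THRESHOLDS = {"bank": 0.85, "pokemon_go": 0.40}
# How far below the threshold a step-up challenge (an authenticator app,
# not SMS) is still offered instead of an outright denial.
STEP_UP_MARGIN = 0.35
# Constructed scenarios, not real telemetry.
OWNER_PHONE = {"location": 0.9, "device": 1.0, "typing": 0.85, "voice": 0.9, "face": 0.95}
OWNER_LAPTOP = {"location": 0.9, "device": 1.0, "typing": 0.85, "voice": None, "face": None}
STRANGER = {"location": 0.1, "device": 0.0, "typing": 0.1, "voice": None, "face": None}

def trust_score(signals: Dict[str, Optional[float]]) -> float:
    """Weighted sum of available signals over the total weight."""
    # A missing signal adds nothing, so it lowers the score instead of
    # being silently treated as a match: absent evidence is not trust.
    total = 0.0
    for name, value in signals.items():
        if name not in SIGNAL_WEIGHTS:
            raise ValueError(f"unknown signal: {name}")
        if value is None:
            continue
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"signal {name} out of range: {value}")
        total += SIGNAL_WEIGHTS[name] * value
    return total / sum(SIGNAL_WEIGHTS.values())

def decide(service: str, signals: Dict[str, Optional[float]]) -> str:
    """Map the trust score onto allow / step_up / deny for one service."""
    required = SERVICE_THRESHOLDS[service]
    score = trust_score(signals)
    if score >= required:
        return "allow"
    if score >= required - STEP_UP_MARGIN:
        return "step_up"
    return "deny"

if __name__ == "__main__":
    for who, s in [("owner_phone", OWNER_PHONE), ("owner_laptop", OWNER_LAPTOP), ("stranger", STRANGER)]:
        print(f"{who}: score={trust_score(s):.3f} bank={decide('bank', s)} game={decide('pokemon_go', s)}")
```

The laptop scenario shows the point about biometrics stranding desktop users: with no camera or microphone the owner still clears the game but only gets a step-up challenge at the bank, while a single perfect face match on its own cannot clear the bank either.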

The password promoted a binary ‘secure/insecure’ operating model that never existed in the real world. Put a stake through its heart, enclose it in a lead box, bury it a mile underground, put up ‘no go’ signs around the area and then protect it with deadly lasers. The password is a thing of the past.

So why are we still using it?

Illustration courtesy Mark Glucki/Wonderlab Media
