The perils of passwords

Kill the Password: Why a String of Characters Can’t Protect Us Anymore
http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/

Yes, a long article, but one well worth reading for anyone reading this (since you clearly are on-line and thus have an on-line presence to protect and defend). As mentioned in the article, the problem is that humans are silly creatures that want maximum security and maximum convenience, two things that are mutually incompatible. Because humans are such credulous creatures they generally want to believe lies that match their fantasies, so when told that adding numbers, upper case and lower case characters and special characters to their passwords will protect them, they figure they have done their civic duty and are free to move about the Internet. However, as explained in detail in the article (really, you should take the time to read it!), it doesn’t matter how complex and unguessable your password is when it can be trivially reset to anything a hacker wants. Because so damn many people forget their passwords (one of my 401K sites insists on changing passwords every quarter, or _exactly_ every time I access the damn site!) the password reset has to be trivial or any company would go bankrupt from the customer service nightmare. Of course, it is no more challenging to ‘defeat’ a human-‘powered’ password reset system than a computer-based one. If the customer support people weren’t helpful, they would be fired!

Is there a feasible system? Well, the traditional way to secure something is via three-factor authentication: something you are, something you know and something you have. For example, fingerprints or an iris scan, a password/PIN and a security token such as a smart card. It is still possible for a determined attacker to overcome these hurdles (it is actually remarkably simple to fake out fingerprint scanners and I have read stories that iris scanners are also fairly simple to defeat; passwords/PINs, of course, are trivial to guess and you can steal a smart card without too much difficulty, though it does preclude a remote-only attack), but you substantially raise the bar and make wholesale hijacking of information extremely difficult. People, of course, generally won’t put up with those sorts of constraints (they always lose stuff, first of all), so they prefer the lie that passwords will protect them if they just don’t use ‘password’.

This is something that will eventually need to be overcome, but I don’t think it is feasible to predict what the successful path will be. Governments don’t really want strong authentication/encryption because that weakens their ability to snoop on information, so in one sense the criminals and governments are on the same page and work toward the same goals. There is also the incredibly huge amount of money involved (8 _billion_ people!), so there will be endless attempts by the oligarchy to game the system. I therefore see a very long time while we are insecure, because we (as a human population and society) are too lazy to insist on something robust and there are just too many stakeholders with competing interests for the market to produce a single product. Look at how long the Blu-ray vs HD DVD war lasted and the previous one between Betamax and VHS (and what won in that case was the crappier VHS). Plan on being insecure for _at least_ a decade longer, likely two, unless you want to take on your own efforts to be secure and hugely complicate your life.

Of course, for the clever, there is a huge potential market to tap if they could somehow convince the world to adopt some solution they thought of. It would have to be open source and freely adoptable to have any chance, which makes revenue generation more than a little bit challenging, but I can see some sort of multi-factor authentication process via a smart phone or equivalent being the way forward; just thinking about the FUD that would be thrown at such an attempt exhausts me, though. There are all sorts of ideas I haven’t bothered to pursue because of what I perceive as the huge hurdles to overcome, either via NIMBY (not in my back yard), consumer acceptance or unfair competition from current companies. That is one of the reasons I pretty much focus exclusively on coming up with novel ideas that solve problems in ways that wouldn’t have any competition.

Anyway, read the article so you know how vulnerable you are. Then, either follow some of the tips to make yourself much less insecure (but still not secure, but then security is all relative) or realize that you are only surviving by being obscure and ensure you never rise to the level of being interesting to hackers.

Author: Tfoui

He who spews forth data that could be construed as information...