Kill the Password

This week I would like to draw readers’ attention to an article that appeared in Wired at the end of last year. Written by Mat Honan and entitled Kill the Password: Why a String of Characters Can’t Protect Us Anymore, it makes for really interesting and alarming reading.

The author starts by explaining that he lost all of his digital life last year as his accounts were hacked, an event that lead him into investigating online security and how it is breached.

What he discovered is not for the faint hearted. The linking together of different accounts using an email as username means that any seriously interested party with a little time on their hands and very little money can relatively easily get into a single account, and from there into the others.

His conclusion is that the culture of using passwords for security is outdated, a thing of the past and that anyone who tells you otherwise is either deluded or trying to convince you of something that is not true.

The worst password choices

Worst passwords of 2012

The availability of information is a problem because of the personal question access to resetting your password. Mother’s maiden name, place born etc. are easy things to find out about anybody through ancestry sites or other documents. Once you have somebody’s email address, you try to reset the password using the personal questions through the provider’s website. The answers might be on Facebook, or on their blog, or maybe intuitive, but they are out there.

Then to the customer services rep that you speak to by phone. They are people and can be misled. The article contains a transcription of a conversation between a hacker and one of these people. As the user needs to be able to reset the password they are offered a series of questions that get easier and easier to guess. Names of best friends is possible using Facebook or other social network publications, but if not try favourite food or others, but the example given is name of one of the files in the account. Try Google, Amazon, Personal, one will be right.

So the problem is that the system needs to be flexible and easy enough to use, so we must be able to easily change our passwords, but this makes security impossible.

How can this problem be addressed? Here the trade off is privacy. If the company knows you, through your search histories, places you have been, where you work and what you like to do they might better be able to tell if the password reset-er is you, but you lose any privacy you think you might have.

Voice recognition can be tricked using recordings, biometrics and fingerprints too. Once a system uses these things that cannot be changed or reset the problem is magnified. If I have a fingerprint lifted from a screen I can use it to get anywhere and new fingers are hard to come by these days, so what do you use next?

The article poses these problems from the point of view of somebody who has been hacked, but the author also looks at who these hackers are and even meets a couple. It is big business in certain circles, particularly in the Russian speaking world where organized crime has a large stake and makes a lot of money through stealing identities and all that follows. In other circles they are just “kids” having some fun wreaking havoc.

There are a few simple strategies outlined in this (not short) article that are worth following but none are foolproof, and that is a lesson we could all learn from. Just a word of warning, it contains some harsh language.

On a lighter note happy new year to everyone, and my mum’s maiden name was Windsor (no relation to either Barbara or Elizabeth).

11 thoughts on “Kill the Password

  1. Christopher (admin team)

    I knew passwords were a little insecure, but for day to day use, I assumed they were safe enough. Maybe they can protect your account from your friends getting in, but if someone really means business and wants to get your info, it seems all to easy.

    Thanks for your mothers maiden name Jonny, remind me who you bank with? Only kidding! ;-)

  2. Great post, Jonny! So many people jump to the conclusion that biometrics like fingerprints or retinal scans are the solution. Only when you explain to them that the cost of having that security hacked is new fingers or eyes do they realize that maybe that isn’t the holy grail of security.

    It’s a complex issue and I’m very, very wary of common security solutions like Facebook login or authenticating via Twitter. It will be interesting to see what solutions are provided in the future.

    Cheers!
    –Sean

    • Christopher Roberts

      It does amaze me, how many people don’t even glance over a website/service before they authorise Facebook/Twitter to share their details with it!

      Welcome to Technology Bloggers community Sean, thanks for the comment :-)
      Christopher – Admin Team

  3. I hadn’t realized that my accounts were that vulnerable. Perhaps a made up nonsense word as the answer to the security question would be the way to go. Something that makes no sense at all, doesn’t connect to anything in real life, and that only would be known by me?

    Now I feel like changing all my passwords!

    • Christopher Roberts

      Jonny is very good at raising important issues like this Stephano, I highly recommend you follow his works – he posts weekly :-)

      You maybe don’t need to change all your passwords, but make sure the important ones, ones you would really worry about if something happened to them, are very secure.

      Thanks for the comment Stephano, welcome to our (Technology Bloggers) community!
      Christopher – Admin Team

Leave a Reply

You do not need to enter your name or email address. Your email address will not be published.

Email notifications of direct replies to your comment.

Current ye@r *