Why passwords are no longer fit for purpose in today’s world
There are said to be two types of company: those that have been hacked, and those that don't yet know they have been. In such a world, how is it possible to stay secure?
In many ways security is fundamentally about identification, or more precisely authentication: not just claiming who you are, but proving it. Some information on the web is for your eyes only: your email, bank account and cloud file storage. Yet whilst the need to identify people is as old as society itself, the digital age presents its own challenge. How can a computer really check that you are who you say you are, when all it can see is what you type?
There were 16.6 million victims of identity theft in the US
If computers are fooled into making an incorrect identification decision there can be serious consequences. Last year in the US, 16.6 million people were the victims of identity theft. Collectively, as a result of this impersonation, $18 billion was stolen (Javelin Strategy and Research), not to mention the data and personal information that was leaked in the process. Industrial secrets, precious family photos and live footage from private cameras are now all susceptible to unauthorized access.
Since the beginning of the digital age the issue of identification has plagued social networks, dating services and online sites of every kind. Despite these challenges, passwords have emerged as the de facto way of identifying ourselves online. At Decoded, we believe that this era is coming to an end: passwords are giving way to methods of authentication based on who you are and what you carry, rather than only on what you can remember.
Passwords are the weakest link in your company's cyber security
Since ancient times, passwords have been used as a simple and effective method of identification. Originally used in the military, a password determined whether you were friend or foe. The concept made its way into computing in 1961 at MIT, and the technology behind passwords has remained broadly static ever since. Whilst simple, passwords have an inherent weakness: they are almost always user defined, and users choose what is easy to remember. A four-digit passcode has at most 10,000 possibilities, which a computer can exhaust in seconds if it is allowed to keep guessing (which is why login forms and PIN pads lock out after a few wrong attempts, and why the real danger is an attacker who has obtained the stored password data and can guess offline, unthrottled). Worse, users do not choose evenly across those 10,000: a study by Data Genetics found that around 10% of PINs are “1234”, and that the top 20 combinations between them cover more than a quarter of all PINs. For a password to be truly secure against guessing, something like tsHhd64$82£acDf needs to be selected.
A calculator such as “How Secure is My Password” estimates that this password would take a desktop computer 24 quadrillion years to crack, compared with 52 seconds for a dictionary word like “keepsake”. Treat such figures as illustrations rather than measurements: they assume one fixed guessing rate, whereas the real rate depends on how the service stores passwords (a slow, salted hash such as bcrypt allows thousands of guesses per second; an unsalted MD5 or SHA-1 hash allows billions on a single GPU) and on whether the attacker can guess offline at all. And never type a password you actually use into a third-party checker. When used correctly, passwords can be a successful way of identifying an individual. In reality, though, security is constantly up against convenience. It can be hard to convince users to choose secure passwords, especially when the costs of a weak one are often felt more acutely by businesses and governments than by the users themselves. Usually the easiest way to crack a password is to try a list of common passwords and a dictionary of words first, and only then to “brute force” it, that is, to try every possible combination. In hacking circles it is often said that obtaining a username is 50% of the battle: once you know who you are attacking, it becomes much easier to guess their password.
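The staged attack described above (common passwords first, then a dictionary, then exhaustive search) and the arithmetic behind crack-time calculators, as an added example that is not code from the original article. The common-PIN list, the wordlist and the three guess rates are constructed, order-of-magnitude assumptions for illustration; the "leaked" hashes are unsalted SHA-256 so that the search runs offline in well under a second.

```python
import hashlib
import itertools
import string

# Assumed short list of the most common four-digit PINs, constructed for this
# example (the Data Genetics study cited in the article publishes the real ranking).
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444",
               "2222", "6969", "9999", "3333", "5555", "6666", "1122", "1313",
               "8888", "4321", "2001", "1010"]

# Tiny stand-in wordlist, constructed for the example; real attacks use millions of entries.
WORDLIST = ["password", "letmein", "welcome", "keepsake", "dragon", "monkey"]

# Assumed order-of-magnitude guess rates for three attacker situations.
GUESS_RATES = {
    "online login form with lockout": 1e1,
    "offline, slow salted hash (bcrypt/scrypt/Argon2)": 1e4,
    "offline, fast unsalted hash on a GPU rig": 1e10,
}


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 stands in for the leaked hash: fast, so cheap to guess against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def keyspace(password: str) -> int:
    """Size of the smallest character-class space that contains the password.
    Online calculators divide this by an assumed guess rate to get a crack time."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII symbols; '£' is counted as a symbol too
    return alphabet ** len(password)


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace: the figure a crack-time calculator shows."""
    return keyspace(password) / guesses_per_second


def crack_time_table(password: str) -> dict:
    """The same password under each assumed guess rate, in seconds."""
    return {name: worst_case_seconds(password, rate) for name, rate in GUESS_RATES.items()}


def candidates():
    """Guess order a real cracker uses: likeliest first, exhaustive search last."""
    for pin in COMMON_PINS:
        yield "common list", pin
    for word in WORDLIST:
        yield "dictionary", word
    for digits in itertools.product(string.digits, repeat=4):
        yield "brute force (4-digit PINs)", "".join(digits)


def crack(target_hash: str):
    """Run the staged attack against one hash; return (stage, password, guesses) or None."""
    guesses = 0
    for stage, candidate in candidates():
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return stage, candidate, guesses
    return None


if __name__ == "__main__":
    for pw in ["1234", "keepsake", "7391", "tsHhd64$82£acDf"]:
        print(f"{pw!r}: keyspace {keyspace(pw):.3g}, staged attack -> {crack(sha256_hex(pw))}")
        for name, secs in crack_time_table(pw).items():
            print(f"    {name}: {secs / 86400 / 365.25:.3g} years to exhaust")
```

The point the table makes is that "keepsake" is safe against an online attacker who gets ten guesses a second (centuries to exhaust 26^8) and gone in seconds against an offline attacker with a GPU; and that the staged attack never needs the keyspace at all, finding it in a couple of dozen guesses because it is in the dictionary. The 4-digit brute-force stage is bounded so the example finishes instantly; the same loop with a larger alphabet is why the 15-character password above is out of reach.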
Some of the most famous hacks have happened as a result of this method. The 2014 iCloud hack, where photos of celebrities, along with huge amounts of other sensitive data, were leaked, was most likely the result of attackers guessing the passwords and security-question answers of particular, targeted accounts.
Sometimes hackers don't even need to guess passwords, because they are blank or have never been changed from well-known defaults such as “0000”, “changemenow” or “password”. Last year, two 14-year-olds hacked an ATM by reading the operator's manual and typing in the default administrator password.
In a similar way, Gary McKinnon got into 97 US military and NASA computer systems between 2001 and 2002 by scanning for machines where the administrator password was either blank or still set to a default. Even the phone hacking scandal in the UK, which led to swathes of celebrities and public figures having confidential information leaked, came down to default voicemail PINs that had never been changed.
One password to rule them all
A single password might be more secure than hundreds put together
One of the major inconveniences with passwords is the number of sites that require you to create one. Websites from banks to florists will ask you to set a username and password, and whilst best practice is to use a different password for each site, this often simply isn't realistic.
Using many passwords across multiple sites can have disastrous consequences. At the end of 2013 a data breach at Adobe resulted in 150 million usernames and passwords being released. This should not have been a problem had the passwords been stored as best practice requires: as a salted, slow hash that cannot be reversed and that differs between users even when their passwords are the same. Instead, Adobe had encrypted every password with the same key (3DES in ECB mode) and stored each user's password hint in plain text. Because identical passwords therefore produced identical stored values, an attacker could group every account with the same value together and read all of their hints side by side: if anyone sharing your password had left a revealing hint, or had chosen a password that could be guessed, your password fell with theirs.
150 million passwords were released in the data breach at Adobe in 2013
The Adobe leak was made worse by the fact that people tend to use the same password across multiple sites. A study by Ofcom, the UK communications watchdog, found that 55% of UK adults use the same password for most of the websites they log in to. This means that if your password was on the Adobe list, it is very likely that a hacker has access not only to your Adobe account but to your email, bank account and any other service you care to mention. A website called “Have I Been Pwned” keeps a record of the leak, and you can use it to discover whether your email address was on the list. These challenges have driven a great deal of password security innovation in the last few years. Companies like LastPass and 1Password offer password managers that store all of your passwords behind one strong master password. Extensions in your browser and apps on your phone then fill in sites with unique, complex passwords, so that if one site is hacked the damage is limited to that site. However, password managers face a similar issue with the master password: everything now rests on it, so how do you persuade users to choose a strong one?
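The grouping attack on Adobe's dump, beside the salted storage that defeats it, as an added example that is not code from the original article. The accounts, hints and guess list are constructed. Adobe's actual storage was 3DES-ECB under a single key; this example uses an unsalted SHA-256 as a standard-library stand-in, which has the same defining property (equal passwords always produce equal stored values) and so exposes the same attack. The PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the example

# Constructed sample accounts: (username, password, password hint).
# Three users share a password, as many users in any large dump do.
ACCOUNTS = [
    ("alice", "sunshine", "favourite word"),
    ("bob",   "sunshine", "sun + shine"),
    ("carol", "sunshine", ""),
    ("dave",  "hunter2",  "the usual"),
    ("erin",  "qwerty12", "keyboard, then 12"),
]
WORDLIST = ["password", "123456", "sunshine", "letmein"]  # constructed guess list


def deterministic_store(password: str) -> str:
    """Stand-in for Adobe's single-key encryption: no salt, no per-user variation,
    so equal passwords map to equal stored values and accounts can be grouped."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_store(password: str, salt=None) -> str:
    """Per-user random salt plus a slow KDF: equal passwords look unrelated."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def salted_verify(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_dump(accounts, store):
    """What the attacker gets: no plaintext passwords, but the hints in the clear."""
    return [{"user": u, "stored": store(p), "hint": h} for u, p, h in accounts]


def group_by_stored(dump):
    groups = defaultdict(list)
    for rec in dump:
        groups[rec["stored"]].append(rec)
    return groups


def hints_shared_with(dump, user):
    """Other users' hints for the same stored value: leaving your own hint blank is no protection."""
    mine = next(r["stored"] for r in dump if r["user"] == user)
    return [r["hint"] for r in dump if r["stored"] == mine and r["user"] != user]


def attack_deterministic(dump, wordlist):
    """Hash each guess once and it checks against every account at the same time.
    Returns (recovered {user: password}, hash computations, largest group size)."""
    lookup = {deterministic_store(w): w for w in wordlist}
    recovered = {}
    groups = group_by_stored(dump)
    for stored, recs in groups.items():
        if stored in lookup:
            for rec in recs:
                recovered[rec["user"]] = lookup[stored]
    return recovered, len(wordlist), max(len(r) for r in groups.values())


def attack_salted(dump, wordlist):
    """Every guess must be recomputed per account, through the slow KDF each time."""
    recovered, work = {}, 0
    for rec in dump:
        for word in wordlist:
            work += 1
            if salted_verify(word, rec["stored"]):
                recovered[rec["user"]] = word
                break
    groups = group_by_stored(dump)
    return recovered, work, max(len(r) for r in groups.values())


if __name__ == "__main__":
    det = make_dump(ACCOUNTS, deterministic_store)
    print("deterministic:", attack_deterministic(det, WORDLIST))
    print("carol's hint is blank, but her group's hints read:", hints_shared_with(det, "carol"))
    print("salted:", attack_salted(make_dump(ACCOUNTS, salted_store), WORDLIST))
```

Salting does not rescue a password that is in the attacker's wordlist; "sunshine" falls either way. What it removes is the batch advantage: with deterministic storage one hash computation tests a guess against all 150 million accounts at once and every group's hints can be read together, whereas with per-user salts the work multiplies by the number of accounts, each guess goes through a deliberately slow function, and carol's blank hint is no longer undone by bob's.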
Why multi-factor is killing passwords
Some of the most secure methods of authentication don't use passwords at all. The finance industry has been quick to adopt technologies that replace or complement password entry (think of your online banking “dongle”). At the end of last year, Barclays introduced biometric scanners to identify users logging into their online banking. Using Hitachi's finger vein authentication technology, the exact layout of a user's veins can be read, offering a more accurate and quicker alternative to the fingerprint scanners that have been in use for decades (most famously in Apple's Touch ID, often credited with pushing biometric authentication into the mainstream). In a similar way, Halifax has been trialling heart-rhythm monitoring bands to achieve a similar result. Whilst these physical methods are far harder to guess than a password, they have limits of their own: a vein pattern or fingerprint cannot be changed if a copy of it leaks, readers are not yet everywhere, and so biometrics work best as one factor among several rather than as a replacement for all of them.
One of the most common methods of identification beyond a password is a physical device you carry with you all the time: your phone. With “two-factor authentication” a one-time code is generated by an app on the phone (or sent to it by SMS or email) and checked by the service you want to use alongside your password. The combination means that a would-be hacker has to possess both your password and your device to get into your account. Codes generated on the device are preferable to codes sent by SMS, since text messages can be redirected or intercepted, and any code should be accepted only once. Many organisations have adopted two-factor authentication (sadly, as with Slack, the business messaging tool, adoption often comes only after a major hack), and a website called Two Factor Auth tracks which services support it.
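How the phone and the service agree on that "unique number", as an added example that is not code from the original article: the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate, built on HMAC-based one-time passwords (HOTP, RFC 4226), plus the server-side check a practitioner actually needs. The shared secret used in the demonstration is the RFC test key, not a real credential; the account name and issuer in the provisioning URI are placeholders.

```python
import base64
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch.
    Phone and server compute this independently; only the secret is ever shared."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, last_counter=-1, step=30, digits=6, window=1):
    """Server-side check. Returns the time-step counter that matched, or None.
    - tolerates +/- `window` steps of clock drift between phone and server,
    - compares in constant time,
    - refuses any counter <= last_counter, so a captured code cannot be replayed
      (the caller must persist the returned counter per user)."""
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI, the de facto key format that authenticator apps scan from a QR code
    at enrolment. The account and issuer here are placeholders."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226/6238 test key, not a real secret
    print(provisioning_uri(secret, "alice@example.com", "Example"))
    now = 95                                  # constructed timestamp: step 3
    code = totp(secret, now)                  # what the phone displays
    print("code:", code, "-> accepted at counter", verify_totp(secret, code, now))
    print("same code again:", verify_totp(secret, code, now, last_counter=3))
```

The two checks that are easy to forget are in verify_totp: the drift window, without which a phone a few seconds off the server's clock locks its owner out, and the last-used counter, without which a code phished or shoulder-surfed seconds ago is still good for the rest of its 30-second step. Neither applies to a code delivered by SMS, which is why an app-generated code is the stronger choice.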
Towards a world without passwords
Security experts everywhere are quick to admit that passwords alone are not enough to guarantee security in today's world. At Decoded, we believe that it is only a matter of time before passwords are phased out of common use. Whilst the financial sector has led the way with new authentication methods, industries like retail, where many of the largest recent breaches have happened, still have some work to do. For businesses around the world, we believe that security is done best when the latest technology is embraced.
By adopting a hacker mindset, traditional companies are fundamentally changing centuries-old security practice, starting with deep cultural change within their business. Banks are incubating security start-ups in cities from Vilnius to Vienna, and we believe that this radical thinking is desperately needed in every industry. From new multi-factor authentication to quantum-computing encryption, we believe the key to a secure future is a complete reassessment and overhaul of security systems that are no longer fit for purpose.
Want to learn more?
Join one of Decoded’s Hacker_in_a_Day sessions
Sources
The 2014 Identity Fraud Study (Javelin Strategy and Research, 2014)
PIN analysis (Data Genetics, 2012)
Two Dudes Prove How Easy It Is to Hack ATMs for Free Cash (Wired, 2014)
Interview with Gary McKinnon (Wired, 2006)
Over 150 Million Breached Records from Adobe Hack Surface (The Verge, 2013)
UK adults taking online password security risks (Ofcom, 2013)
Barclays taps vein biometrics in bank fraud fight (Reuters, 2014)