The Password is Dead…Long Live the Password…

November 23, 2012 | John P. | Comments (0)

Mat Honan, of Wired Magazine and Wired.com, wrote a landmark article on November 16, 2012 suggesting that passwords are obsolete as a means of protecting one’s accounts and identity on the Internet. To be fair, Mat Honan had his own accounts hacked earlier in 2012 and personally experienced what can happen to someone, including the frustrating attempts to regain control of one’s accounts. Honan pointed out a weakness in how some people manage their accounts: using one email address as a “universal username”, which creates “a single point of failure” that hackers can take advantage of. Previously, Honan had relayed his own experience with the takeover of his My Apple, Twitter, and Google/Gmail accounts, each with its own unique alphanumeric password but nonetheless linked to the others, thereby providing hackers with an entrance to all three accounts.

Since his own unfortunate experience, Mat Honan has researched online security and concluded that digital lives are too easy to break into, with the all-important password being the weak link. Knowledge of an individual’s background can help a hacker guess the answers to security questions, which provides a backdoor into someone’s account. Honan’s premise is that passwords were not a bad line of defence when they served a limited number of applications. However, even a strong password (a long or random character string, for example) does not offer sufficient protection by itself in our superconnected, cloud-based, computerized world. Passwords can also be obtained from a password dump and cracked with some effort, stolen through a keylogger, harvested by a phishing email purporting to come from a legitimate website and requesting login information, or reset by fooling an organization’s customer support department. Password reuse is a major problem, especially when a password obtained through one hack is then tried against a person’s other accounts.

In summary, Mat Honan recommended the following DO NOTs: do not reuse passwords; do not use a dictionary word as your password; do not use standard number substitutions, since sophisticated cracking tools know to look for this pattern; and do not use short passwords, but rather use the longest password possible. Honan also recommended the following DOs: enable two-factor (or two-step) verification whenever it is available; give bogus answers to security questions to throw off hackers; use opt-out features on websites to have billing and contact information removed; and use a secure, unique email address, with a username not related to one’s real name, for password recoveries only.
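To show concretely why two of those DO NOTs matter (dictionary words with “standard number substitutions”, and short passwords), here is an added example that is not part of the original post and not Mat Honan’s code. It is a toy rule-based cracker: a small wordlist is expanded with the usual letter-to-digit/symbol substitutions, case changes and common suffixes, and every guess is hashed and compared against a constructed “leaked” dump. The wordlist, substitution rules, suffixes, usernames and passwords in the dump are all made up for illustration, and the dump uses unsalted SHA-256 only to keep the example self-contained.

```python
"""Added example (not from the original post): a toy rule-based cracker.

It demonstrates that "p@ssw0rd"-style substitutions are just another
rule a cracking tool applies to a dictionary, and contrasts the size of
that rule space with the entropy of a long random string.
Everything below (wordlist, rules, suffixes, the "leaked" dump) is
constructed for illustration.
"""
import hashlib
import itertools
import math

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "welcome", "summer", "dragon", "monkey"]

# "Standard" substitutions a user might think are clever. Real cracking
# tools ship equivalents as built-in mangling rules.
LEET = {
    "a": ["a", "@", "4"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
}

# Suffixes people append to satisfy "must contain a digit/symbol" rules.
SUFFIXES = ["", "1", "123", "!", "2012"]


def sha256_hex(text):
    """Hex SHA-256 of a string (constructed stand-in for the site's hash)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def leet_variants(word):
    """Yield every combination of substitutions for `word`, including
    the unmodified word itself."""
    choices = [LEET.get(ch, [ch]) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist):
    """Yield the guesses a rule-based cracker derives from the wordlist:
    leet substitutions x case variants x common suffixes, de-duplicated."""
    seen = set()
    for word in wordlist:
        for variant in leet_variants(word.lower()):
            for cased in (variant, variant.capitalize(), variant.upper()):
                for suffix in SUFFIXES:
                    guess = cased + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def candidate_count(wordlist):
    """Total number of distinct guesses the rules produce."""
    return sum(1 for _ in candidates(wordlist))


def crack(dump, wordlist):
    """Return {username: recovered_password} for every hash in `dump`
    (a {username: sha256_hex} mapping) hit by the rule-based guesses."""
    by_hash = {}
    for user, digest in dump.items():
        by_hash.setdefault(digest, []).append(user)
    found = {}
    for guess in candidates(wordlist):
        digest = sha256_hex(guess)
        for user in by_hash.get(digest, []):
            found[user] = guess
    return found


def search_space_bits(charset_size, length):
    """Entropy in bits of a password chosen uniformly at random from
    `charset_size` symbols; each extra character adds log2(charset) bits."""
    return length * math.log2(charset_size)


# Constructed "leaked" dump: three users who followed the patterns the
# post warns against, and one with a long random string.
DUMP = {
    "alice": sha256_hex("P@ssw0rd123"),
    "bob": sha256_hex("Dr4g0n!"),
    "carol": sha256_hex("Summer2012"),
    "dave": sha256_hex("m7Q!xr2&Lp9#vTz4"),
}


if __name__ == "__main__":
    recovered = crack(DUMP, WORDLIST)
    print("guesses tried:", candidate_count(WORDLIST))
    for user in DUMP:
        print(f"{user}: {recovered.get(user, '<not recovered>')}")
    # Compare the size of the rule space with a random 16-character string.
    print("rule-space bits:", round(math.log2(candidate_count(WORDLIST)), 1))
    print("random 16 printable chars:", round(search_space_bits(95, 16), 1), "bits")
```

Running it recovers alice, bob and carol from a few thousand guesses and never reaches dave, whose 16 random printable characters sit in a space of roughly 105 bits. Tools such as hashcat and John the Ripper do exactly this with thousands of rules against wordlists of hundreds of millions of entries, which is why a substituted dictionary word is not materially stronger than the plain word, and why length and randomness, not clever spelling, are what cost the attacker.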

What do others have to say?

Around the time of Mat Honan’s hacking, Lisa Myers of Intego: The Mac Security Blog acknowledged the importance of having a strong password, but not as a security end in itself: one needs to know how to recover from a disastrous data loss event, how to protect oneself from such an attack in the future, and how likely such an attack is to happen to oneself. In addition to backing up data, Ms. Myers recommended that one should encrypt as much online data as possible; use two-factor authentication as much as possible; use an email address not known to others; and weigh the need for (as well as the benefits and risks of) linking various accounts.

Whitson Gordon and Melanie Pinola wrote on Lifehacker.com that what happened to Mat Honan was less hacking and more social engineering: customer support staff were manipulated using a limited amount of readily accessible information, such as an email address, a billing address, and the last four digits of a credit card number. Similarly, Gordon and Pinola recommended measures such as backing up data; improving password recovery options; enabling two-factor authentication; using strong but different passwords for each account; and auditing potentially insecure services and limiting their access to more secure accounts.

Mat Honan saw the future of online identity verification as multifaceted, with passwords playing a role but not the only role. Honan argued that real identity verification is the key, with a potential trade-off in privacy through the tracking of metrics and movements. On this key point, even some of Honan’s sympathizers disagreed with him, such as John Fontana of Identity Matters on zdnet.com. Fontana postulated that end users would be in control of their personal, identifiable attributes, which could be accessed or authorized by trusted sources as required.

The last chapter on the importance and use of passwords has by no means been written yet. What do you think about passwords and their role in protecting online accounts?

For your information, here is a list of other blog posts that might be of interest regarding passwords:

Norton Cybercrime Report 2012: Where Does Canada Fit In?

Microsoft is Replacing Hotmail: What is the Outlook for Gmail and Yahoo?

The Battle with Botnets Continues…

How Safe are Your Online Passwords?

Do you have a good password? (Part 1)

Facebook versus Ramnit Worm

Cyber Attacks and Shady Rats
