Is the password system broken?
Large data breaches in recent years have lead to millions of accounts being hacked and personal information being shared (take a look at World’s Biggest Data Breaches for a visual representation): the Yahoo! hack in 2013 resulted in more than one billion user account credentials being stolen.
Often, compromised security and theft of username and password information can lead to more than just one of your online accounts being compromised. Matt Honan has written at length about his experience of being “epically hacked”, where in the space of an hour his Google account was deleted, his Twitter account taken over and his AppleID account broken into, resulting in the data being deleted from his iPhone, iPad and MacBook.
Hackers will often exploit weaknesses in security systems to access information. For example, in the iCloud leak of celebrity photos in 2014, hackers may have taken advantage of a flaw in the application interface which permitted unlimited attempts to guess passwords. Could companies do more, then, to protect our information?
Encryption and adding layers of security to applications can obviously help, but the major flaws undermining everything else are the limitations of human memory, our collective lack of understanding regarding what factors make a password secure, and our lack of patience. More often than not, though, as Tom Smith said at the start of this activity, we will give our information away through phishing emails and poor personal information security like using the same weak password for every account. We might try to come up with more, but, in our modern, busy lives, who of us can remember a hundred and one different and adequately complex passwords?
Even those of us who should or do have a high level of awareness and understanding of information security will still fall prey to laziness. I’m currently trying to use two-step authentication to keep my accounts more secure, but I hate it when I have gone to deliver a workshop and then realise I have forgotten to pick up my phone from my desk, so I then need to head back to the office to collect it in order that I can receive the text message containing the additional one-use code that I need to employ to access my account. It’s times like this that there is a very compelling temptation to switch the two-step authentication off!
The current password system relies too much on our memory and our patience; and on the everyday person who isn’t trained to think about information security all day. We might therefore say that the current passwords system is broken.
So how are hackers exploiting security flaws and human errors?
You may be surprised to hear that hackers aren’t necessary using complicated coding to hack into account. Yes, sometimes large scale attack will take place using programs to attack security flaws, but often passwords can be guessed through social engineering: using the information you share online. For some stark examples, take a look at this article by Kevin Roose where he exploits the digital literacies of hackers to highlight security risks (the kind of thing we saw Darren Reed talking about earlier this week).
Norton provide some useful information about the different ways that hackers hack into your passwords, summarised below:
Social engineering: the use of information lifted from your social media to gather answers to your security questions… things like, the school you went to, your pet’s name, when you got married, when it’s your birthday, your favourite band… Hackers can gain access to all this information and use it to answer your security questions and guess your passwords.
Dictionary attacks: using programs that cycle through a predetermined list of common words often used in passwords. If you are using Password1 as the password for your account then what did you think was going to happen?! To better protect your accounts from dictionary attacks, avoid using common words and phrases in your passwords, or avoid recognisable words altogether.
Password crackers: programs used to crack passwords by brute force, repeatedly trying millions of combinations of characters, until your password is detected. Shorter and less complex passwords are quicker to guess for the program. Longer, more complicated passwords take exponentially longer to guess, so the longer and weirder the better!
But if we’re creating lengthy and complex passwords, how can we hope to remember them? Mnemonics can only get us so far. We could potentially use some form of encrypted password management software, but vulnerabilities apply there too: guessing one password will give the hacker access to all of your passwords! Still, it should be more secure than using the same password(s) for everything, because there’s only a single point of failure (the password manager) rather than multiple points of failure (every account you own). Whatever method you choose to use, a set of complicated but securely stored passwords should be far more secure than several easily memorable passwords, if only because they’ll be considerably less guessable.
© University of York (author: Susan Halfpenny)