“You’re password will expire in 5 days. Would you like to change it now?"
Sound familiar? This annoying practice, which inevitably results in you simply incrementing the number at the end of your current password by one, really was meant to bolster security. The thing is passwords are really not the most effective way of securing data. Despite the fact that they seem a corner stone to the current security models, there really are much better solutions. Perhaps the way we understand security needs to change.
The problem begins with the fact that a human have to remember these passwords. This leads to passwords that are not secure, random, lengthy, or difficult to crack at all. Then there’s the presumption that your password is secret, and that it somehow confirms your identity. The whole point of security though is to establish identity, to shake hands. When you speak to someone in confidence there is a trust because you know whom you are speaking to. On the Internet it’s difficult for us, and the servers, to confirm with whom the data is flowing between.
Enter the world of Two-Factor Authentication. First making its appearance in corporate remote computing, then in increasingly difficult to secure Massively Multiplayer Online Games (MMOs), adds an extra step. When logging in, you need both your password, and a number - which is only valid for a minute or so. First there were key fobs, now most have applications for your smartphones. Those text messages that you get from your bank are a similar implementation of this model. Would be attackers will have a tough time even with the simplest of passwords with this additional layer of security. It’s far more unlikely that the same person with malicious intent, and skill, to gather your password, also happens to be able to lift your phone from you while you’re out on the town.
Two-Factor Authentication is no longer just for those wishing to thwart Chinese gold farmers on World of Warcraft (WOW), or corporate espionage. Google implemented Two-Factor Authentication a number of years ago, complete with both the text message solution, mobile apps for both Android and iOS, and backup codes for you to stash at home in case your phone is lost or stolen. I strongly encourage you to turn this on1! It’s requires a little bit of effort, but secures what is easily one of the most crucial parts of your personal data – your e-mail. If someone can gain access to your e-mail it’s literally a Pandora’s box… The ability to reset all of your passwords is just the start. In most cases all someone would need is access to your e-mail and the ability to answer some simple questions (using information which is most likely publicly available) to change your password and lock you out of your online world, with very real world complications.
Yet another piece of the puzzle are those ‘security’ questions we just talked about. Answering, “What is your mother’s maiden name?” may be the easiest way to get to the continue button, but it’s also the easiest way for someone with nefarious intent to gain access. There are many strategies for making these answers more secure, though I must admit these schemes seem a bit hard to adhere to, and leave one scared that they will be locked out of their account.
I’ve made several mentions of Blizzard’s security protocols and that is because they are presented with a very serious security problem. Play them or not, their massively multiplayer games are an important part of many peoples lives. So important in fact, it is a lucrative business for many oversees hackers to exploit customers’ accounts and sell them for real money. When someone has spent years building his or her account and then it is stolen and sold the highest bidder, people get upset. Aside from the authenticator and text messages, if you loose access to your account somehow, you will be sending blizzard your drivers license and various other information to confirm your identity before they let you back in. This is a painful, yet important piece of the puzzle. Resetting your password is often the weakest link in the chain. Don’t take my word for it, check out the eye opening hack of Matt Honan of Wired.
What’s the solution?
Well, for one, make every password you have completely unique, as long, complex, and random as possible… but how does that work when you have 100 different accounts? I’ve been using a solution called 1Password for a number of years. You can store your passwords all in one place, along with various other login information, secure notes, and personal data, using one overriding password. 1Password has the ability to store this in the cloud via an encrypted file, and has plugins for all the major browsers making it possible for you to have passwords so complex, even you don’t know them. This is a bit scary, I admit, but take the leap; your security is worth it. There are several alternatives of course, most notably LastPass – an open source solution with a very similar feature set. Each of these programs has generators to create completely unique and random passwords for you and recognize when you’re at a login screen, and fill in all the fields appropriately.
You’ve secured your passwords, enabled Two-factor Authentication wherever possible, what’s next? Encrypt your hard drive. OS X makes this incredibly simple. Just turn on File Vault, and if you’re worried about performance dings, don’t be. Especially with SSDs, it’s completely seamless. Many don’t realize how much is stored ‘in the clear’ on their hard drives. This becomes even more important for laptops, or any computer that is leaving your house. Unless your hard drive is encrypted, they won’t need to login to your computer to pull all your personal data off.
If you don’t have a password on your phone, or laptop you are insane - completely bonkers.
A password on your phone means, in most cases (e.g. iOS), that it is then encrypted. More importantly your phone has so much personal data, countless other accounts, not to mention unprotected access to your e-mail. Forget the time delay, make in instantly require a password! It may require a few extra milliseconds to respond to a text, but the security gains are far to great to ignore. Also, why people set their phone down without hitting the lock button is beyond me (I’m looking at you 40+ year old). The button is there for a reason; do yourself a favor and click it before you set it down or throw it in your purse. Your screen is the largest battery killer. I understand that it’s a bar phone, and you can’t flip it closed when you’re done, but the lock button performs the very same function. Press it. All the effort in the world wont make a bit of difference if they can just pick up your phone and take over your life.
All of the above are good solutions, but they certainly add an extra layer that most people fail to see the importance of. The trick is to make security easy. Consumers are inherently lazy, they don’t want another road block between them and what they want to get done. This is why Apple’s new iPhone 5s and its ﬁngerprint identity sensor is so important. Sure the tech has been around for a long time – I remember visiting the tanner and using my fingerprint back in ‘05, but making it easy to identify that you are who you say you are is a game changer. Especially because of the reach of their iPhones, Apple has the critical mass to make it work.
I hope it takes off. I hope an API is released allowing you to authenticate with all of your apps using the touch of your finger. Fingerprints are a fairly good biometric, worse than DNA, better than hand geometry. Biometrics are really just a more natural form of Two-Factor Authentication – no random number generator required.
The real solution would seem to be some encrypted key that is stored in your body; similar to PGP, but a biotech implementation. Forget wearable, I want implantable! Frankly, the lack of progress on that front is disappointing to me. Much like self driving cars, I fear the ‘creepy’ factor gets in the way of true innovation, simply because we’re not willing to think about things differently.
Things are getting better though. One of the most basic problems in security is obtaining a truly random number (the basis of all encryption schemes) – which is a surprisingly difficult task. Though quantum computing may seem like science fiction, Intel is now shipping a new, processor level, random number generator that your computer can call. It takes advantage of the on processor entropy source… Yes, I am talking about that shifty concept you learned about in physics. Essentially, we’re talking about the random emission of electrons, that the processor usually ignores, being used to generate random numbers at blazing fast speeds.
I’m still waiting for the stuff of science fiction to materialize. Considering that computers were invented inside the lifetime of some of societies’ oldest members, it’s difficult to speculate on where we’ll be in 50 years.