It’s 2016. Password authentication should be dead — or at least close to dying. Unfortunately, it has not yet reached the quagga stage (extinction). Using password authentication is like laundering hotel guest linens with a washboard: it’s passé.
Over the past few years, there has been a never-ending deluge of data dumps. Though I’ve never had a business email address compromised, my favorite Gmail account joined the inner sanctum of “';--have i been pwned?” in late 2013. This was courtesy of the huge Adobe data breach, which exposed 153 million pwned accounts consisting of internal IDs, usernames, email addresses, encrypted passwords (not properly hashed and salted), and plain text password hints.
Four months later, in February 2014, the same Gmail address was compromised again at the Forbes website when hacktivists from the Syrian Electronic Army took over a Forbes WordPress admin account. The attack garnered usernames, email addresses, passwords, and user website URLs.
Your ISP is not immune from hackers either. In January, Time Warner Cable (TWC) suffered a data breach that may have affected up to 320,000 customers' email addresses and passwords. TalkTalk, a UK Internet service provider, was hacked three times in 2015 alone; the last hack nabbed 1.2 million email addresses.
The Linux Mint hack from last month netted another data dump that included email addresses, encrypted passwords, and personal information; shortly thereafter, the entire database was available on the Darknet for 0.1949 BTC ($85 USD).
I think most of us can agree that the average Joe has minimal control over database security when registering an account at these sites. When we fill out registration information, create a password, populate our profile, and engage on these websites, security always sits on the chopping block. Aside from a few clues in site policies, we really don’t know whether the website is run by a neophyte or a security pundit.
Kill the password
SplashData’s fifth annual “Worst Passwords of 2015” list reveals that users are still putting their data and themselves at risk by using weak and easily guessed passwords.
Default passwords, passwords that are never changed, shared passwords, and weak passwords will continue to haunt the threat landscape. Simple password authentication is not cutting it anymore. Data breaches are all too common now. The hackers get it; why don’t we?
For the most part, we prefer to continue relying on plain passwords for our online accounts. In light of the continuing rise of data breaches and identity fraud cases, tech firms are addressing this issue in earnest, and are focusing on ways to strengthen and facilitate the password paradigm, or to have it replaced altogether. — Ben Dickson, TechCrunch
W3C is working on ways to authenticate without a password. Under its “Web Authentication Working Group Charter”, W3C wants to solve the password authentication problem by creating a client-side (browser) API that lets services use a pair of authentication keys to prove who you are based on the device trying to log in.
Matthew Warren, Professor of Information Systems at Deakin University, stated in a recent Sydney Morning Herald article: “Within the next decade, either passwords will not exist, or will be used with other forms of identification. Certainly the days of using passwords as the only single form of identification are numbered.”
With data breaches escalating, let’s hope that tech firms replace the washboards soon.