It’s time to kill the password

Teksquisite, Security Technology Editor
It’s 2016. Password authentication should be dead, or at least close to dying. Unfortunately, it has not yet reached the Quagga stage. Using password authentication is like laundering hotel guest linens with a washboard: it’s passé.
Over the past few years there has been a never-ending deluge of data dumps. Though I’ve never had a business email address compromised, my favorite Gmail account joined the inner sanctum of “';--have i been pwned?” in late 2013. This hack was courtesy of the huge Adobe data breach that slapped down 153 million pwned accounts, consisting of internal IDs, usernames, email addresses, encrypted passwords (not properly hashed and salted), and plain-text password hints.

Four months later, in February 2014, the same Gmail address was compromised again at the Forbes website, when hacktivists from the Syrian Electronic Army compromised a Forbes WordPress admin account. The attack garnered usernames, email addresses, passwords, and user website URLs.

Your ISP is not immune from hackers either. In January, Time Warner Cable (TWC) suffered a data breach that may have affected up to 320,000 customers' email addresses and passwords. TalkTalk, a UK Internet service provider, was hacked three times in 2015 alone; the last hack nabbed 1.2 million email addresses.

The Linux Mint hack from last month netted another data dump that included email addresses, encrypted passwords, and personal information; shortly thereafter, the entire database was available on the Darknet for 0.1949 BTC ($85 USD).

I think most of us can agree that the average Joe has minimal control over database security when registering an account at these sites. When we fill out registration information, create a password, populate our profile, and engage on these websites, security always sits on the chopping block. Aside from a few clues in site policies, we really don’t know whether the website is run by a neophyte or a security pundit.

Kill the password

SplashData’s fifth annual “Worst Passwords of 2015” list reveals that users are still putting their data and themselves at risk by using weak and easily guessed passwords.

Default passwords, never-changed passwords, shared passwords, and weak passwords will continue to haunt the threat landscape. Simple password authentication is not cutting it anymore. Data breaches are all too common now. The hackers get it; why don’t we?



For the most part, we prefer to continue relying on plain passwords for our online accounts. In light of the continuing rise of data breaches and identity fraud cases, tech firms are addressing this issue in earnest, and are focusing on ways to strengthen and facilitate the password paradigm, or to have it replaced altogether. — Ben Dickson, TechCrunch

The W3C is also working on ways to authenticate without a password. Under its Web Authentication Working Group Charter, W3C wants to solve the password authentication problem by creating a client-side (browser) API that lets a service use a pair of authentication keys to prove who you are, based on the device trying to log in.

Matthew Warren, Professor of Information Systems at Deakin University, stated in a recent Sydney Morning Herald article: “Within the next decade, either passwords will not exist, or will be used with other forms of identification. Certainly the days of using passwords as the only single form of identification are numbered.”

With data breaches escalating, let’s hope that tech firms replace the washboards soon.


This post originally appeared at the Fortscale Insider Blog.



Comments (6)

Teksquisite, Security Technology Editor

Author

Commented:
I use LastPass also, but even password managers can be vulnerable. I am hoping that an alternative comes along soon. I appreciate your insight bodywise :)
Jaime Lewis, Marketing Account Manager

Commented:
I just saw this article about Amazon implementing a photo/video password system. Pretty interesting stuff! It figures that an eCommerce site would be leading the internet security charge...
http://www.geekwire.com/2016/selfie-spending-amazon-wants-patent-purchasing-photo/
Brian Matis, Product Manager

Commented:
I hear ya! I hate passwords. I hate them so much. I hate them with the burning passion of a thousand suns. I'd use stronger phrasing, but I'm trying not to swear ;-)

I've seriously had panic attacks about passwords. I mean, they certainly made sense long ago, back when it was possible to count the number of systems you'd need them for on one hand, but now, it's absurd how many systems we need to login to on any given day and passwords are just a broken system for that sort of thing.

Just to count a few issues:
- I like Safari's built-in password generator system, but that doesn't help when I'm on my Windows system
- And what about mobile apps that need to login? Do any password systems like LastPass easily work with those?
- Every site seems to have its own special password restrictions, so as soon as you make up a decent method of creating unique passwords for each one, it inevitably won't work somewhere (what do you mean I can't use a dollar symbol!!? arghh!!!)
William Nettmann, PHP Web Developer

Commented:
The Quagga is on its way back - maybe the password will survive as well!
Teksquisite, Security Technology Editor

Author

Commented:
Thank you all for your comments = passwords must die!
