Safety in Numbers? The future of the password
Well, with the hacking of Adobe, former News of the World editors on trial for phone hacking and further revelations about the activities of security services like the NSA, passwords are firmly back in the news. From four-figure PINs to the complex alphanumerics used to safeguard bank accounts and e-mails, passwords have become closer to us than the phone numbers of our closest friends; but in this increasingly tech-governed world, how safe are these verbal keys if even hacking collectives like Anonymous can have their Twitter feeds hacked?
The Sad Truth
The sad truth is that with enough time and effort almost any technical system can be hacked or cracked by a determined opponent. Much like securing your home: locks, an alarm and attentive neighbours are helpful, but if someone comes at your front door with a tank you are likely to be in trouble. The almost daily updates to anti-virus programmes, and spam folders full of links to attack sites looking to trick the unwary, are testament to the constant and colourful amount of malware looking to eat, intercept or enslave our electronic lives. The worse truth is that many of us are not doing our security any favours. The BBC published an article earlier this week revealing the top 20 passwords chosen by the recently hacked Adobe users, and it was scary reading to say the least; and with listeners to the BBC’s Invalid Password programme, with Tim Samuels, hearing how simple passwords can be defeated in seconds, what is the answer? Should we start worrying about having to get eye scans, microchips or barcode tattoos?
In my opinion, no. There are plenty of examples of fingerprints being captured, high-resolution images being used to spoof facial scans, or iris scanners not working at airports, enough to make true biometric protection something that may not be the best option. The Invalid Password show had some anecdotal examples, and another recent example has to be Apple’s release of a much vaunted new fingerprint protection system for the new iPhone 5, which was cracked shortly after release. With new technology seemingly doomed to fail and passwords like 12345678 in common usage, are the technological masses doomed?
Are we Doomed?
Maybe, but not today. As I mentioned at the beginning, the simple truth is that any system is vulnerable and with enough dedicated effort can be cracked. The world of corporate data security is big business and a constant battle between black and white hats, fought with careful monitoring, regular updates and the back and forth of ever-changing technology.
However, much like getting locks on your doors and a burglar alarm, there are things you can do to make identity theft and hacking a lot less likely. For starters, most people know, in the world of social media, to only put information online that you are happy with other people having. In terms of e-commerce, just as in the days before the internet, people with access to your details could try to charge something to your account, so it’s best to trade with people with a good reputation, and remembering to check your bank statements on a regular basis may well stand you in good stead.
A commonly held belief is that, due to their simplicity and the relative security they provide, passwords are unlikely to disappear anytime soon. However, there are things you can do to make yourself less likely to be a victim. Most hacking that your average Joe is likely to be a victim of will come from one of a few sources:
- Human intelligence. Basically, you gave someone your password, or the ability to access or guess your password. This is pretty common in online games: someone pretending to be a member of staff asks you for your password, or access is given to an account for power levelling etc. In the real world this is why it pays to cover your PIN and shred bank statements.
- Spam e-mails and attack sites. This is why it pays to ignore unsolicited e-mails and keep your anti-virus software up to date. Attack sites are not just places on the dodgy side of the internet; legitimate sites can find themselves inadvertently hosting malware. Scan your PC regularly to make sure you’ve not been dragged into being part of a botnet.
- Chance encounters. Hackers, or more often software written by a hacker, may try to pry their way into an e-mail account, or will look out for a PC with open ports that they can drop into. This is where password security will do you the most favours.
So what can you do?
XKCD.com once again puts the debate remarkably succinctly: we pick passwords that are easy for computers to crack but difficult for us to remember. But there are things that we can do.
- Update your passwords regularly
- Don’t reuse a password
- Don’t tell people your password
- Use a strong password
What is a strong password?
The sites with ‘strength bars’ to help assess the strength of a password are all too common, and according to the experts all too flawed. This is due, in part, to the need for better password hashing on the server side and the habit of users choosing passwords based on real words, making them incredibly vulnerable to dictionary matching, at which point the pure length of a password is not going to help. As mentioned above, the most common causes of someone else having unauthorised access to a system are someone giving them a password (intentionally or unintentionally), downloading malware through spam e-mail or attack sites, or a program cracking a weak password. It is important to remember that it is a program trying to guess your password, capable of thousands of guesses a second, not an individual hacker sat at a keyboard. So 1337 speak, common misspellings or letter substitutions will not help you.
So less with the scary and more with the answers.
Currently there are two schools of thought on the best way to draft a strong password that’s easy to remember. The first, as detailed in the XKCD panel above, is to select four random words that you can use to create a vivid image in your head. A copy of Webster’s, the Concise OED or a Scrabble dictionary and some dice may create some wonderful combinations and improve your Boggle scores. This technique, while certainly more secure than most, has been criticised as it could still be vulnerable to dictionary attacks.
The second alternative is to pick favourite phrases, song lyrics, movie quotes etc. as handy mnemonics. For example:
Momma, just killed a man. Put a gun against his head, Pulled my trigger, now he’s dead.
becomes
MjkamPagahhPmtnhd
Perhaps the strongest so far, and relatively immune to dictionary matching; but security is big business, and groups like Google, Mozilla and others are looking at possible alternatives.
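To put rough numbers on the two techniques above, here is an added example (my own, not from the XKCD panel or the BBC programme). It rolls "software dice" against a word list, reproduces the lyric mnemonic, and works out how long a program making the 1000 guesses a second mentioned earlier would need to try every possibility. The 7776-word list size is the standard Diceware convention (five dice, six faces each); the 12-word list is a constructed stand-in for a real dictionary.

```python
import math
import secrets

# Constructed sample list. A real Diceware list has 6**5 = 7776 words,
# one per roll of five dice; this dozen is for illustration only.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "lemon",
                "marble", "violin", "harbour", "pencil", "tundra", "walnut"]
DICEWARE_LIST_SIZE = 6 ** 5   # assumed size of a standard Diceware list


def pick_words(word_list, count=4):
    """Software dice: `count` uniform picks from the list via the CSPRNG
    in `secrets` (never `random`, whose output is predictable)."""
    return [secrets.choice(word_list) for _ in range(count)]


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def mnemonic_from_phrase(phrase):
    """First letter of each word, keeping the original capitalisation
    (the article's 'Momma, just killed a man...' example)."""
    return "".join(w[0] for w in phrase.split() if w[0].isalpha())


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst case for the attacker: time to try every possibility."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    print("passphrase:", " ".join(pick_words(SAMPLE_WORDS)))
    for label, bits in [
        ("4 words, 12-word sample list", entropy_bits(len(SAMPLE_WORDS), 4)),
        ("4 words, 7776-word Diceware list", entropy_bits(DICEWARE_LIST_SIZE, 4)),
        # Upper bound only: a famous lyric is far more guessable than 52**17
        # random letters, which is why the mnemonic's real strength is lower.
        ("17 mixed-case letters, blind brute force", entropy_bits(52, 17)),
    ]:
        years = seconds_to_exhaust(bits, 1000) / (365.25 * 24 * 3600)
        print(f"{label}: {bits:5.1f} bits, {years:.3g} years at 1000 guesses/s")
    lyric = ("Momma, just killed a man. Put a gun against his head, "
             "Pulled my trigger, now he's dead.")
    print("mnemonic:", mnemonic_from_phrase(lyric))
```

The contrast between the 12-word and 7776-word lists shows why the size of the dictionary, not just the number of words, decides whether a passphrase survives a dictionary attack.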
What does the future hold?
Some systems have already taken steps, from the little code machines for online banking transactions to the unrecognised-PC-or-IP and SMS confirmations you can now commonly see on Facebook and Gmail accounts.
But the eternal debate in security is the balance between keeping what you want safe versus some level of convenience. Mozilla’s Persona system looks to give you some peace of mind and convenience by giving you more control over what information is handled how and where, through a system linked to one e-mail account.
Another alternative comes in the form of the Yubico login devices, which you carry with you and have to plug into the USB port of your PC in order to access your files. A system like that means you have to worry about losing a little fob, or the risks around losing your online key or smartphone, but it should make you far safer from attacks online. Whatever the future holds, this is not a conversation that will likely end anytime soon.
But remember to keep it secret and keep it safe.
Tinfoil Hat?
The intention of this article has been to inform and hopefully entertain.
Much like everyday life, where people get hit by cars and get mugged, surfing the world wide web has its risks, and while the worst that going on Facebook, having an e-mail account or using Amazon will generally bring is a bit of abuse from a troll, identity theft and hacking are real, and if you don’t care about your password you are at risk.
Of course, if you really are looking for a modern and fashionable tinfoil hat, you could do worse than Adam Harvey’s range of privacy-inspired fashions.
Other interesting articles:
- Wired Opinion on the state of the net and hacking
- BBC advice on password risks & protecting yourself
- Ars Technica on how hackers work