What’s Up With Passwords Anyway?

Wouldn’t you think that by now we would have had it with passwords? I mean, come on man, how many hacks does it take to unscrew a light bulb? Or, whatever.

I mean this dog don’t hunt anymore, do he? Why is this form of protection still the way that we keep our online lives safe? The answer must be that users don’t practice safe sex (oops – I mean safe Internet techniques), and privacy breaches don’t immediately or necessarily, and sometimes never, affect profits.

If you just go back a few months, there was the Adobe hack in October that nailed more than 150 million customers, followed by the Target breach that sucked up information on more than 70 million customers, followed by Sears, Neiman Marcus, Michaels, and then the dreaded Heartbleed SSL discovery that left passwords vulnerable to hackers for more than two years. The most recent hit was eBay, which now says more than 145 million customers must change their passwords to prevent further craziness. This is starting to resemble Congress, whom everyone (90%) hates, yet no one seems to know what to do about it. At least Congress doesn’t make you change your effing passwords every other week.

Where did all this start? MIT. 1962. And even then, in July of that year a bug was discovered that was revealing a list of everyone’s passwords whenever anyone logged onto their TX-2 computer. An early “work-around” resulted in a researcher who wanted more time on the SAGE system printing a list of all the passwords (which were stored in a shared database) and then logging in as a different user each time. In a case of the original disgruntled computer lab employee, a researcher used the password list to leave anonymous “taunting messages” behind for a lab director he didn’t like. 1962. What a year.

Since I am from that period myself and was writing machine language for IBM as a summer intern, I remember most software engineers from that era knew that a knowledge-based authentication system would have been much smarter – something along the lines of asking a father’s middle name or the birthday of a sibling, but that would have required storing a lot of information about a person, and in the days of the IBM 1401 with 4K of RAM, nobody seriously thought about using cycles for this authentication nonsense. I mean after all, there were only like 57 people in the whole world who were actually using computers back then anyway. Yes, Virginia, I said 4K – no typo.

But it is not just a problem that the password is the only 50-year-old computer technology still in use today; it seems that Internet users’ attitudes toward passwords are also 50 years old. I mean, after the relentless press coverage and the constant ya-da-ya-da from security experts over the last few months urging Internet users to change their passwords, you would think that somebody might have taken some of this to heart. But even following Heartbleed (delayed pun intended), which probably left more than two-thirds of the Internet susceptible to undetectable password breaches, only one third of Internet users said they had cancelled accounts or changed their passwords. Amazing!

Even today, SplashData’s annual survey of passwords found that the two most common passwords on the Internet remain “123456” and “password”. Seriously.

I just counted the sites for which I maintain my passwords – I have 19 – and the passwords are all different and hard to remember and really hard to predict or crack. Is it a pain in the ass? Royal.

Though, as an aside and for future consideration there is always Password Genie, LastPass, and Dashlane which are super secure password storage websites where you can keep hard-to-remember passwords mapped to all your sites, so you don’t have to bother.

But, I get it. Internet users don’t want to do the work and they can’t be trusted to protect their own data. Fine. But, wouldn’t you think that all this hacking and compromising would be bad for corporations? Bad for their stock prices? Bad for their images? And then, wouldn’t you think that these guys would take matters into their own hands? Surely they would. Right?

Huh. It seems not.

“While security experts, the news media, and actual eBay users may have all been alarmed, the stock investors weren’t,” writes Bloomberg Businessweek’s Eric Chemi in a recent column. “EBay’s stock finished trading virtually unchanged that day, dropping all of 8 pennies to $51.88. That’s been the trend among companies that have suffered cyber-attacks—the stock market practically ignores them. Consider Target and its own well-publicized data breach that happened back in December. Target’s stock didn’t really move at all.”

Mr. Chemi says the same thing happened to T.J. Maxx, Adobe, and JP Morgan after announcing that customer data had been compromised.

“These numbers suggest that investors just don’t care much about data breaches, while hackers are incentivized to keep trying to steal data,” Chemi adds. “Maybe that’s why these events will keep happening. History repeats itself.”

Regardless of Mr. Chemi’s laissez-faire outlook, the facts are that a data breach is costly and attacks are growing like wildfire. PricewaterhouseCoopers’s 2014 Global Economic Crime Survey found that over the last three years, 7 percent of US organizations lost more than $1 million each to cyber-crimes and 19 percent lost between $50,000 and $1 million. And those are only the ones who admitted it or actually knew they were hacked.

Well, it turns out that these companies and others have actually decided to do something about this after all. They have formed what is called the FIDO Alliance (https://fidoalliance.org/about), which is working to develop the next generation of successful authentication procedures and products. Members include Bank of America, BlackBerry, Google, Microsoft, Samsung, Netflix, and other big susceptible companies of that ilk. Their mission statement is:

The Mission of the FIDO Alliance is to change the nature of online authentication by:

  • Developing technical specifications that define an open, scalable, inter-operable set of mechanisms that reduce the reliance on passwords to authenticate users.
  • Operating industry programs to help ensure successful worldwide adoption of the Specifications.
  • Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.

Which is a far cry better than anything that has been attempted in the last 50 years. It of course warms my heart that their baseline is dual-factor authentication, a protocol we’ve been preaching for years.

They are also testing authentication measures such as the fingerprint sensor on iPhones and new Galaxy devices. PayPal recently started accepting fingerprint swiping payment authentication as an option. There is also experimentation with local device authentication (where users insert a USB dongle as authentication) and iris scanners.

And, no … I didn’t miss the irony that this dongle is a LaCie product.

In the real present world, however – the one we live in right now, the one where eBay has been hacked – the only thing you can really do to protect your data is to watch your bank accounts and be extra vigilant about phone and e-mail scams.

Oh, and yes, change your passwords.

If you have questions about passwords, dual-factor authentication, the eBay hack, or 1962, write to me at [email protected] and always keep smiling.

Tamara Thompson, M.A.

Emerita Vice President, Board Member at San Francisco Information Systems Security Association

10 years

Biometrics are the solution to passwords - your voice plus a pass phrase (two factor) or eye vein photo are the latest in identity management technology; because wherever you go, there you are! ;-)

Ronald Rebideau

Director of Technology at Amernet

10 years

I make my password 'incorrect' so I can be reminded.
