The Password Hole in the Cyber Bag

As more and more data breaches are exposed by the media, the importance of data privacy and security comes to the forefront. The focus has shifted to having a foolproof digital identity which can reduce personal data stealing / hacking. If the passwords are not protected, then passwords are the weakest link in a digital identity system. Can we afford to lose our precious data in the cyber world through the password 'hole'? Or may we try to find better password systems which are less prone to forgetting / losing / stealing / hacking?

Password is indispensable in this computer driven networked world

Everybody would agree that our online lives heavily depend on passwords. We need passwords to log in to our computers. We need passwords to secure our mobile devices. We need passwords to log in to our social media accounts. We need passwords to carry out banking and credit card transactions. We need passwords to access email accounts. We need passwords to log in to the corporate world, as employees, as employers or as administrators. Passwords are really the most indispensable secrets we need to protect in the technology driven digital world.

Text passwords are mostly used for all services and governance

Text passwords are the most used secret codes in login credentials. More complex and longer text passwords are better. But complex and longer text passwords are difficult to memorize. Keeping the passwords written on some pieces of paper or in an electronic document is not advisable, because written passwords may be leaked or stolen.

Two factor authentication helps strengthen the password system

Double or multi-layer security has become common. In addition to an ID and a password, users also get a PIN or text phrase on their mobile phones through SMS. This helps to strengthen digital security. Banks issue debit and credit cards to their customers, which provide the user with a set pass code and a PIN through SMS to enter when processing transactions online. However, two factor authentication can't reduce the risk of passwords leaking / hacking / forgetting.

Text passwords are often hacked even from protected systems

Text passwords are often stolen / hacked by cyber criminals. Passwords may be stolen from servers with weak administrative security. Passwords may be hacked from the history of the user login. Passwords may be hacked through phishing funnels. Passwords may be cracked using programmable guessing. Passwords may be hacked / changed by hacking / stealing the mobile phone linked to the account. Passwords may be stolen by creating a fake secure server or hiding under an HTTPS protocol. Thus, assuming that a secured server is safe may sometimes result in losing password credentials.

Now biometrics is poised to make an entry as a physical password

Digital identity researchers (including me) would say many words in support of biometrics. The convenience of using biometrics technology for authentication is an advantage. There is no need to remember the password. The person can bring his/her own biometrics password with himself/herself. Physical biometrics, such as face, fingerprint, iris, palm vein pattern, etc., are commonly used. Physiological biometrics, such as behavioral patterns, voice, heartbeat patterns and brainwaves, are also being tested. Although biometrics technology is not one hundred percent reliable, governments and service industries are poised to shift towards adopting biometrics for authentication and identification.

Password-less and biometrics-only login are questionable

The password-less or password-free login is convenient. That is the main reason biometrics-only login is proposed. But biometrics is not one hundred percent reliable. It produces false rejections / recognitions, which calls for a fallback authentication / identification mechanism. There are spoofing threats on face, fingerprints, iris, voice and palm vein patterns. Biometric databases, once stolen / leaked, are lost forever, because there is no way one can reset the biometrics of a human. Moreover, people with physical defects in biometrics-providing organs, such as defective hands or eyes, can't be denied services.

How to protect passwords from forgetting, stealing or hacking?

The question is how to protect passwords from forgetting, leaking, stealing and hacking. We are commonly used to resetting passwords and PINs from centralized systems. The password resetting facility may be utilized by cyber thieves to hack the passwords. Saving the password credentials on a mobile device, such as a mobile phone, could be a solution. But cyber criminals may steal the mobile devices and get the account access.

May visual or graphical image based password be a solution?

Non-text passwords are making an entry in login systems. Graphical image based passwords have the advantage that the users need not remember long and complex text phrases. Remembering picture passwords is easier. One can use photographs connected to memorable incidents which can be remembered spontaneously. Graphical passwords can't be hacked using programmed guessing.

Graphical passwords may be stolen by 'shouldering' attacks

'Shouldering' is a threat to visual or graphical passwords. Criminals may often steal views over the shoulder to get a glimpse of the graphics / images used as passwords. That is called the 'shouldering' threat to visual password security systems. 'Shouldering' is often accomplished by looking over the victim's shoulder or by looking from a longer distance using a pair of high power binoculars. Therefore, no password security system is one hundred percent foolproof. It is becoming a real challenge to safeguard passwords from hacking.

Password is a virtual hole that puts the cyber world under continuous threat

The inconvenient truth is that the passwords are the weakest links in most data breaches. If we can't develop a foolproof technique to strengthen the password security systems, then whatever we do or spend for data security and data privacy is practically useless.

So what is the solution for a reliable password security system?

Share your views about passwords. Are you happy with the current password systems? Do you wish to get something better? I would love to get your views and suggestions. If you like this article, please click "Like" or any other LinkedIn "reactions", and "Share" it among your acquaintances and network.

----------------------------------------


I am a researcher and academician of electronics and applied photonics. My current research focuses on Biometric Security and Privacy Protection. My friend Jose Munoz Mata and I are researching distributed ledger technology for decentralized biometrics and other real world applications.

In June 2015, Dr. Jeffrey Strickland and I founded a new LinkedIn Group called "The Unfluencers". To learn about the history of "The Unfluencers" please read the seminal LinkedIn article by Dr. Jeffrey Strickland entitled -- "Who are the Unfluencers". This group is an open group. You are welcome to join this group and engage yourself in the discussions. The Unfluencer Logo is a registered trademark of Dr. Jeffrey Strickland.

Text Copyright © 2019 Debesh Choudhury, All Rights Reserved


Hitoshi Kokumai

Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited

5 years ago

It might take some more years before Expanded Password System that we advocate becomes readily available to everyone on the globe. As a stopgap measure for security conscious people, I would like to suggest an 'improvised' two-factor authentication that everyone can deploy right now at no cost. Combine a 'remembered password' (what we know) and a 'memo with a long password written on it' (what we possess). That's all. The combined password sent out to the authentication server has a considerably high entropy that might well stand a rainbow attack and very fierce brute force attacks.

Joseph Pollock

Independent Writing and Editing Professional

5 years ago

I don't get why this is such a huge problem. I have a few hundred passwords. Almost all of them are random strings. I don't know most of them, but I use KeePassX (available on Android, Windows, and Linux). It has an autotype feature. Once I set it up with the window name, all I do is press a hotkey and my password gets typed for me with whatever other keystrokes I need. It doesn't get it right 100% of the time, so sometimes I have to get the passwords from the password manager manually. It's a little bit of work to set up and maintain, but it's easy to use.

Debesh Choudhury, PhD

Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Digital Identity, Biometrics Limit, 3D Education | Linux Trainer | Writer | Podcast Host

5 years ago

Which password 'hole' is less vulnerable to hacking?

Sekar Sethuraman

Security Assessments of Offshore sites | Security Education & Training

5 years ago

Great share.

Hitoshi Kokumai

Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited

5 years ago

Conventional password systems are indeed hard to manage, but secret credentials are absolutely necessary for identity authentication in democratic societies; we would see a 1984-like dystopia if our authentication were completed without our will/volition confirmed. That is why we advocate "Expanded Password System", outline of which was recently published on EDPACS (EDP Audit, Control and Security Newsletter) of Taylor & Francis - https://www.dhirubhai.net/pulse/publication-edpacs-taylor-francis-hitoshi-kokumai/ Incidentally, one of the most serious threats to passwords is lack of entropy. Even when hashed, low-entropy passwords get easily deciphered by a rainbow table attack. However, passwords of sufficient entropy, if properly hashed, can stand very fierce brute force attacks. It is not difficult to solve this problem with Expanded Password System with which both images and characters are represented by any high-entropy data. Threats of shoulder surfing can be easily mitigated by some simple techniques such as shrinking the images prior to tapping, allocating texts to images and so on, with the simplest solution being just looking around you before tapping the images.
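
The entropy and hashing points raised in the comments above, and the article's remark that longer and more complex text passwords are better, worked through as an added Python example that is not part of the original article or its comments. It assumes every character is chosen uniformly at random (human-chosen passwords are not, so the figures are upper bounds); the lengths, alphabets, sample password and PBKDF2 iteration count are illustrative assumptions.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits when each character is drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def combined_bits(parts) -> float:
    """Independent random parts concatenated: their entropies add."""
    return sum(random_password_bits(n, a) for n, a in parts)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per record means a table
    precomputed for unsalted hashes no longer matches; the iteration count
    makes every offline guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


if __name__ == "__main__":
    # Constructed sample sizes: 8 lowercase letters remembered,
    # 20 alphanumeric characters written on a memo.
    remembered, memo = (8, 26), (20, 62)
    print(f"remembered only: {random_password_bits(*remembered):.1f} bits")
    print(f"combined:        {combined_bits([remembered, memo]):.1f} bits")
    salt1, d1 = hash_password("constructed-sample-password")
    salt2, d2 = hash_password("constructed-sample-password")
    print("same password, different stored hashes:", d1 != d2)
    print("verifies:", verify_password("constructed-sample-password", salt1, d1))
```

The server stores the salt next to the digest; the salt is not secret, its job is to make each stored hash unique so that precomputation cannot be reused across accounts.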
