Kill the Password: Why a String of Characters Can't Protect Us Anymore (wired.com)
94 points by ldayley on Nov 15, 2012 | 116 comments



>This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address.

I simply don't believe this. Absent a keylogger or some massive security breach with Google themselves, I can't think of any way an attacker could get into my gmail account short of rubber-hosing.

The author hand-waves all of this by saying "let's say you're on AOL". Well, let's say I'm not. Let's say I have an account at Gmail with a > 20 character password and a > 20 character answer to the password reset question. If someone can break into that within a few minutes, they are severely undercharging at $4.


I agree that it's hyperbole, but there's one more factor to consider:

"The hackers persuaded Apple to reset my password by calling with details about my address and the last four digits of my credit card. Because I had designated my Apple mailbox as a backup address for my Gmail account, the hackers could reset that too, deleting my entire account—eight years’ worth of email and documents—in the process."

For anyone who had an email account prior to Gmail's launch in 2005, I'd wager there's an excellent chance that they initially linked their prior account to their Gmail account while signing up. In fact, reading this article has made me realize that I'm in the exact same boat; I still have my Gmail address linked to an ancient, dormant email account on a relatively insecure service (I trust them more than AOL, but not nearly as much as Google).


I'm lucky. My university deleted my old inbox ages ago!


Are you sure? Then they can create an exact copy of your university e-mail for another person.


You're an exception. Most people are not as well-protected. Being key-logged is not as unlikely as you seem to think; even if you're protected from all known attacks, new ones could result in your password being harvested along with thousands of other people's.

If you're the target of a directed attack, you have even more to worry about.


I take it you have also enabled 2-step verification [0]? That, combined with KeePass, gives me a huge amount of security.

[0]: http://support.google.com/accounts/bin/answer.py?hl=en&a...


No, because I don't like the idea of being dependent on some external factor to be able to access my email account. If there's an emergency and I find myself naked with my wallet and phone gone in the middle of a foreign country, I want to be able to access my emails.


You can (and should) use a list of one-time passwords that bypass the two-factor authentication. Google generates them for you, and you surely can memorize one for emergencies.


Your Gmail account is not necessary to retrieve your credit card, phone, and Social Security numbers. And finding someone's home address is trivial, usually for free.


Passwords are fine. The way we handle them causes the major leaks we're seeing.

For the record, I've had viruses and have been hacked in the past, but it never did any significant damage. Accounts are separated (unlike the writer of this article's), different services on my server are isolated as much as possible, I use a number of password levels, etc. The hacks were due to carelessness, something that can always happen accidentally. What should not occur is that you're completely fried when one account or one technology fails, like the writer of this article was (his twitter got hacked, all Apple devices were wiped).

What I think should happen is an improvement in terms of how we store passwords (for starters, don't write them down and put them next to your PC), how we enter passwords (keylogger vs. password manager hacked problem), how passwords are transferred, how passwords are handled on the server, and how we can do password-equivalent actions. By password-equivalent actions I mean anything that bypasses the need for the password, such as password resets.

When these things are improved, passwords are still perfectly fine in 2012. For high-risk systems such as banks you surely might want to use two-factor authentication, but generally a password should be fine - or at least an option for those who think they can keep it safe.


This comment reflects a lack of understanding of how non-IT folks deal with passwords. As the number of services we consume on the web has exponentially increased, the difficulty of remembering all those passwords has led the majority of us to keep 2 or 3 passwords for the whole lot, leading to what the author of the Wired article was guilty of.

That's not stupid; that's just how folks who have other stuff to worry about in their lives deal with a technology they hardly understand. Security frameworks even for banking systems primarily depend on passwords and little else. It's similar to "getting past the gatekeeper to the fort, and then having access to the Armory, Queen's Chamber and the Royal Safe". Access should not be granted because you could recite 10 characters in the right order. It should be granted after having fully understood the context of your attempt, the history of the account and the account holder, and doing KBA (knowledge-based auth) commensurate with the damage that could happen if the wrong person accessed that account.

Passwords should die a horrible death. They are a mere fallacy. An illusion of security.


> This comment reflects a lack of understanding of how non-IT folks deal with passwords.

If that is so relevant, we should also kill online (and offline) banking, selling used cars and insurance, etc. ... Because clueless people will get owned and scammed everywhere.

What the article neglects is pointing out the total failure of Amazon, AT&T and Apple to protect their customers. It's complete nonsense to allow identity theft on the basis of information that is easily obtainable (credit card and social security numbers - they've been exposed hundreds of times and are no secrets). Class action suits might fix that in the long run, but at least don't blame passwords when they weren't the weakest link.


"If that is so relevant, we should also kill..."

No, because although some people may get scammed, there is still massive overall benefit to those services.


Yes! This is the problem: most people are non-techies (believe it or not) and have one password: 123456. Passwords are a slight inconvenience to them, and that is why we have to design for the weakest link. The publicly available databases of passwords make them irrelevant for the vast majority of people.[1]

We are using the same method of authorization that was going on 1,000 years ago. "Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword, and would only allow a person or group to pass if they knew the password."[2]

This method has no context in a world bursting at the seams with sharing, connection and relevance. Who are you, where did you come from, who is with you, what is your purpose and how did you get here?

It should be contextual like: What is the speed of a swallow? (African or European?)[3]

[1] http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_...

[2] http://en.wikipedia.org/wiki/Password#Alternatives_to_passwo...

[3] http://www.youtube.com/watch?v=pWS8Mg-JWSg


"Passwords should die a horrible death. They are a mere fallacy. An illusion of security."

Wrong. Passwords have worked well for decades. They are, by far, the best balance between convenience and security. Service providers need to do a better job of taking into account other factors (IP addresses, cookies, recovery techniques) to mitigate breaches.


Yeah, right. However, the world in which we live is a bit more complicated than that.

Passwords are here to stay. They provide reasonable security.


"Passwords are here to stay. They provide reasonable security."

Words.

Since the premise of the article (and the person to which you've replied) is that your statement is false, you're going to need to provide more than the above to refute it.


This is EXACTLY what I had in mind when reading 'passwords should die a horrible death. They are a mere fallacy. An illusion of security.'

I did not make the irony clear, my fault.


Here is a good article discussing some of the tradeoffs with various password schemes, the fix is necessary but far from trivial.

http://css.csail.mit.edu/6.858/2012/readings/passwords.pdf


Passwords should die a horrible death. They are a mere fallacy. An illusion of security.

I'd bet that only a small fraction of a percent of accounts are hacked in a given year (by password or otherwise).

Though there's room for improvement, lets not pretend that currently popular security measures do nothing.


I agree with your core points: Passwords are not enough for accounts that need to be secure.

But one thing that a lot of this glosses over is that different accounts need different levels of protection. I really want things like my bank account to offer stronger protection than a password. On the other hand, for things like my hackernews account and my dragongoserver account they are probably plenty, and it's not worth additional inconvenience to have more.

It would be like saying your average bike chains are dead because they can be defeated by bolt cutters. Bike chains are plenty of protection for an average bicycle, but I want something more protecting a safe deposit box.


> that's just how folks who have other stuff to worry about in their lives deal with a technology they hardly understand

If they have 'other stuff', why do they spend so much time posting about memes, or TV shows, or other meaningless stuff?

When I was in high school only nerds would know what a hard drive is, or what an email address is. Now everyone seems to know something about computers; everyone has emails and twitters and other things (even if they don't know what an MFM encoding is).

The same can be true for password security.

Honestly, computer security is important, and therefore should NEVER be dismissed with the 'other stuff to worry' hand-wave. If someone doesn't know about it, they should learn.

If passwords are to be changed for a better technology, nothing changes about my point: people should learn to use it correctly, whatever that is.


> What I think should happen is an improvement in terms of how we store passwords (for starters, don't write them down and put them next to your PC),

Actually, given today's attack vectors, this would be an improvement. Remote attackers have greater and greater ability to compromise an account, but if the "key" is physically hidden away then it becomes an unreachable needle in the massive haystack that is our physical world.

(I'm speaking theoretically, of course, this does nothing to protect the user from the kind of attacks that are most common: phishing and social engineering)

When the password is a sticky note next to your computer, then the most imminent risk is that the janitor or a coworker will filch it from you. Then have your password be something you put on a sticky note, save for a memorable number that you prepend to it (but not something too guessable, like your birthday). The chance that this acquaintance who goes snooping around your physical cubicle is going to also run a brute-force crack is pretty slim... because such a person will likely have an easier way to violate your privacy/thieve from you.


Saying that online viruses can be solved if everyone practices better password management is like saying that offline viruses can be solved if everyone practices better hygiene management.

It's a great idea in theory, but the execution is the trick.


Some comments on Wired are hilarious:

> Tired of hearing you cry about getting hacked dude. Get over it.

> This guy is the laughing stock of our organization, he's almost achieved meme status. This guy is a "technical" writer at Wired for God's sake. A magazine I've been reading since almost Issue 1.
>
> He comes off as if he's been traumatized by the experience, like he's survived some sort of violent crime. It's an insult and he just keeps milking this experience over and over again.
>
> I've been working in IT Security for almost a decade; his experience is trivial compared to some of the incidents I've worked and seen.
>
> Maybe he's just milking his tale as link bait, who knows, but I'm tired of hearing him whine.
>
> Grow a pair and move on.

> "Tech writers" that don't backup or protect their data obviously chose the wrong career. Honan is a bigger joke than Wired has become.


Losing every photo of your daughter from her birth to 18 months old is traumatizing. Yes, of course he should have backed it up. Of course it's less traumatizing than surviving a violent crime. It's still traumatizing.


These comments summarize my thoughts rather eloquently.

Clicked through to the article expecting something interesting, left almost immediately upon realizing it was just Mat Honan milking his hacking once again.


> My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked,

No, you had one 'robust' password, one good password, and one godawful password that you should feel bad about not securing better.

And then you linked all of the accounts together, basically putting all the keys to the kingdom in the weakest safe you had.

It was a poor decision, and has nothing to do with the strength of passwords as a data protection mechanism.


I seem to recall that Honan's accounts were hacked not because of his password strength, but because Amazon and Apple at the time had flawed password-recovery options that allowed an attacker to reset his password.


That is also my recollection of the event. Basically, the recovery process for one gave away the secret allowing resetting the password on the other one, something along those lines.


That and being able to add any credit card to an Amazon account with a little social engineering. That was rather important.


So this fluffy piece of linkbait is even less relevant?

Fantastic.


What does he mean by "the accounts were linked"? Does registering for Twitter with a Gmail email qualify as linking? How can a hacker get a password to my Gmail via hacking into my Twitter account; and most importantly, how do I "unlink" those two things? I'm missing something here...


He means that his gmail account was set up to mail a password reset link to a backup email account, which was in this case his apple mail account. After that, all his other accounts were reset by clicking on "forgot password" or the equivalent, which sent password resets to his apple or gmail account.


If the hacker can get your gmail password he can use the reset pass option for every service that you used gmail to sign up with.


Of course, but I'm talking about the opposite way - after all his strongest password was his Gmail password.

Some comments here seem to imply that having a strong Gmail password and having a weak Twitter (or whatever) password will somehow make it easier for a hacker to get into your other accounts. It all hangs around that word "linked" that I don't quite understand. But I see from other comments that the story is that the offenders went through Amazon to get someone's Apple password. That makes sense after reading the full story.


His weakest password was on his Apple account, which was his 'backup' email for his Gmail account. That link effectively made his 19 character Gmail password a moot point.
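The reset chain the replies above describe (Apple mailbox as Gmail's backup address, Gmail as the reset address for everything else) can be checked mechanically. The following is an added example, not code from the thread: it models reset links as a directed graph and computes which accounts fall when any one of them is taken over. The account names and links are constructed to mirror the chain discussed in the thread.

```python
"""Recovery-chain analysis: which accounts fall if one is compromised.

Models password-reset links as a directed graph.  An edge A -> B means
"a reset for B is delivered to A", so whoever controls A can take over B.
"""
from collections import deque

# Constructed sample, mirroring the chain described in the thread:
# card details obtained via Amazon were used to reset Apple, the Apple
# mailbox was Gmail's backup address, and Gmail was the reset address
# for the remaining accounts.  Names are illustrative only.
RESET_LINKS = {
    "amazon": ["apple"],
    "apple": ["gmail"],
    "gmail": ["twitter", "dropbox", "hn"],
    "twitter": [],
    "dropbox": [],
    "hn": [],
}


def blast_radius(links, start):
    """Return the set of *other* accounts an attacker holding `start` can reset.

    Breadth-first walk over the reset graph.  The `seen` set makes mutual
    backup addresses (A backs up B and B backs up A) terminate instead of
    looping forever.
    """
    seen = set()
    queue = deque([start])
    while queue:
        acct = queue.popleft()
        for nxt in links.get(acct, []):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def weakest_links(links):
    """Rank accounts by how many others fall with them, largest first.

    The top entry is where the strongest credential and MFA belong; a long
    Gmail password is moot if its backup address is the top entry.
    """
    return sorted(((len(blast_radius(links, a)), a) for a in links), reverse=True)


def recovery_roots(links):
    """Accounts that no other account can reset: the anchors of the chain."""
    targets = {t for outs in links.values() for t in outs}
    return sorted(a for a in links if a not in targets)


if __name__ == "__main__":
    for count, acct in weakest_links(RESET_LINKS):
        print(f"{acct:8s} takes down {count} other account(s): "
              f"{sorted(blast_radius(RESET_LINKS, acct))}")
    print("recovery roots:", recovery_roots(RESET_LINKS))
```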


> After watching lots of movies, many of us would like to think that a fingerprint reader or iris scanner could be what passwords used to be: a single-factor solution, an instant verification. But they both have two inherent problems. First, the infrastructure to support them doesn’t exist, a chicken-or-egg issue that almost always spells death for a new technology. Because fingerprint readers and iris scanners are expensive and buggy, no one uses them, and because no one uses them, they never become cheaper or better.

related: mythbusters hacking (a probably not that advanced) fingerprint protection http://www.youtube.com/watch?v=3Hji3kp_i9k

Today I've read one of the Polish banks is going to test out fingerprint ATMs. Not that I have amounts worth cutting my thumb off, but I wouldn't opt in for that.


'Vein readers, on the other hand, are fast and accurate. “Finger veins are also very difficult to steal,” Kitayama points out. Even if a thief were to hack off your hand to fool a vein scanner, he’d have to keep all the blood inside your severed appendage to make it work.'

http://spectrum.ieee.org/biomedical/imaging/the-biometric-wa...


> Not that I have amounts worth cutting my thumb off

Neither do I, but attackers don't know that.

On the other hand, cutting off someone's thumb is probably more effort than leading them up to an ATM at gun-point. I'd be more worried about spoofing the scanner itself.


They don't need to hack anything off--Silly Putty or Play-Doh can fool most fingerprint scanners.


Passwords should be a last resort.

Things like BrowserID/Persona are what web sites should be moving towards - verify my email address is real, don't ask me to manage a set of data to log in with.

Edit: Here's the kind of thing you can do without ever needing to go near passwords: https://github.com/wrr/wwwhisper#readme


Persona and BrowserID still rely on passwords at some point. I believe the currently most realistic alternative to passwords is time-based authentication with a personal device (i.e. a device you always keep with you, like your smartphone). My online banking provider does this as well and has abandoned passwords altogether.


Well, mine relies on password+Google Authenticator.

The point being that no new password comes into being, and I don't have to worry about yet another site having a password I have to manage.


I'm divided. Smartphones will probably always be much less secure than specially designed one time password provider hardware.

On the other hand, your smartphone can get more secure with updates, and your token provider will surely be much harder, if at all possible, to upgrade.

Anyway the point is moot, if such a scheme is ever viable (as in most people will have one and you can implement it in many websites without having to be a bank) it will be through smartphones.


I sort of think I want a dumb phone and tablet more than I want a smartphone. It would be nice if the tablet (or other nearby computers) could ask the dumb phone for authentication.

Not a solution for everybody, but it would be nice if it were at least a possibility.


With Persona you don't need site-specific passwords and you don't expose a password to sites that you are signing in to. This is a huge advantage over the popular one-password-per-site model.


Passwords in my eyes are all but useless.

The password requirements of my current company have got so insane now that an average human can't remember them and therefore has to write them down.

Defeating the point of having a secure password in the first place.


Companies are absolutely stupid about passwords. They usually have a rule that says 3 fails equals a locked account.... so one bad apple could use any computer in the company to literally lock every single employee out without knowing anyone's password.


The real solution here is a delegated authentication protocol like OpenID, BrowserID/Persona, OAuth, or Facebook Connect. Asking users to maintain 100+ strong passwords is ridiculous. Password agents like 1Password or LastPass work OK for now, but those agents become high value targets themselves and the core design is not very secure.

Delegated authentication designed from the beginning to be secure is the solution. And we've had technical implementations of that going back at least 10 years (Microsoft Password, client-side SSL, OpenID). The reason they haven't succeeded is a combination of product design and political problems.

Mozilla's BrowserID / Persona project is looking promising. Tim Bray at Google has also been talking about identity a lot lately, maybe Google will offer a solution too.


> they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

If having an Apple account gives that much control over your data, then that's your own fault for having one in the first place.


Yep. Geeks backup.


"My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters"

He lost me at seven.


But the problem was, as far as I remember, not the weakness of his passwords. Hell, the hackers didn't even try to brute force the keys; they just conned their way in. Time and again, the human factor proved to be the weakest link in the security.


Have you ever had to type that apple password in over and over again? Perhaps it's not robust, but that's Apple's "feature".


Most frustrating thing in the world.

My AppleID password is pretty secure (~25 characters, upper/lower case, alphanumeric, bunch of symbols, etc.) and having to type it in on an iPhone/iPad every time I want to download an app (even a free app, or updating an app I've already purchased) makes me want to cry.


I don't know what my Apple ID is, it's a random sequence of letters (of various casing), symbols and numbers. I have it stored in a different app, so every time apple asks me for it, I cancel the dialog, open that app, copy the password to clipboard, redo the action and paste. I can do it faster than I can explain how to do it.


Especially on a touchscreen keyboard, and/or when using a remote control to type it into an Apple TV etc.


My gmail password is close to 40 characters. It would be impossible to manage without KeePass. I just assume that any password you can recall from memory is not secure enough.


Ditto. I've switched to generating passwords that are as long as the site allows (well, up to 80 or so, with spaces and special characters and whatnot).

I think I'd rather stop reading FUD articles on Wired written by noobs, than give up passwords.


Good for you. But 99.9% of people are not as careful, and will never be. You can't change them. They will continue to use the same password of minimum allowed length for multiple sites, and store it in plain text on their desktop. The designers of technology need to be aware of how it is actually used by real people.


Around 20 characters using something like http://xkcd.com/936/ is both safe and reasonably easy to recall.


Unless you actually randomly select the words, I'm fairly sure that the analysis of strength of that strategy is flawed. And if you do randomly select the words, I'm not sure how easy they are to recall. And, I'm really skeptical how easy it is to recall different word sequences for 100 different web sites.

I've quizzed most of the people I've encountered who claim to use this technique. They all use four words that "pop into their head". That's quite a big difference from using random words, and almost certainly much weaker.


I tried this method. I probably did use totally random words because I can never remember what the password was and have to reset it every time I want to use the site I'm testing this on!


> I just assume that any password you can recall from memory is not secure enough.

Obligatory: http://xkcd.com/936/


I wonder when "correct horse battery staple" will start to become the new "passw0rd123"...


"Please use a password that is not a copy of one you saw on some famous comic, movie or tv series."


Learn a foreign language. Thai phrases look pretty random.


Unless you're a hacker from Thailand.


The issue here clearly isn't the passwords. Take your pick from:

* Trusting the 'cloud' (by whatever name) to the extent that you don't keep a local backup of your important data.

* Linking all your online accounts together for the convenience of anyone who wants to hack them. (I like to think of this as the 'gift-shop attack'; the castle seems strong and easy to defend, but there's always a gift shop with just a little old lady watching over it!)

* etc. etc. etc.


> they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

And this is exactly why I have an offline copy of all important documents. It's just a humble 1 TB USB drive that gets synced once in a while. I keep it at the office, just in case the house gets burglarized.

Actually, two offline copies would be better. Gotta think about that.


Honan ran into a couple of problems, and correctly noted them:

His accounts were all linked together - gaining access to one made it easy to gain access to others. Social hacking was used to either gain access to accounts and/or change the passwords.

Do we as an industry need to improve how we store passwords and manage interactions that could allow unauthorized people to take over or otherwise gain access to accounts? Yes. Does that mean doing away with passwords? No.


My perspective on online security is the same as real-life security -- if someone who really knows what they're doing wants to get to you, they'll get to you.


"This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, *some with symbols thrown in as well—but the three accounts were linked,*"

Emphasis mine. Enough said. Passwords are still pretty secure; two-factor authentication makes it even more so.


I always liked this Password Reuse Visualizer for Firefox: https://addons.mozilla.org/en-us/firefox/addon/password-reus... It shows you how much you reuse passwords, since you might not even realize how often you reflexively type the same thing into any "password" box.


I use a layered approach.

My gmail password is the safest (longest) one. Nothing else uses that password.

Then comes the second layer. I use a safe (16 chars) password for other services that are not gmail.

Then third and fourth layers, for diminishing levels of importance, each layer has a password.

And finally a somewhat insecure (14 chars) for the standard fire and forget services.

I definitely reuse the insecure password a lot. And I don't care.


At no point in the article is the password the weakest link. Crappy password reset forms are the weakest link. If we switched to e.g. hardware dongles for security, we would still have this link for "lost my dongle". I don't see how any form of authentication will work so long as companies provide a means around it.


Password reset questions are the problem. They're a back door into your account. I hate when a site forces me to enter them. When I do, I answer them with something completely different than what the question is.


Agreed. I usually randomly mash the keyboard.


I used to just enter my password again in all question fields. Now I tend to write out a long diatribe about how stupid security questions are.


He mentions that there are "shockingly complete" SSN databases available online. Is there any more information on this? Any way to find out if your own SSN or that of a loved one might be in such a database?


Your SSN was never intended to be a secret, and the fact that anyone ever treated it as such was a flawed idea.


I completely agree. Unfortunately, many places that use SSN for identity verification don't seem to think so.


It's quite likely. I was at a presentation by Kevin Mitnick recently where he pulled members of the audience on stage, and, using only their name, found their SSN and history of residence. They're not very private, unfortunately.


So his conclusion is we have to have more of a Big Brother state, to track our whereabouts at every moment, with the assurance that this will help assert & protect our identity?

Give me a break...


I've personally enjoyed some of the new image/touch based passwords I've been seeing lately. The best example I can give is the Windows 8 ad where they show people drawing on top of a picture as their password.

Something to make it more visual would be cool. If I could go to a site and draw a little picture in a box (obviously this is better suited for touch devices), I think that would be pretty hard to crack. Right (I'm the furthest thing from a security expert)?


This sounds like a disastrous mechanism. The problem is not the passwords themselves, but how we manage them. Given how people are already too lazy to think of a barely secure password, I'm not optimistic that they'll put up with non-trivial drawings.


I guess that's true. But is that the big limitation, laziness?


Laziness is the exact reason people don't bother with correct password management. Lots of people know that password re-use is bad. Yet almost all of us practice it to some degree. Lots of people know that passwords should be as long as possible and as "random" as possible, yet only a select few truly follow this. Why? Because it's just easier to type "john123" than "Jh98N%@badmouthpiecez". Ask anyone which one is a better password, which would they prefer, and which would they truly end up using. Laziness.

The problem with passwords is not their strength. It's not the passwords themselves. It's the way people use the web. For example, in the article the author mentioned that because he had all the accounts linked, breaking one meant the ability to break the others. Well duh! Perhaps try NOT linking accounts together like that next time?! Oh? It's hard? It's not. It's inconvenient. We're lazy and we want our stuff to be in one place, "cloud", because "it just works". And when shit hits the fan, you're screwed. Not because of passwords, but because of the way you manage your "digital life".

The whole "digital life" concept is utterly retarded from a security point of view. Not the passwords.


Isn't that the big limitation in everything? :)

Think about every massive online success, past and present. MySpace, for example, was not fundamentally different than how you could upload an HTML page to a server...though designing and maintaining links is obviously work beyond the average dedicated developer. And Facebook was not fundamentally different than MySpace, but its news feed eliminated the work of visiting every friend's profile to figure what happened today, which made it much more likely that you'd be "rewarded" (in the psychological sense) for visiting facebook.com rather than myspace.com...

And so forth. The password encryption schemes used as an industry standard are quite secure against a brute-force, random intruder. So social-engineering is a much more viable way to break-in...and why does Bob read his password over the phone to someone claiming to be from IT rather than take the time to verify the integrity of the transaction?...Laziness.


That's an interesting idea, but I would be nervous logging in to services in public as someone could be watching. Or even worse a store employee could watch the tape and figure out the movements. Although, I am probably just being paranoid.


What people aren't really mentioning on this thread is what sort of burden a non-password system adds to the average site developer.

What's the answer? Have all sites use OAuth and delegate to sites like FB / Twitter and hope they get more secure?

I've seen sites like http://www.loginprompt.com that try to provide authentication as a service, but they're all still fairly rudimentary or expensive.


I hate OAuth and all related technologies with a passion. My personal strategy is that any targeted site can be cracked and my password is probably stored there in a reversible format (if not straight plain text). So I don't expect to secure any given account, only isolate it from all others. That means I use as secure a password as the site allows (some sites don't let you use symbols!) and always totally different. I use a password manager to keep track of these passwords for me so even I don't actually know what they are after I've made them.

But my whole strategy is defeated behind my back because of this idiotic OAuth/whatever technology. Now only one of my accounts needs to be hacked on a high profile site and suddenly every site that gives an OAuth option is compromised for me, even though I've never used OAuth one time.


>>What about biometrics? ... the infrastructure to support them doesn’t exist ... any one-factor system<<

80 000 ATMs in Japan use vein scanners.

Biometrics are used as part of a three-factor system.

http://spectrum.ieee.org/biomedical/imaging/the-biometric-wa...


Tl-dr Does the author elaborate on the use of personal digital certificates?


Door locks are no better.


But at least people realize that doors aren't perfect, and get things insured. Even bank vaults aren't perfect, that's why the FDIC insures money in bank accounts. People never think about their passwords being insecure, so they don't take any precautions against breaches.


FDIC does not insure money in vaults against theft, they insure it against runs on the bank or if the bank goes under.


It would be annoying to have to walk around with 10 or more OTP devices though...


You don't have to do that given that things like Authy use an open standard for two factor: http://www.ietf.org/rfc/rfc4226.txt. That's the same standard that the Google Authenticator implements. So, you'd really only need a single app.


I think Aardwolf's point is: if you have 2 different service providers (let's say DropBox and Google) authenticate you with an OTP generated from a single OTP seed, they would need to share that seed on the server side and they won't. Today, I have one OTP generator for Google and one for DropBox.


Yes, but that's not what Authy (and RFC 4226 in general) are expecting. They are allowing multiple seeds in the same app. So, you use one app and get different OTP for different sites.
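The exchange above (one app, several seeds, each provider holding only its own seed) as an added, runnable example; this is not code from the thread or from Authy or Google Authenticator. It implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library, a toy "authenticator app" that stores one seed per account, and two independent "services" that each generate and verify against their own seed. The `AuthenticatorApp` and `Service` class names, the 30-second step, the one-step acceptance window and the replay check are the example's own assumptions. The test vectors in the usage note are the ones published in RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


class AuthenticatorApp:
    """Client side: one app holding many unrelated seeds, keyed by account label (assumed design)."""

    def __init__(self):
        self._seeds = {}

    def enroll(self, label: str, secret: bytes) -> None:
        self._seeds[label] = secret

    def code(self, label: str, now: int) -> str:
        return totp(self._seeds[label], now)


class Service:
    """Server side of one provider. It generates and stores only its own per-user seed;
    nothing is shared with any other provider (assumed design)."""

    def __init__(self, name: str, step: int = 30):
        self.name = name
        self.step = step
        self._seed = secrets.token_bytes(20)  # 160-bit seed, generated at enrollment
        self._last_counter = -1               # highest time step already accepted

    def enrollment_secret(self) -> bytes:
        """Handed to the user once, e.g. as a QR code, at enrollment."""
        return self._seed

    def verify(self, code: str, now: int, window: int = 1) -> bool:
        """Accept the code for the current step or +/- `window` steps (clock drift),
        but never a step at or below one already used, so a captured code cannot be replayed."""
        counter = now // self.step
        for c in range(counter - window, counter + window + 1):
            if c <= self._last_counter:
                continue
            if hmac.compare_digest(hotp(self._seed, c), code):
                self._last_counter = c
                return True
        return False


def demo(now: int = 1_700_000_000):
    """Two providers, one app. Returns (google ok, dropbox ok, cross-provider accepted, replay accepted)."""
    google = Service("google")
    dropbox = Service("dropbox")
    app = AuthenticatorApp()
    app.enroll("google", google.enrollment_secret())
    app.enroll("dropbox", dropbox.enrollment_secret())

    g_ok = google.verify(app.code("google", now), now)
    d_ok = dropbox.verify(app.code("dropbox", now), now)
    cross = google.verify(app.code("dropbox", now), now)   # wrong seed: must be rejected
    replay = google.verify(app.code("google", now), now)   # same code twice: must be rejected
    return g_ok, d_ok, cross, replay


if __name__ == "__main__":
    print(demo())
```

`hotp(b"12345678901234567890", 0)` gives `755224`, the first RFC 4226 test vector, and `totp(b"12345678901234567890", 59, digits=8)` gives `94287082`, the first RFC 6238 SHA-1 vector, so the primitives can be checked against the standard before trusting the rest. `demo()` returns `(True, True, False, False)`: each provider verifies its own code, a code for the other provider is rejected because the seeds differ, and the same code presented a second time is rejected by the replay check. The SMS/voice-call variant mentioned later in the thread has no such seed on the phone at all, which is why taking over the phone number is enough to defeat it.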


The article mentions "Matthew Prince protected his Google Apps account with a second code that would be sent to his phone—so the hackers got his cell account". It means the phone was not secure enough to protect these codes. A dedicated hardware token is more secure, but if you have to carry 10 devices on your keychain, this is not very elegant and is annoying.


Matthew Prince is my boss and I know what happened there. He was not using the type of system I am talking about (based on the RFC) but a system that does a voice call or SMS.


Funny, but I have one app for both Google and Dropbox. (Google Authenticator)


mobileOTP is what you are looking for:

http://motp.sourceforge.net/

it supports a number of OTP flavours (OATH-HOTP, OATH-TOTP, mOTP etc.). GOOG and others also provide OATH apps, ie:

http://f-droid.org/repository/browse/?fdfilter=OTP

all FLOSS and work with standard services. If you prefer a hardware token, inexpensive Yubikey tools come with every Linux distribution.


There are two solutions:

- Carry one OTP device and authenticate to a federated identity service

- Carry an OTP device which can embed several OTP seeds, such as a smart card


So, in the future, what alternatives would replace the password?


How about SSH-keygen? That is, the same with committing to GitHub and logging in to SSH via putty with pageant?

I'm sure there are quite a bit of downsides to this method and it will resort to even logging in with some sort of "password."


I like private keys instead of passwords in theory, but in practice, I'm scared that I'll misplace the private key file, rendering all of my data lost forever. Private keys can also be lost (stolen laptop?) or misplaced. Or what if you're traveling and your laptop gets busted, how do you safely and quickly transfer a private key from your home storage to where you are? I'm not a crypto-expert, maybe these questions all have easy answers--but they're not obvious, at least.

Memorable passwords are in your brain for the long-term, and can't be lost or stolen. (Well, aside from improbables like torture.)


A password database on a service where you don't lose it?


2 passwords. Unbreakable.


Geeks backup. 'Wired' authors do not.


Password is 100% good if you do not use Windows.


This is so wrong. Hacking an online account does not necessarily involve hacking the user's computer. If your HN password is "password" or "hn", I won't need to spy on your files to get in your online account.


If you are using a secure OS, like *nix, there is really not much opportunity for an outsider to spy on your files. The article is ignorant, like most of the stuff on Wired, and in fact is more encouraging script kiddies to play than educating users how to employ better practices to protect themselves online. Instead of mentioning Zeus, it would be better to explain to users the basics of public key cryptography.

