In the sad world of passwords, we're engrossed in the wrong movie
I've wanted to write something about the LinkedIn breach, but under a news lens what is actually new?
I have a dozen or more stories in my doc folder telling the same sad tale. Zappos, Gawker, Sony, Apple, Fox, CBS, Warner Bros. rootkit.com, etc. etc. I guess I could just search and replace the names with LinkedIn, eHarmony or Last.fm and change the number of compromised accounts.
Company X loses millions of passwords and personal data to Hackers Y. Company X says change all your passwords. End-users Z ignore or dutifully update and repeat a new password on all their sites. Law enforcement investigates but goes for donuts when the short Internet attention span sees another shiny object to fawn over.
Hackers Y pop up again six months later with phishing scams, or worse yet, attacks on business accounts using a combination of your stolen name, password, and the last four digits of your credit card number.
It's not the passwords, folks. The infrastructure is broken. What's that phrase about insanity and trying the same thing over and over?
We hang our cleverly crafted (not!) passwords all over the Internet, trusting virtual entities offering 10% off our next purchase and a promise our data won't be shared willingly - but without mentioning the sieve that is their circa 1980s security defenses.
Is there a fix? Right now, no. Is there something in the works? Yes. Will it solve (or drastically minimize) the threat? Time will tell.
Read the National Strategy for Trusted Identities in CyberSpace (NSTIC) proposal, look at what Google is doing with public domain interfaces and back-end verified attribute exchanges. Facebook may be fork lifting personal data into the advertising industry but they are doing OK so far with passwords. Read about trust frameworks and personal data stores.
The very basic structure is to have a trusted identity provider (IdP) that vouches for you when other sites -known as relying parties - go looking for your authentication credentials. Nearly every site gets out of the password game - LinkedIn, eHarmony, Last.fm, etc. etc. and the number of IdPs shrinks to four or five major sites.
Yes, there is a single point of failure argument, but liability contracts are the incentives IdPs have to protect your data. Protecting your identity will be their core competency as opposed to holiday cheese balls and wrapping paper.
Or we can continue to stuff our passwords in mattresses all over cyberspace and hope theft and account hacking only happens to the other guys. What was it, 5% of LinkedIn accounts compromised; odds are pretty good it wasn't you (but it was me this time).
I'm not professing all this infrastructure work is the cavalry coming together to save the day, but how many times can we get kicked in the cyber groin before we want to test the merit of some other protection? If it is proven not to work, let's move on to the next set of ideas.
The way things are now, carnival games at country fairs pose a tougher test for hackers.
Look for web sites to begin marketing their beefed-up defenses and touting adoption of SHA-2 in the small type to the unwashed masses as an improvement over that puny SHA-1 LinkedIn so foolishly relied on.
Of course, 24 million Zappos users will know that SHA-2 didn't prove to be a paddle once they got up the password river.
Change. We need it. What do you think it should be?
See also:
- LinkedIn password breach: How to tell if you are affected
- Checking for password duplication in in Keychain Access and 1Password
- Facebook boots mobile security in wake of LinkedIn breach
- 25 most used passwords revealed: Is yours one of them
- Zappos breach highlights fragile password, personal data security
- Last.fm investigating 'security issue,' password breach