High on the White House’s hit list: The series of letters, numbers and symbols you type in when you access everything from your bank account to your Netflix list.
“Kill the password dead as a primary security measure,” urged Michael Daniel, the president’s cybersecurity coordinator, at the International Conference on Cyber Engagement, held recently at Georgetown University in Washington, D.C. As more and more devices connect to the Internet, we need to develop new ways of confirming our identities, he said.
Technologists wonder, though, whether using fingerprints, faces or devices to log in would help or hurt the cause of data security and privacy. Businesses, meanwhile, have mostly taken a pass on investments that would allow them to move beyond the password.
“I would love to kill the password dead, but I don’t know what we can replace it with that would be viable now,” said Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory, which has studied passwords.
Hackers send “phishing” emails or make phone calls to fool people into giving up their passwords, or use sophisticated software to flood systems with educated guesses.
According to last year’s federal indictment of five members of China’s People’s Liberation Army, that country’s cyberespionage Unit 61398 “stole the usernames and passwords for at least 7,000 employees” of Allegheny Technologies Inc., a specialty metals company headquartered in Pittsburgh, “allowing them to monitor activity on those systems and to steal ATI’s information in the future.”
“The beauty of the password hack is, it’s not elegant,” said David Kane, CEO of Ethical Intruder, a Pittsburgh company that helps clients find vulnerabilities to hackers. “But if I get the password of the CEO, people will never know that I hacked into the system.”
Though the five Chinese hackers have not been arrested, the indictment handed down by U.S. Attorney David Hickton was heralded at the conference as an important warning shot. However, it hasn’t awakened every corporate IT department to the vulnerability of password-protected networks.
“Unfortunately, I think companies are probably pretty far behind in actually making that big switch” from passwords to more advanced network security, Kane said.
Technologists all over the world are floating apps that unlock your phone only when they see your face, fingerprint readers and retina scanners that connect to PCs, and wearable devices that automatically fill in your passwords but lock your computer when you step away. All have weaknesses.
“People are wary of the fingerprint. They’re wary of the eyeball scan,” Kane said. “It already has been proven with biometrics that if somebody can lift your fingerprint” they can enter your print-protected accounts.
There’s no guarantee that a fingerprint, once digitized, stored on a device and transmitted, can’t be snatched by a hacker, said Jeramie Scott, national security counsel for the Electronic Privacy Information Center.
“Unlike a password, once a biometric is compromised, it can’t be changed. That’s it,” Scott said. “We don’t want to trade off one privacy issue for another.”
He also worried about the potential for “mission creep.” If we all use our faces to unlock our phones, for instance, what’s to keep corporations or the government from using that database and the growing network of cameras to track our movements?
A more privacy-friendly solution, he said, might be a combination of passwords and electronic devices to unlock accounts.
Some security-sensitive companies have equipped employees with key fob-style tokens that generate constantly changing passwords that control access to networks. That technology suffered a severe setback in 2011, when hackers broke into the tokens marketed by RSA, the security division of Massachusetts-based EMC Corp., and then penetrated Lockheed Martin’s supposedly ironclad network.
At the conference, experts agreed that as everything from your car to your pacemaker goes online, the need for something beyond the password becomes critical. “In some ways, the window for doing this is already starting to close,” the White House’s Daniel said.
Unfortunately, Cranor said, we’re not yet ready to put to bed the likes of babygirl123. “We don’t have a perfect solution right now,” to replace the password, she said, “or any solution that’s even close to a perfect solution.”
THIS PA$$WORD IS NOT VERY SECURE
The perfect password would be both unpredictable and memorable, but that’s a tough combination, said Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory.
As a leading researcher on passwords, she has seen thousands of them, and they’re rarely as clever as their creators imagined.
How about 1qaz2wsx? Sorry, that diagonal march down the left side of the keyboard is well known to hackers, who have programs that spit out the most common passwords and test systems, machine-gun style.
And if the hacker wants you specifically, they’ll check your social media for, say, the names of your pets.
CyLab student Blase Ur last month traveled to Seoul, South Korea, to present the lab’s most recent paper on passwords. The bottom line: “Random is best, but random is hard to remember,” so it’s important to find the right balance, Cranor said. “We’ve been looking at what are the ways that you can actually make passwords stronger without actually driving users crazy.”
So what works?
Long passwords — 12 characters or more — are much harder to predict than short ones, regardless of their composition, said Cranor.
Systems increasingly demand a mixture of letters, numbers, punctuation and capitalization.
That’s more secure, but can be far better if the capital letters are not at the beginning and the punctuation is not at the end, she said. If you always capitalize, say, the third letter in your passwords, that quirk can improve security while remaining memorable.
CMU’s studies indicate that exclamation points are the most popular password punctuation, so anything else would probably be better.
Beyond the obvious dumb passwords — 12345678, iloveyou, pa$$w0rd — Cranor advised avoiding your mother’s maiden name, children’s names or birthdays, or other easily identifiable trivia from your well-documented life. Random words strung together would be better than common phrases.
“Song lyrics?” she said. “Not such a good idea.”
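The CyLab advice in the sidebar reduces to a handful of checks a login system can run before accepting a new password. The script below is an added example, not code from the article or from CyLab; the keyboard-layout table, the finding names and the small blocklist are constructed for illustration, and the keyboard-walk check generalizes the article's 1qaz2wsx case to any four-key run along a row or column.

```python
"""Heuristic password audit following the CyLab advice quoted in the article.

Added example, not code from the article or CyLab. The US-QWERTY row table,
the finding names and the tiny blocklist are constructed for illustration.
"""
import string

# US QWERTY rows; columns are read top to bottom, e.g. "1qaz", "2wsx" (constructed)
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _walk_fragments(size=4):
    """All runs of `size` adjacent keys along a row or down a column, both directions."""
    lines = list(_ROWS)
    for col in range(max(len(r) for r in _ROWS)):
        lines.append("".join(r[col] for r in _ROWS if col < len(r)))
    frags = set()
    for line in lines:
        for i in range(len(line) - size + 1):
            piece = line[i:i + size]
            frags.update((piece, piece[::-1]))
    return frags

_WALKS = _walk_fragments()

# Constructed blocklist: the "obvious dumb passwords" the article names
COMMON = {"12345678", "iloveyou", "pa$$w0rd", "babygirl123"}

def audit_password(pw: str) -> list:
    """Return the weaknesses found (empty list means no heuristic fired)."""
    findings = []
    low = pw.lower()
    punct = {c for c in pw if c in string.punctuation}
    if low in COMMON:
        findings.append("common_password")
    if len(pw) < 12:                                   # "12 characters or more"
        findings.append("too_short")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), bool(punct))
    if sum(classes) < 3:                               # letters, numbers, punctuation, caps
        findings.append("little_mixture")
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        findings.append("capital_only_at_start")       # capitalize elsewhere instead
    if pw and pw[-1] in string.punctuation:
        findings.append("punctuation_at_end")
    if punct == {"!"}:                                 # most popular punctuation
        findings.append("only_exclamation")
    if any(low[i:i + 4] in _WALKS for i in range(len(low) - 3)):
        findings.append("keyboard_walk")               # 1qaz2wsx and friends
    return findings
```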