April 2015 Innovate

Preparing For The Password Apocalypse

Written By: Erica Brown

As cloud computing continues to expand and our lives become irreversibly entwined and interlinked with our technology, the effectiveness of our passwords is dying. Here is why.

All security systems must navigate two necessary and conflicting aspects: privacy and convenience. Systems with excellent security that are a total pain to access don’t get used. If, for example, in order to access your online banking account you have to log in with a 200-character password, enter in a code from your cell phone and answer six personal questions, you are unlikely to use it. But, your data is probably secure. On the flipside, consider this extreme example: Think of any movie or show where you have famous politicians or celebrities who have a driver or bodyguard with them 24/7. This guy knows everything about his boss…everything, including all those risqué rendezvous with the female lead and any sketchy behavior that most would be horrified if others knew. Is the main character kept safe by this bodyguard? Yes. Would most of us be willing to sacrifice that much of our own personal privacy? No. And therein lies the biggest problem.

When it comes to our digital lives, we sacrifice security for convenience — we just aren’t aware of how much we are trading.

Before we dig into what is at risk, who are these hidden people who are supposed to be so scary anyway? Overseas syndicates and children. You read that correctly. We are up against the mob and the 14-year-old next door, and as a populace, we are unaware of the skills, methods and motives of both. The syndicates are in it for the money. And there is a lot of it to be had. Remember CryptoLocker? That was the software that basically took your computer hostage. You paid a fine of a couple hundred dollars and there was a chance you might get your data back…but probably not. That program alone extorted more than $27 million in ransom payments, according to a CNET article citing the U.S. Justice Department. The FBI reports billions of dollars lost every year to repairing systems hit by attacks. And the teenagers? They are in it for the challenge and the joy that comes from getting a reaction. And they are more innovative, according to Mat Honan, a writer for WIRED magazine. He would know about cybercrime — in 2012, hackers destroyed his “entire digital life” in less than an hour.

We’ve certainly had some gains in security since 2012, but the way hackers got Mat was through linked accounts, which are still widely used and gaining in popularity (signing into Pinterest using your Facebook account, for example). So, hackers got one password and were then able to access Mat’s Apple, Twitter and Gmail accounts. From within his Apple account, they were then able to wipe all of his devices (iPad, MacBook and iPhone) including all of his messages, documents and pictures of his daughter.

You may think that this would not happen to you or your business. Your business is small, your data unimportant. This might be true if we didn’t make it so easy. In fact, attacks on small businesses are on the rise and attacks on individuals are becoming much easier as our personal data (like social security numbers) is bought and sold on the Internet. You know those security questions like “What is your school mascot?” or “What is your niece’s first name?” — I might be willing to wager that some digging on your Facebook page could reveal both pretty quickly.

But first, the hacker has to get your password. How do they do that? Even after a decade of lecturing, hackers still get us for being careless and using predictable passwords. There are lists and databases out there filled with the most common passwords. Hackers can use free password-cracking software (easily found on the Internet) and simply go through that list until they find what works. There is also phishing. You know those tempting emails you get from “FedEx” about your delivery? That is phishing. The hacker mimics an organization or website, gets you to enter data and then they’ve got your information. Let’s say they get your email password. They can then search through your email for other information like your bank and credit card names, social media sites, Amazon accounts, etc.

In addition to phishing, there is also malware (hidden programs that dig through your computer, looking for data and sending it out) and key loggers, which actually log your keystrokes. Passwords don’t stand much of a chance in this scenario.

Ultimately, we are left with the fact that we aren’t going to go backwards. We will continue to put more and more data into the cloud. We will continue to become more connected. So, we have to design solutions that allow us to be safe in this new world — and single sign-on passwords are not going to cut it, no matter how complex they are. Passwords as we know them will die.

Also, if we think of convenience and privacy as two opposite ends of a continuum, we will be better able to gauge personally how far we want to go in protecting our individual and business data. We need to stop buying into the lie that just changing our passwords periodically is going to keep us safe. Big companies need you to create accounts and use those accounts. Recognize that their security is designed to protect people who are not aware of the tradeoff of privacy for convenience.

You simply can’t protect yourself from every scenario. But, here are a few things to do to significantly reduce risk:
• Don’t click through on suspicious email links. My habit is to go directly to the site I am trying to access rather than clicking through the email that has been sent to me.
• Don’t reuse passwords. If they get one, they get them all.
• Do invest in quality (not free) antivirus and malware protection.
• Do take advantage of two-factor authentication whenever it is offered. Yes, it is annoying, but it gives you an added layer of identification that (in my opinion) is well worth the inconvenience of rummaging through my purse for my cell phone to get the code.
• Do give fake answers to your security questions. If you think about it, you can come up with a way to make them easily remembered but not known by others.
• Do set up a unique email address to have password recovery emails sent to and never use this email address for anything else.
• Do consider utilizing a password manager. Auto-generated passwords are going to be more secure than what comes out of your head.
