Last Friday my friend Bob McMillan wrote an article on Wired (Google Declares War on the Password) which talks about a research paper Google will publish this month. I don’t know how many times we have mentioned how important it is to choose a good set of passwords, at least 1,000 times 😉 We have written about that in this very same blog, as well as in our tech support blog La Piazza.
However, most users are still using the same password for all online services (Facebook, Twitter, PayPal, eBay, Amazon, Google, etc.) and even worst, that password is created either from personal information (as if I used “luiscorrons” as password) or really simple ones so they can be remembered easily (“12345″, “admin”, “password”, etc.)
Probably, as a reader of this blog you are concerned about security and you have different passwords for each service, without personal information so they cannot be guessed, etc. Now the question is: even if we use different and strong passwords, are we safe? And let’s be honest: no, we are not safe. A simple password cannot guarantee our digital life safety. That’s why 2 factor authentication has been in place for a few years. At this point it is mandatory to read what happened to Mat Hogan to find out what are we risking, and how all our digital life can be compromised or even erased. And even more importantly, how he describes that if he had used Google 2 factor authentication the attack on him would have probably failed. However, this doesn’t mean that passwords are useless. It is the very first layer of security, and as such it is important, and currently it is the only way to authenticate in most places.
At this point you may think on the 2 factor authentication as the holy grail. But it is not. Of course it improves security, but even if we use a second device for this (our smartphone, for example) we have already seen attacks that can circumvent these measures, being banking Trojans one of the best examples. But this doesn’t mean we don’t have to use it, only that we have to be aware of these attacks. Other 2 factor authentication approaches involve the use of dedicated hardware, such as the RSA SecurID. And I am really looking forward to that research paper from Google, which will propose new ways of improving user validation.
But what’s this all about? At the end of the day, what we are doing is identifying ourselves, showing proof that I am who I claim to be when I access my Facebook account. Another approach could involve biometric authentication, which could avoid having to use complicated passwords. And we’ll probably get there, in fact a number of smarthones can already recognize his owner using this kind of techniques.
However, remember that there is no perfect system, and whatever we use, it has to be translated into binary code. What if someone is able to steal that information? We can change a password, but changing our fingerprints might be a bit more difficult. But don’t panic yet, biometric authentication doesn’t mean that you have to scan your fingerprint and have it sent to Facebook or whatever site we want to access to, once scanned. In the same way that the best approach for passwords is that one where the website (or whatever service you are using) does not store your password, but only salted hashes of it, we *shouldn’t* see anyone sending your biometric information.
Let’s see what this new proposal from Google is, and we’ll see if it can help protect our identity.
I agree that passwords are mostly worthless at this point in the digital evolution. I equate them to screen doors at worst – only keeping out minor, passing attacks by gnats and mosquitoes. At best, such as with a two part system, they are like a deadbolted door – they will keep out thieves who are looking for an easy mark. Someone who really wants into your house will get in, no matter how many locks and bolts you have on the doors and windows. The same goes for your online presence. If someone really wants to hack you, they will find a way. Government websites being hacked are prime examples. I don’t have a great solution. Biometrics are ok as far as they go, I suppose, but so far security has been cracked before it is even released. Good luck with this project, Digital Gurus!