
Kill the Password: Why a String of Characters Can't Protect Us Anymore - ldayley
http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Top+Stories%29
======
gabemart
>This summer I learned how to get into, well, everything. With two minutes and
$4 to spend at a sketchy foreign website, I could report back with your credit
card, phone, and Social Security numbers and your home address.

I simply don't believe this. Absent a keylogger or some massive security
breach with Google themselves, I can't think of any way an attacker could get
into my gmail account short of rubber-hosing.

The author hand-waves all of this by saying "let's say you're on AOL". Well,
let's say I'm _not_. Let's say I have an account at Gmail with a > 20
character password and a > 20 character answer to the password reset question.
If someone can break into that within a few minutes, they are _severely_
undercharging at $4.

~~~
kibwen
I agree that it's hyperbole, but there's one more factor to consider:

 _"The hackers persuaded Apple to reset my password by calling with details
about my address and the last four digits of my credit card. Because I had
designated my Apple mailbox as a backup address for my Gmail account, the
hackers could reset that too, deleting my entire account—eight years’ worth of
email and documents—in the process."_

For anyone who had an email account prior to Gmail's launch in 2005, I'd wager
there's an excellent chance that they initially linked their prior account to
their Gmail account while signing up. In fact, reading this article has made
me realize that I'm in the exact same boat; I still have my Gmail address
linked to an ancient, dormant email account on a relatively-insecure service
(I trust them more than AOL, but not nearly as much as Google).

~~~
debacle
I'm lucky. My university deleted my old inbox ages ago!

~~~
Egregore
Are you sure? Then they can create an exact copy of your university e-mail for
another person.

------
lucb1e
Passwords are fine. The way we handle them causes the major leaks we're seeing.

For the record, I've had viruses and have been hacked in the past, but it
never did any significant damage. Accounts are separated (unlike the writer of
this article's), different services on my server are isolated as much as
possible, I use a number of password levels, etc. The hacks were due to
carelessness, something that can always happen accidentally. What should not
occur is that you're completely fried when one account or one technology
fails, like the writer of this article was (his twitter got hacked, all Apple
devices were wiped).

What I think should happen is an improvement in terms of how we store passwords
(for starters, don't write them down and put them next to your pc), how we
enter passwords (keylogger vs. password manager hacked problem), how passwords
are transferred, how passwords are handled on the server, and how we can do
password-equivalent actions. By password-equivalent actions I mean anything
that bypasses the need for the password, such as password resets.

When these things are improved, passwords are still perfectly fine in 2012.
For high-risk systems such as banks you surely might want to use two-factor
authentication, but generally a password should be fine - or at least an
option for those who think they can keep it safe.

~~~
Cherian_Abraham
This comment reflects a lack of understanding of how non-IT folks deal with
passwords. As the number of services we consume on the web has exponentially
increased, the difficulty in remembering all those passwords has led the
majority of us to keep 2 or 3 passwords for the whole lot, leading to what
the author of the Wired article was guilty of.

That's not stupid, that's just how folks who have other stuff to worry about
in their lives deal with a technology they hardly understand. Security
frameworks even for banking systems primarily depend on passwords and little
else. It's similar to "getting past the gatekeeper to the fort, and then
having access to the Armory, Queens Chamber and the Royal Safe". Access should
not be granted because you could recite 10 characters in the right order. It
should be granted after having fully understood the context of your attempt,
the history of the account and the account holder, and doing KBA (knowledge
based auth) commensurate with the damage that could happen if the wrong person
accessed that account.

Passwords should die a horrible death. They are a mere fallacy. An illusion of
security.

~~~
lazyjones
> This comment reflects a lack of understanding of how non-IT folks deal with
> passwords.

If that is so relevant, we should also kill online (and offline) banking,
selling used cars and insurance etc. ... Because clueless people will get
owned and scammed everywhere.

What the article neglects is pointing out the total failure of Amazon, AT&T
and Apple to protect their customers. It's complete nonsense to allow identity
theft on the basis of information that is easily obtainable (credit card and
social security numbers - they've been exposed hundreds of times and are no
secrets). Class action suits might fix that in the long run, but at least
don't blame passwords when they weren't the weakest link.

~~~
Jabbles
"If that is so relevant, we should also kill..."

No, because although some people may get scammed, there is still massive
overall benefit to those services.

------
mitchi
Some comments on Wired are hilarious:

> Tired of hearing you cry about getting hacked dude. Get over it.

> This guy is the laughing stock of our organization, he's almost achieved meme
> status. This guy is a "technical" writer at Wired for god sakes. A magazine
> I've been reading since almost Issue 1.
>
> He comes off as if he's been traumatized by the experience, like he's
> survived some sort of violent crime. It's an insult and he just keeps milking
> this experience over and over again.
>
> I've been working in IT Security for almost a decade, his experience is
> trivial compared to some of the incidents I've worked and seen.
>
> Maybe he's just milking his tale as link bait, who knows, but I'm tired of
> hearing him whine.
>
> Grow a pair and move on.

> "Tech writers" that don't back up or protect their data obviously chose the
> wrong career. Honan is a bigger joke than Wired has become.

~~~
aes256
These comments summarize my thoughts rather eloquently.

Clicked through to the article expecting something interesting, left almost
immediately upon realizing it was just Mat Honan milking his hacking _once
again_.

------
debacle
> My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19
> characters, respectively, all alphanumeric, some with symbols thrown in as
> well—but the three accounts were linked,

No, you had one 'robust' password, one good password, and one godawful
password that you should feel bad about not securing better.

And then you linked all of the accounts together, basically putting all the
keys to the kingdom in the weakest safe you had.

It was a poor decision, and has nothing to do with the strength of passwords
as a data protection mechanism.

~~~
_djo_
I seem to recall that Honan's accounts were hacked not because of his password
strength, but because Amazon and Apple at the time had flawed password-
recovery options that allowed an attacker to reset his password.

~~~
masklinn
That is also my recollection of the event. Basically, the recovery process for
one gave away the secret allowing resetting the password on the other one,
something along those lines.

~~~
mitchty
That and being able to add any credit card to an Amazon account with a little
social engineering. That was rather important.

------
zalew
> _After watching lots of movies, many of us would like to think that a
> fingerprint reader or iris scanner could be what passwords used to be: a
> single-factor solution, an instant verification. But they both have two
> inherent problems. First, the infrastructure to support them doesn’t exist,
> a chicken-or-egg issue that almost always spells death for a new technology.
> Because fingerprint readers and iris scanners are expensive and buggy, no
> one uses them, and because no one uses them, they never become cheaper or
> better._

related: mythbusters hacking (a probably not that advanced) fingerprint
protection <http://www.youtube.com/watch?v=3Hji3kp_i9k>

Today I've read one of Polish banks is going to test out fingerprint ATMs. Not
that I have amounts worth cutting my thumb off, but I wouldn't opt in for
that.

~~~
igouy
'Vein readers, on the other hand, are fast and accurate. “Finger veins are
also very difficult to steal,” Kitayama points out. Even if a thief were to
hack off your hand to fool a vein scanner, he’d have to keep all the blood
inside your severed appendage to make it work.'

<http://spectrum.ieee.org/biomedical/imaging/the-biometric-wallet>

------
AndrewDucker
Passwords should be a last resort.

Things like BrowserID/Persona are what web sites should be moving towards -
verify my email address is real, don't ask me to manage a set of data to log
in with.

Edit: Here's the kind of thing you can do without ever needing to go near
passwords: <https://github.com/wrr/wwwhisper#readme>

~~~
jcfrei
Persona and BrowserID still rely on passwords at some point. I believe the
currently most realistic alternative to passwords is a time based
authentication with a personal device (ie. a device you always keep with you,
like your smartphone). My online banking provider does this as well and has
abandoned passwords altogether.

~~~
koide
I'm divided. Smartphones will probably always be much less secure than
specially designed one time password provider hardware.

On the other hand your smartphone can get more secure with updates and your
token provider will surely be much harder if at all possible to upgrade.

Anyway the point is moot, if such a scheme is ever viable (as in most people
will have one and you can implement it in many websites without having to be a
bank) it will be through smartphones.

~~~
maxerickson
I sort of think I want a dumb phone and tablet more than I want a smartphone.
It would be nice if the tablet (or other nearby computers) could ask the dumb
phone for authentication.

Not a solution for everybody, but it would be nice if it were at least a
possibility.

------
neonshot
Passwords in my eyes are all but useless.

The password requirements of my current company have got so insane now that an
average human _can't_ remember them and therefore has to write them down

Defeating the point of having a secure password in the first place.

~~~
flyinRyan
Companies are absolutely stupid about passwords. They usually have a rule that
says 3 fails equals a locked account... so one bad apple could use any
computer in the company to literally lock every single employee out without
knowing anyone's password.
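
To make the failure mode in this comment concrete, here is an added example (not code from the thread or from any named product) that puts the "three failures lock the account" policy next to an assumed alternative in which failures are counted per (account, source) pair inside a sliding window. Account names, the workstation id "ws-42" and the timestamps are all constructed for the demonstration.

```python
from collections import defaultdict, deque


class AccountLockout:
    """The policy described in the comment: three failed attempts on an
    account lock it, whoever made them and from wherever."""

    def __init__(self, limit: int = 3):
        self.limit = limit
        self.failures = defaultdict(int)  # account -> failure count

    def record_failure(self, account: str, source: str) -> None:
        # The source is ignored: any failure counts against the account.
        self.failures[account] += 1

    def is_locked(self, account: str, source: str) -> bool:
        return self.failures[account] >= self.limit


class PerSourceThrottle:
    """Assumed alternative design (not from the thread): failures are
    counted per (account, source) pair inside a sliding time window, so a
    flood from one workstation throttles that workstation, not the
    victim's own sessions from elsewhere."""

    def __init__(self, limit: int = 3, window_seconds: int = 900):
        self.limit = limit
        self.window = window_seconds
        self.failures = defaultdict(deque)  # (account, source) -> timestamps

    def _prune(self, key, now: float) -> None:
        # Drop failures that have aged out of the window.
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, account: str, source: str, now: float) -> None:
        key = (account, source)
        self._prune(key, now)
        self.failures[key].append(now)

    def is_locked(self, account: str, source: str, now: float) -> bool:
        key = (account, source)
        self._prune(key, now)
        return len(self.failures[key]) >= self.limit


def demo() -> dict:
    # Constructed scenario: one insider on workstation "ws-42" types wrong
    # passwords for every colleague; "alice" then tries from her own desk.
    employees = ["alice", "bob", "carol"]
    naive = AccountLockout()
    throttle = PerSourceThrottle()
    t = 1000.0
    for user in employees:
        for _ in range(3):
            naive.record_failure(user, "ws-42")
            throttle.record_failure(user, "ws-42", t)
            t += 1
    return {
        "naive_alice_locked_out": naive.is_locked("alice", "alice-desk"),
        "throttle_alice_can_log_in": not throttle.is_locked("alice", "alice-desk", t),
        "throttle_attacker_source_blocked": throttle.is_locked("alice", "ws-42", t),
        "throttle_clears_after_window": not throttle.is_locked("alice", "ws-42", t + 901),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The per-source design trades one failure mode for another: it stops a single workstation from locking out the whole company, but on its own it does not limit guesses that arrive from many sources, so in practice it is paired with per-account rate limiting and alerting rather than used as the only control.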

------
NelsonMinar
The real solution here is a delegated authentication protocol like OpenID,
BrowserID/Persona, OAuth, or Facebook Connect. Asking users to maintain 100+
strong passwords is ridiculous. Password agents like 1Password or LastPass
work OK for now, but those agents become high value targets themselves and the
core design is not very secure.

Delegated authentication designed from the beginning to be secure is the
solution. And we've had technical implementations of that going back at least
10 years (Microsoft Password, client-side SSL, OpenID). The reason they
haven't succeeded is a combination of product design and political problems.

Mozilla's BrowserID / Persona project is looking promising. Tim Bray at Google
has also been talking about identity a lot lately, maybe Google will offer a
solution too.

------
dradtke
> they used my Apple account to wipe every one of my devices, my iPhone and
> iPad and MacBook, deleting all my messages and documents and every picture
> I’d ever taken of my 18-month-old daughter.

If having an Apple account gives that much control over your data, then that's
your own fault for having one in the first place.

~~~
ommunist
Yep. Geeks backup.

------
1SaltwaterC
"My Apple, Twitter, and Gmail passwords were all robust— _seven_ , 10, and 19
characters"

He lost me at seven.

~~~
krapp
my gmail password is close to 40 characters. It would be impossible to manage
without keepass. I just assume that any password you can recall from memory is
not secure enough.

~~~
ontheotherhand
Ditto. I've switched to generating passwords that are as long as the site
allows (well, up to 80 or so, with spaces and special characters and whatnot).

I think I'd rather stop reading FUD articles on Wired written by noobs, than
give up passwords.

~~~
Thrymr
Good for you. But 99.9% of people are not as careful, and will never be. You
can't change them. They will continue to use the same password of minimum
allowed length for multiple sites, and store it in plain text on their
desktop. The designers of technology need to be aware of how it is actually
used by real people.

------
Thrall
The issue here clearly isn't the passwords. Take your pick from:

* Trusting the 'cloud' (by whatever name) to the extent that you don't keep a local backup of your important data.

* Linking all your online accounts together for the convenience of anyone who wants to hack them. (I like to think of this a the 'gift-shop-attack"; The castle seems strong and easy to defend, but there's always a gift shop with just a little old lady watching over it!)

* etc. etc. etc.

------
Florin_Andrei
> _they used my Apple account to wipe every one of my devices, my iPhone and
> iPad and MacBook, deleting all my messages and documents and every picture
> I’d ever taken of my 18-month-old daughter._

And this is exactly why I have an offline copy of all important documents.
It's just a humble 1 TB USB drive that gets synced once in a while. I keep it
at the office, just in case the house gets burglarized.

Actually, two offline copies would be better. Gotta think about that.

------
tallanvor
Honan ran into a couple of problems, and correctly noted them:

 _His accounts were all linked together - gaining access to one made it easy
to gain access to others._ Social hacking was used to either gain access to
accounts and/or change the passwords.

Do we as an industry need to improve how we store passwords and manage
interactions that could allow unauthorized people to take over or otherwise
gain access to accounts? Yes. Does that mean doing away with passwords? No.

------
atacrawl
My perspective on online security is the same as real-life security -- if
someone who _really_ knows what they're doing wants to get to you, they'll get
to you.

------
mrcrassic
"This summer, hackers destroyed my entire digital life in the span of an hour.
My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19
characters, respectively, all alphanumeric, _some with symbols thrown in as
well—but the three accounts were linked,_"

Emphasis mine. Enough said. Passwords are still pretty secure; two-factor
authentication makes it even more so.

------
sp332
I always liked this Password Reuse Visualizer for Firefox:
<https://addons.mozilla.org/en-us/firefox/addon/password-reuse-visualizer/>
It shows you how much you reuse passwords, since you might not even realize
how often you reflexively type the same thing into any "password" box.

~~~
Shorel
I use a layered approach.

My gmail password is the safest (longest) one. Nothing else uses that
password.

Then comes the second layer. I use a safe (16 chars) password for other
services that are not gmail.

Then third and fourth layers, for diminishing levels of importance, each layer
has a password.

And finally a somewhat insecure one (14 chars) for the standard fire and forget
services.

I definitely reuse the insecure password a lot. And I don't care.

------
aidenn0
At no point in the article is the password the weakest link. Crappy password
reset forms are the weakest link. If we switched to e.g. hardware dongles for
security, we would still have this link for "lost my dongle". I don't see how
any form of authentication will work so long as companies provide a means
around it.

------
bproctor
Password reset questions are the problem. They're a back door into your account.
I hate when a site forces me to enter them. When I do, I answer them with
something completely different than what the question is.

~~~
laumars
Agreed. I usually randomly mash the keyboard

------
georgefox
He mentions that there are "shockingly complete" SSN databases available
online. Is there any more information on this? Any way to find out if your own
SSN or that of a loved one might be in such a database?

~~~
kscaldef
Your SSN was never intended to be a secret, and the fact that anyone ever
treated it as such was a flawed idea.

~~~
georgefox
I completely agree. Unfortunately, many places that use SSN for identity
verification don't seem to think so.

------
astangl
So his conclusion is we have to have more of a Big Brother state, to track our
whereabouts at every moment, with the assurance that this will help assert &
protect our identity?

Give me a break...

------
rglover
I've personally enjoyed some of the new image/touch based passwords I've been
seeing lately. The best example I can give is the Windows 8 ad where they show
people drawing on top of a picture as their password.

Something to make it more visual would be cool. If I could go to a site and
draw a little picture in a box (obviously this is better suited for touch
devices), I think that would be pretty hard to crack. Right (I'm the furthest
thing from a security expert)?

~~~
danso
This sounds like a disastrous mechanism. The problem is not the passwords
themselves, but how we manage them. Given how people are already too lazy to
think of a barely secure password, I'm not optimistic that they'll put up with
non-trivial drawings.

~~~
rglover
I guess that's true. But is that the big limitation, laziness?

~~~
zxcdw
Laziness is the exact reason people don't bother with correct password
management. Lots of people know that password re-use is bad. Yet almost all of
us practice it to some degree. Lots of people know that passwords should be as
long as possible and as "random" as possible - yet only a select few truly
follow this. Why? Because it's just _easier_ to type "john123" than
"Jh98N%@badmouthpiecez". Ask anyone which one is a better password, and what
would they prefer and what would they _truly_ end up using. Laziness.

The problem with passwords is not their strength. It's not the passwords
themselves. It's the way people use the web. For example in the article the
author mentioned that because he had all the accounts linked, breaking one
meant ability to break the others. Well duh! Perhaps try _NOT_ linking
accounts together like that next time?! Oh? It's hard? It's not. It's
_inconvenient_. We're lazy and we want our stuff to be in one place, "cloud",
because "it just works". And when shit just hits the fan, you're screwed. Not
because of passwords, but because of the way you manage your "digital life".

The whole "digital life" concept is utterly retarded from security point of
view. Not the passwords.

------
cedricd
What people aren't really mentioning on this thread is what sort of burden a
non-password system adds to the average site developer

What's the answer? Have all sites use OAuth and delegate to sites like FB /
Twitter and hope they get more secure?

I've seen sites like <http://www.loginprompt.com> that try to provide
authentication as a service, but they're all still fairly rudimentary or
expensive.

~~~
flyinRyan
I hate OAuth and all related technologies with a passion. My personal strategy
is that any targeted site can be cracked and my password is probably stored
there in a reversible format (if not straight plain text). So I don't expect
to secure any given account, only isolate it from all others. That means I use
as secure a password as the site allows (some sites don't let you use
symbols!) and always totally different. I use a password manager to keep track
of these passwords for me so even I don't actually know what they are after
I've made them.

But my whole strategy is defeated behind my back because of this idiotic
OAuth/whatever technology. Now only one of my accounts needs to be hacked on a
high profile site and suddenly every site that gives an OAuth option is
compromised for me, even though I've never used OAuth one time.

------
igouy
> What about biometrics? ... the infrastructure to support them doesn’t exist
> ... any one-factor system

80 000 ATMs in Japan use vein scanners.

Biometrics are used as part of a three-factor system.

<http://spectrum.ieee.org/biomedical/imaging/the-biometric-wallet/0>

------
rodolphoarruda
Tl-dr Does the author elaborate on the use of personal digital certificates?

------
damon_c
Door locks are no better.

~~~
sp332
But at least people realize that doors aren't perfect, and get things insured.
Even bank vaults aren't perfect, that's why the FDIC insures money in bank
accounts. People never think about their passwords being insecure, so they
don't take any precautions against breaches.

~~~
sswezey
FDIC does not insure money in vaults against theft, they insure it against
runs on the bank or if the bank goes under.

------
Aardwolf
It would be annoying to have to walk around with 10 or more OTP devices
though...

~~~
jgrahamc
You don't have to do that given that things like Authy use an open standard
for two factor: <http://www.ietf.org/rfc/rfc4226.txt>. That's the same
standard that the Google Authenticator implements. So, you'd really only need
a single app.

~~~
matthiasb
I think Aardwolf's point is: if you have 2 different service providers (let's
say DropBox and Google) authenticate you with an OTP generated from a single
OTP seed, they would need to share that seed on the server side and they
won't. Today, I have one OTP generator for Google and one for DropBox.

~~~
jgrahamc
Yes, but that's not what Authy (and RFC 4226 in general) are expecting. They
are allowing multiple seeds in the same app. So, you use one app and get
different OTP for different sites.
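
The exchange above (jgrahamc's description of one app holding several RFC 4226 seeds, and matthiasb's worry that two providers would have to share a seed) can be shown end to end. The following is an added example written for this thread; it is not Authy's or Google Authenticator's code. It implements HOTP as RFC 4226 specifies it (HMAC-SHA1 over an 8-byte counter, dynamic truncation, six digits), a client that keeps an independent seed and counter per site, and a per-site verifier that knows only its own seed and uses a small look-ahead window. The site names and seeds are constructed for the demonstration; only the RFC's published test seed appears in the checks.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class Authenticator:
    """Client side: a single app holding one independent seed and moving
    counter per enrolled site, which is all RFC 4226 requires of it."""

    def __init__(self):
        self._accounts = {}  # site -> [secret, counter]

    def enroll(self, site: str, secret: bytes) -> None:
        self._accounts[site] = [secret, 0]

    def next_code(self, site: str) -> str:
        entry = self._accounts[site]
        code = hotp(entry[0], entry[1])
        entry[1] += 1  # counter advances; a code is never produced twice
        return code


class HotpVerifier:
    """Server side for one site. It holds only its own seed, so nothing
    has to be shared between providers and a code issued for another
    site's seed never validates here."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # The look-ahead window tolerates codes the client generated but
        # never submitted; on a match the counter moves past the matched
        # value so the same code cannot be replayed.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def demo() -> dict:
    # Constructed seeds: in practice each site generates its own random
    # seed at enrollment and shows it to the client app exactly once.
    site_a_seed = b"constructed-seed-for-site-A"
    site_b_seed = b"constructed-seed-for-site-B"

    app = Authenticator()
    app.enroll("google", site_a_seed)
    app.enroll("dropbox", site_b_seed)
    google_srv = HotpVerifier(site_a_seed)
    dropbox_srv = HotpVerifier(site_b_seed)

    g_code = app.next_code("google")
    d_code = app.next_code("dropbox")
    return {
        "codes_differ": g_code != d_code,
        "google_accepts_own": google_srv.verify(g_code),
        "google_replay_rejected": not google_srv.verify(g_code),
        "dropbox_rejects_google_code": not dropbox_srv.verify(g_code),
        "dropbox_accepts_own": dropbox_srv.verify(d_code),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point matthiasb raised dissolves once the seed is seen as a per-site value: the app stores several, each provider stores only its own, and the counter on both sides is what keeps a given code from being accepted twice. A time-based variant (TOTP) replaces the counter with a time step but keeps the same per-site seed model.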

~~~
matthiasb
The article mentions "Matthew Prince protected his Google Apps account with a
second code that would be sent to his phone—so the hackers got his cell
account". It means the phone was not secure enough to protect these codes. A
dedicated hardware token is more secure, but if you have to carry 10 devices
on your keychain, this is not very elegant and is annoying.

~~~
jgrahamc
Matthew Prince is my boss and I know what happened there. He was not using the
type of system I am talking about (based on the RFC) but a system that does a
voice call or SMS.

------
nemoto
So, in the future, what alternatives would replace passwords?

~~~
mastofact
How about SSH-keygen? That is, the same with committing to GitHub and logging
in to SSH via putty with pageant?

I'm sure there are quite a few downsides to this method and it will resort
to even logging in with some sort of "password."

~~~
acabal
I like private keys instead of passwords in theory, but in practice, I'm
scared that I'll misplace the private key file, rendering all of my data lost
forever. Private keys can also be lost (stolen laptop?) or misplaced. Or what
if you're traveling and your laptop gets busted, how do you safely and quickly
transfer a private key from your home storage to where you are? I'm not a
crypto-expert, maybe these questions all have easy answers--but they're not
obvious, at least.

Memorable passwords are in your brain for the long-term, and can't be lost or
stolen. (Well, aside from improbables like torture.)

~~~
bartwe
A password database on a service where you don't lose it?

------
ommunist
Geeks backup. 'Wired' authors do not.

------
ommunist
Password is 100% good if you do not use Windows.

~~~
matthiasb
This is so wrong. Hacking an online account does not necessarily involve
hacking the user's computer. If your HN password is "password" or "hn", I
won't need to spy on your files to get in your online account.

~~~
ommunist
If you are using a secure OS, like *nix, there is really not much opportunity
for an outsider to spy on your files. The article is ignorant, like most of the
stuff on Wired, and in fact is more encouraging script kiddies to play, than
educating users how to employ better practices to protect themselves online.
Instead of mentioning Zeus, it would be better to explain to users the basics of
public key cryptography.

