These days, a password is a pretty weak barrier between a hacker and your private data.
At the end of the day, it doesn’t really matter all that much whether your password is five characters or 50. As a singular form of authentication, a password is decidedly weak. Maybe it could fly 10 years ago, but that’s not the world we live in anymore. The inherent vulnerability of passwords is highlighted by two recent breaches: an attack on game video streaming service Twitch and a separate incident in which Uber users’ passwords were stolen.
Twitch hack leads to password resets
In the gaming world, Twitch is a huge hub of activity. The service is like ESPN for gamers. You go to the site to watch live feeds of expert gamers playing video games, and can learn strategy from and interact with them. It’s a hugely popular platform, with 45 million gamers using it every month. Unfortunately, the site’s users recently experienced an event that temporarily brought them out of the world of video games and put them face-to-face with the reality of cyberattacks. In late March, Twitch experienced malicious activity on its servers that led to the service requiring all users to create new passwords, as Ars Technical reported. While Twitch employs password protection, the service admitted in an email to select users that “we believe it’s possible that your password could have been captured in clear text by malicious code when you logged into our site on March 3.”
When password attacks like this happen, it doesn’t really matter if your password is long or short, symbols-heavy or just lowercase letters. If a hacker deploys malicious code that intercepts passwords as they’re entered, every entry has the potential to be stolen. That’s one reason every user was required to reset his or her password. But if a password hack on the site happened once, what’s to stop a similar one from happening again in the future? In this way, Twitch’s response to its breach – to have users create new passwords – doesn’t really solve the problem. Instead of mandating an additional identity-verifying wall in the form of two-factor authentication, Twitch merely asked its users to recreate something that will still be inherently vulnerable to attack.
Uber user password leak reveals lucrative trade of password selling
Twitch is not the only business entity making headlines due to password problems. The popular transportation service Uber is currently dealing with the news that thousands of its users’ passwords were put on the dark net for sale – although Uber has stated that it was not attacked.
The dark net is the hacker underbelly of the Internet. It is a place where cybercriminals communicate, plan attacks and sell (often illicit) things. Recently, a bunch of Uber usernames and passwords appeared on one such dark net site for sale to other criminals, as Mashable reported. But Uber said that the hacked passwords did not come from an attack on them.
In denying that a criminal intrusion had happened on its end, Uber also added: “This is a good opportunity to remind people to use strong and unique usernames and passwords, and to avoid reusing the same credentials across multiple sites and services.”
That is sound advice to be sure – but it is not enough. Which is to say, nobody’s arguing that you shouldn’t have strong and unique passwords. A weak password is easier to breach than a strong one. But when discussing password strength, what we’re actually talking about is a spectrum of relative weakness. So it’s time to change our approach to authentication.
Passwords are weak – so what’s the alternative?
The computing future we’re heading toward is one in which the traditional password becomes a secondary component of identity verification. The primary element will come in the form of something you, the user, uniquely possess – such as a smartcard or token access. This is the idea behind Entrust Datacard’s IdentityGuard authentication and identity management platform.
The platform is built on the premise that point authentication solutions don’t provide nearly the identity protection needed to handle the cyberthreats and vulnerabilities of the modern computing world. IdentityGuard dramatically improves enterprise, banking and government network security by providing an identity-based authentication platform that relies on methods of identity guarding that are far stronger than the password, including tools like mobile soft tokens, mobile smart credentials and smartcards.
The password is gradually being supplanted by better, more sophisticated and safer means of identity protection. In the near future, the idea that a single username and password separated businesses from their accounts will be unthinkable. This is the future we need to work toward.