Today it is Twitter that has fallen victim to a breach stemming from weak passwords. This is not surprising: we have seen username and password breaches at many online service providers over the years, including Sony PlayStation Network, Gawker, Zappos, Dropbox, Epsilon, LinkedIn and Yahoo, and the list goes on and on.
The problem stems from two main facts:
1) Internet-based services and applications continue to grow and expand every single day, and consumers take advantage of them.
2) These services are all independent of one another; each maintains its own set of user credentials and puts forth “best efforts” to protect them.
Each online service issues its own set of credentials and needs a simple method to onboard users, so it typically defaults to usernames and passwords. End users accumulate so many usernames and passwords that they tend to re-use them.
Because credentials are re-used across services, criminals who compromise one provider’s credential database can harvest account credentials and then use them (or sell them to other criminals) to obtain data or money from other online services. While online service providers do their best to protect user credentials, they simply do not have the breadth of resources to provision a solution that is both secure and simple for end users.
Let’s face it: the Internet, with all of its applications, services and information, is mature, mainstream, and has achieved mass adoption. It has clearly proven its ongoing value to the world, but the security underpinning it has not received due attention and is slowly becoming its true Achilles’ heel.
Online service providers need to come together and start moving toward a stronger, easier approach to identity-based security. HTTPS alone will not cut it; database firewalling will not cut it; encrypting stored usernames and passwords will not cut it.
The giants of the Internet need to move toward strong user credentials that:
- Cannot be stolen or replicated
- Can be easily leveraged across multiple service providers
- Are simple to use on an ongoing basis (preferably by leveraging something the user already has, like a smartphone)
The good news is that the underlying technology exists, is proven, and is standards-based. The bad news? An event more significant than a Twitter breach will probably have to occur before we wake up and smell the coffee.