
Passwords – The end?

I have started seeing a lot of posts recently about the end of the password, only for it to be replaced with cheap and disposable biometric hardware. But what about security? What does biometric hardware offer that passwords can’t, and what do passwords have that will always make them superior to biometrics?

Let me start with a little bit of history around the password. Around 220BC, Roman legions used watchwords so that a sentry could confirm that whoever approached was who they said they were, rather than get stabbed by some burly man in a skirt wielding 30 inches of solid iron. Watchwords were still in use right through the height of the Second World War (and potentially even later).

Modern passwords still perform exactly the same function: proving that whoever presents a name is actually entitled to it. Why are passwords still around? Because they are simple, easy and effective. We use them for everything: our online banks, our social networks, our corporate accounts, our “random account that receives millions of junk emails a day” accounts… they all use them. So why should it bother us that someone wants to get rid of them? Why will biometrics become a bigger hindrance than the password?

But what is it about biometrics that developers find so wonderful that they see it as the replacement for the humble password? Why does it appeal so much that they are starting to release biometric devices (dongles and phones included) to unlock our accounts? Apple have had it in their latest iPhone for a while, PayPal are using it, and Samsung, Google and Microsoft are all developing it…

I still don’t see what all the fuss is about. I don’t want to have to touch some piece of plastic just for it to tell me that my fingerprint is wrong, or look into an iris scanner and have it suddenly decide that my eyes are the wrong shade of blue. Yeah, I hear you complaining too. Don’t worry about this though: biometric scanners don’t demand an exact match. Each scan is compared with the stored template and given a similarity score, and the system accepts anything that scores above a threshold. Using this as a really (and I mean seriously) dumbed down example, I’ll try to explain what I mean.

Suppose the matcher is tuned so that, out of every 10,000,000 impostor attempts, 0.005% are wrongly accepted.

That is 500 people let through even though the finger on the sensor wasn’t the enrolled one. It isn’t a quota though; the figure falls out of a score. Every scan is given a number for how closely the biometric detail matches the stored template, and the system accepts anything at or above a cut-off. So the example really looks like this:

Out of 10,000,000 impostor attempts, 0.005% score 70 or more out of 100 and are accepted.

Now what this means is that the 500 people who got in were the ones whose wrong finger happened to score 70 or more. Twenty of them may have scored exactly 71: their biometric detail was wrong, but it was 70% similar or greater, so they were let through. Raise the threshold to 80 and fewer impostors get in, but more genuine users are turned away by a smudged or off-centre scan; lower it and the reverse happens. That trade-off between false acceptance and false rejection is what the vendors are really tuning.

Of course, this is a lot more complicated than I’ve described. Mathematicians and system architects have slaved for many years to come up with a ‘pitch-perfect’ algorithm that gets it right every time, and they have still been unsuccessful. The technology isn’t error free (I know, neither are passwords, but it’s easy to forget those…), and it still can’t reliably distinguish between actual fingers and photocopied paper cutouts (Mythbusters demonstrated this). Until that problem is fixed, passwords will remain the more practical option.
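To make the threshold trade-off concrete, here is an added example (my own illustration, not code from any scanner vendor) that scores a handful of constructed genuine and impostor attempts against a threshold and reports the false acceptance rate (FAR) and false rejection rate (FRR). The scores are made up for the purpose; the only real figure is the post’s 0.005% of 10,000,000.

```python
"""Score thresholds, false accepts and false rejects for a biometric matcher.

Added example: the scores below are constructed for illustration, not measured
on any real sensor. A matcher gives each scan a similarity score; the system
accepts when score >= threshold.
"""
from typing import List, Sequence, Tuple

# Constructed similarity scores (0-100). "Genuine" = enrolled user presenting
# their own finger; "impostor" = someone else's finger against that template.
GENUINE_SCORES = [98, 95, 93, 91, 90, 88, 85, 83, 80, 78, 75, 72, 69, 66, 60]
IMPOSTOR_SCORES = [12, 18, 23, 27, 31, 35, 40, 44, 48, 52, 55, 61, 64, 71, 74]


def false_accept_rate(impostor_scores: Sequence[int], threshold: int) -> float:
    """FAR: fraction of impostor attempts the system wrongly lets through."""
    accepted = sum(1 for score in impostor_scores if score >= threshold)
    return accepted / len(impostor_scores)


def false_reject_rate(genuine_scores: Sequence[int], threshold: int) -> float:
    """FRR: fraction of legitimate attempts the system wrongly turns away."""
    rejected = sum(1 for score in genuine_scores if score < threshold)
    return rejected / len(genuine_scores)


def expected_false_accepts(far: float, attempts: int) -> int:
    """How many impostors get in over `attempts` tries at a given FAR."""
    return round(far * attempts)


def sweep(genuine: Sequence[int], impostor: Sequence[int],
          thresholds: Sequence[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each candidate threshold."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def equal_error_threshold(genuine: Sequence[int], impostor: Sequence[int]) -> int:
    """Lowest threshold where FAR and FRR are closest: a common tuning point."""
    rows = sweep(genuine, impostor, range(0, 101))
    return min(rows, key=lambda row: abs(row[1] - row[2]))[0]


if __name__ == "__main__":
    # The post's figure: 0.005% FAR over 10,000,000 attempts -> 500 false accepts
    print("false accepts at 0.005% of 10,000,000:",
          expected_false_accepts(0.00005, 10_000_000))
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, (60, 70, 75, 80)):
        print(f"threshold {t:3d}: FAR {far:.1%}  FRR {frr:.1%}")
    print("equal-error threshold:",
          equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Moving the threshold from 70 to 75 drives the FAR on this sample to zero but rejects a third more genuine users; that is the lever the post describes, and no setting of it removes both kinds of error at once.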

One other massive problem with biometric data is that it cannot be changed (for identification purposes). You cannot change your fingerprints or your irises, and you definitely can’t change your DNA. Alongside this lies the massive issue of data collection. Get hold of someone’s fingerprint and you suddenly have the upper hand: you can sell it to hackers (so they can cast replicas in silicone), sell it to corporations for analytics, or even sell it to governments for their people-tracking databases! And unlike a leaked password, the victim can never revoke it.

So what can you do to make your password secure enough that it is relatively difficult for an attacker to gain access to your account with it? Well, this simple list should make it easier:

  • Never use a simple password – Many companies have started making it harder to use simple passwords (such as “password” and “abc123”) by forcing you to use combinations of lowercase and uppercase letters, numbers and symbols. It doesn’t necessarily have to be this complex (though I will post another blog post at a later date around this with actual data/results), but using at least 3 of the above with a minimum length of 8 characters puts you in a far better position than an easy-to-guess password. Length helps more than mixing character classes: a passphrase of several unrelated words is both stronger and easier to remember than something like “P@ssw0rd1”.
  • Never use the same password – Not only for the same website, but across different websites. It is paramount that every single password you use is different (or at least that the services which matter (bank, email, social) each have their own). If you do reuse a password and an attacker gets hold of it, there’s a very good chance they’re going to try it against every other one of your accounts. A password manager makes keeping them all different painless.
  • Change your password regularly – You should change your passwords at least twice a year (for not-very-important things) and every quarter (3 months) for very important things. Changing a password doesn’t make it harder to guess; what it does is shorten the window in which a stolen copy is still useful. Don’t just add a “1” to the end of the old one either: that takes only slightly longer to guess and doesn’t change the strength. Choose a completely different password that’s easy to remember.
  • Take indicators of compromise seriously – If a company tells you its password database has been compromised, change ALL of your passwords immediately (more so if your passwords are the same across multiple websites). Stolen passwords change hands for around 10GBP per list of 10,000, which makes them extremely valuable to hackers and scammers. If you’re a victim of password theft, change your passwords immediately, and also change the email address tied to the account (there’s a chance they will attack that one next…).
  • Use “2 Factor Authentication (2FA)” – Now that passwords are taking less time to crack (still a matter of years in some instances), additional layers of security are needed to protect our data. One way is to use an app like “Google Authenticator” or “Authy”, which holds a secret shared with the service and derives from it a 6- or 8-digit code that changes every 30 seconds; you enter the code after your username and password. Facebook has similar technology built into the Facebook app (or alternatively it can text you a one-time password).
  • Enable account alerts – This essentially means that if someone other than you logs into your account, you will be sent an automated SMS or email notifying you that this event has occurred. This won’t provide any form of protection other than you getting a notification that it has happened. It’s useful, but it’s not something you should go out of your way to set up.

So, to conclude… Biometrics might be super exciting and awesome – but the real fact is that they will always be vulnerable in the sense that they cannot be changed. Once you get old, you might get cataracts, or your fingers may become wrinkled and disfigured – suddenly you can’t access your accounts. Yes, you might forget your password, but at least you can request a new one. You can’t request a new finger…


Heartbleed

As you may (or may not) be aware, the whole Internet has been scrambling over a simple bug in the globally used and trusted OpenSSL library. The bug, now known as Heartbleed (CVE-2014-0160), sits in OpenSSL’s implementation of the TLS heartbeat extension. A client sends a small heartbeat request carrying a payload and a field stating how long that payload is, and the server echoes the payload back. OpenSSL never compared the declared length with the size of the record it had actually received, so a request that claimed a bigger payload than it carried was answered with whatever happened to follow the payload in the server’s memory, up to 64KB per request.

This bug had been in OpenSSL for over 2 years (it arrived with version 1.0.1 in March 2012 and was fixed in 1.0.1g) but was only brought to the public’s attention just over a week ago. That means there is the potential for over 2 years’ worth of data acquisition and spying by attackers and potentially government agencies……… Who knows? They’re denying it, but they have denied a lot of things (for the record, if you never see another blog post: farewell my lovelies!!)

XKCD have nailed this one on the head with their hyper-simplistic example:

[Image: XKCD comic, “Heartbleed Explanation”]

This bug meant that an attacker could read whatever was sitting in the server process’s memory near the heartbeat buffer. That could be status updates, HTML, messages, emails, passwords, session cookies… the list goes on. However, it should be noted that what comes back is essentially pot luck, so the chance of any single request returning something ‘juicy’ is slim. An attacker would have to fire off thousands of requests and sift the results to find anything useful, and because the requests are valid protocol messages, nothing about them appears in the server’s logs, so a site cannot tell after the fact whether this was done to it.
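To show exactly where the missing check sat, here is an added example modelling the heartbeat handler in Python; it is not OpenSSL’s code. Python can’t read past the end of a buffer, so “process memory” is a bytearray in which the received record is followed by constructed data standing in for whatever happened to be on the heap. The vulnerable handler trusts the payload length written inside the record; the fixed one applies the bounds check that OpenSSL 1.0.1g added, comparing the declared payload length with the length of the record actually received.

```python
"""Model of the OpenSSL heartbeat over-read (CVE-2014-0160, "Heartbleed").

Added example: a Python model of the bug's logic, not OpenSSL's code. Python
cannot read past a buffer, so "process memory" is a bytearray in which the
received record is followed by unrelated data the handler must never touch.
"""
import struct
from typing import Callable, Optional

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
HEADER_LEN = 1 + 2          # one type byte, two-byte payload length
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding

# Constructed "adjacent memory": what happened to follow the record on the heap.
ADJACENT_MEMORY = b"\x00" * 8 + b"Cookie: session=9f3a77c1; password=hunter2\r\n"


def heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. An honest client declares len(payload);
    the attack declares a length far larger than the payload it actually sends."""
    length = len(payload) if claimed_length is None else claimed_length
    return (bytes([TLS1_HB_REQUEST]) + struct.pack(">H", length)
            + payload + b"\x00" * MIN_PADDING)


def vulnerable_handler(memory: bytearray, record_length: int) -> Optional[bytes]:
    """OpenSSL 1.0.1 through 1.0.1f: trusts the length field inside the record.

    The C did `memcpy(bp, pl, payload)` with `payload` taken straight from the
    wire; `record_length` (what the record layer really delivered) is never used.
    """
    if memory[0] != TLS1_HB_REQUEST:
        return None
    payload_length = struct.unpack(">H", bytes(memory[1:HEADER_LEN]))[0]
    echoed = bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])  # runs past the record
    return bytes([TLS1_HB_RESPONSE]) + struct.pack(">H", payload_length) + echoed


def fixed_handler(memory: bytearray, record_length: int) -> Optional[bytes]:
    """OpenSSL 1.0.1g: the two bounds checks the fix added."""
    if record_length < HEADER_LEN + MIN_PADDING:
        return None                       # silently discard: too short to be valid
    if memory[0] != TLS1_HB_REQUEST:
        return None
    payload_length = struct.unpack(">H", bytes(memory[1:HEADER_LEN]))[0]
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None                       # declared payload does not fit the record
    echoed = bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])
    return bytes([TLS1_HB_RESPONSE]) + struct.pack(">H", payload_length) + echoed


def response_payload(response: bytes) -> bytes:
    """Strip the response header so callers can inspect what was echoed."""
    return response[HEADER_LEN:]


def run(record: bytes, handler: Callable[[bytearray, int], Optional[bytes]]) -> Optional[bytes]:
    """Place the record at the front of 'memory' and hand it to a handler."""
    memory = bytearray(record + ADJACENT_MEMORY)
    return handler(memory, len(record))


if __name__ == "__main__":
    honest = heartbeat_request(b"ping")
    print("honest request, vulnerable server:", response_payload(run(honest, vulnerable_handler)))
    evil = heartbeat_request(b"ping", claimed_length=0xFFFF)
    print("evil request, vulnerable server:  ", response_payload(run(evil, vulnerable_handler)))
    print("evil request, fixed server:       ", run(evil, fixed_handler))
```

The real fix also discards requests shorter than the three-byte header plus 16 bytes of padding, which the fixed handler mirrors; OpenSSL additionally appends random padding to every response, which is left out here because it plays no part in the bug.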

One of the most worrying things is that the server’s private key could be acquired, because it too lives in that process’s memory. What that buys the attacker depends on how the connections were negotiated. If the attacker has recorded traffic to the server (now or in the past) and the connection used RSA key exchange, which was common at the time, the private key decrypts it outright; no man-in-the-middle is needed. Connections that used a forward-secret (ephemeral Diffie-Hellman) cipher suite can’t be decrypted that way, but the key still lets the attacker impersonate the site or sit between user and server until the certificate is revoked and replaced. That is why affected sites needed new keys and certificates, not just a patched library.

Many people are wondering whether to change their passwords. My recommendation is that you should, without a moment’s hesitation, with one caveat: wait until the site in question has patched OpenSSL and replaced its certificate, because a password changed on a still-vulnerable server can be stolen just like the old one. This matters because some people use the same passwords across different services. If one of your passwords was compromised and you reuse it, all of your accounts are compromised. So change all of your passwords, no matter how complex they are.

Where does this leave us now? Are we going to doubt the security protocols we rely on because one of the biggest open encryption libraries in the world had a vulnerability for over 2 years? Absolutely! Should we take extra precautions while online? Absolutely! Are there going to be issues like this again, and what can we do to prevent it? It won’t be long before more bugs are found in encryption software like OpenSSL and GnuTLS, but by supporting the developers we let them focus more of their time and abilities on fixing bugs and making the web a more secure place.

 


[PP] Looking Forward!

You’re probably wondering whether you’ve seen a post similar to this before on my old blog…. you’d be right… you have! Except now you’re seeing this because the old one has gone (see this).

Well, onto the formalities. The PridePlace project is officially back on the road and the wheels are in motion to release a social network for members of the LGBT community by the end of 2014! After a long hiatus, I have taken the decision to move forward with development in a 9 month strategy to get the website released! It’s going to be a long and arduous road, but with the right amount of determination and dedication, it’s going to be possible.

Currently, the website is just skin and bones. There is no substance; all of the good stuff is still in my head (amongst many other things..). So, over the next 9 months I am going to be feeding the website with the contents of my brain to build this wonderful masterpiece and have it released on the 1st of January 2015 (it seems a little bit ambitious, I know…).

Between now and launch, my fingers will be worked to the bone to ensure that I stay on target and actually implement everything I say I am going to implement. Don’t worry, once it gets towards testing,  the lucky users will have the opportunity to request what they want.

Once we get towards October/November, I am going to come back to you all and ask you to help me out – I’m going to ask 150 of you to help me break the site to fix it again, and 1000 of you to help  me improve the site. You’ll be rewarded with gratitude and be amongst the top of our featured users page for special recognition!

More information about our 9 month plan can be found here! I will also be posting weekly updates with monthly summaries so you can track our progress and start taking bets as to whether we will launch by the 1st January 2015…

Why am I telling you this? Well, I need your support. I don’t want your money, or your words of encouragement… I want you to promote PridePlace. I want you to let people know what we’re going to be about. Starting next month, a massive advertising drive on Facebook and Google+ (maybe even Twitter) will take place… and I need your help. Don’t worry about it for now though, I will post more details in the near future.


Back online!

As you may have noticed, my blog disappeared recently for a number of weeks (5 to be exact). The reason it went offline is that it hurt too much keeping archaic software and poorly supported packages running, most of which needed manual updating in order to stay secure. But now I’m back! The blog is all shiny and new (I forgot to back up the old one before deleting it, purely because it was slow and boring and BLAH!!), which means that hopefully I’ll be posting a lot more stuff!

I intend to blog a lot more, and one of the things I am going to blog on is the little project I’m working on: weekly service updates on the status of the project, monthly updates on its timeline, and a gigantic launch party when we’re ready to leave the alpha stages!

To view the plans, timelines, and updates, please navigate to this link to go to the relevant section of the website!