Passwords are the Problem

This most recent attack is news because it is the largest on record, but apart from the numbers – 1.2 billion credentials is staggering – the story is the same one we’ve been hearing for years.  Usernames and passwords are being stolen at an ever increasing rate, and our money is being stolen.

Unfortunately, for most major retailers, the incentive to act as an Internet Security change agent isn’t very high. While the losses might appear to be dramatic to most consumers – in excess of tens of millions of dollars in most recent instances – the reality is these losses tend to be well inside the retailers’ price of doing business.

So if the hacked companies aren’t losing money – what’s the problem here?  Why are we geeks so enamored with these stories, and why is the tech press all over them?  Why is password theft such a big deal?

Here’s why:  The hackers aren’t attacking big corporations.  They are attacking you and me.   

Sure, these major retailers are all in the headlines. Those are the places that the hackers initially focus on, because they are the source of lots of data about people. Credit card data is one thing that everyone is afraid of, but that’s just a single route to our money. But our usernames and passwords are a much better, much bigger route to our money.

As technology advances, and more and more of our services are available with an online component – even the average consumer has to handle the reality of multiple usernames and passwords.  Your bank, your credit cards, your mortgage and college loan provider – they all have access to your money.  And they all have lots of high-tech protections in place to try to block UNAUTHORIZED access to your account.

But what about AUTHORIZED access?  If you need access to pay a bill, you get access right away.  Because you can prove that you’re authorized to do so.  And how do you do that?  With a username and a password.  All that stands between a hacker and all your money is the ability to impersonate you.

When banks had tellers, and vaults, and business hours, and local customers, impersonating customers was nearly impossible.  You had to look like me, sound like me, sign like me, and know my account numbers before you could get my money.  Not bad for 19th century security, right?  Gaining AUTHORIZED access was hard, and gaining unauthorized access was even harder.  You needed shovels, and dynamite, or some kind of threat to the teller…it was a big risk to try.

Fast forward 200 years, and unauthorized access is far harder, but AUTHORIZED access?  You just need a username and password.  That’s easy, and that’s what hackers know.

And since we humans are not good at remembering lots of different passwords, we tend to choose one or two, and stick with them.  So we make it even easier for the bad guys to impersonate us to gain authorized access.

Imagine it this way:  What if the key to your front door was also the key to your car, and your post office box, and your shed, and your garage, and your storage locker, and your office, and your parents’ house, and your kid’s college dorm room?  And then imagine that key, which unlocked every valuable part of your and your family’s life, had your name etched into it forever.  Would you make lots of copies of it, and leave them around?  I bet you wouldn’t…

Because whoever had that key would know your name, could easily look up your address and could unlock your house right away.  They’d find all your valuables, but also they’d find bills for your storage locker, including its address.  And mail from your parents with their address.   And a bill from college with your kid’s address.  So they’d steal from them too.  And they would find more addresses and more keys, and on and on they’d go.

Then they’d get in your car, and find your registration papers, and they’d look in your navigation to see what recent places you have visited, so they could try your key there as well.

This is exactly what is happening with hackers compromising usernames and passwords.  They have the key to all your locks.

Now, if this is how keys really worked, I bet you’d protect your keys more closely.  And I bet you’d be loath to trade the convenience of a single master key to everything, for the risk of losing it all.  You’d probably even be angry that lock makers would be lazy enough to allow security to work that way, and you’d start demanding a better solution.

Well, we need to demand a better online security solution.  We need to eliminate usernames and passwords, and replace them with something that’s far more secure.  The technology exists.  Businesses know about it.  IT knows about it.  Now we need to demand that we all start using it.

What IS the answer?

Instead of passing credentials and matching them up, which is what got us into this mess, we need to prove our identity with things that are different every time – assertions or “tokens” that are encrypted and signed so they can’t be copied and exploited.  That requires a system of participating, trusted machines.

It’s a technical solution, with SAML, OAuth, and other technologies at the forefront, but this is a technical problem.  We can’t expect that the same security principles that we used for our high school lockers will protect us against web-based attacks – yet that’s what passwords are.  Just another simple code that’s easy to steal, and easy to crack.
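To make the idea of signed assertions that are "different every time" concrete, here is a simplified sketch added as an illustration; it is not SAML or OAuth, and not code from the original post. It assumes a constructed shared HMAC key and hypothetical names (`issue_assertion`, `Service`), and it signs the assertion without encrypting it.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key shared by the identity provider and each service (assumption).
SHARED_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_assertion(subject, audience, now=None, ttl=60, key=SHARED_KEY):
    """Identity provider side: mint a signed, short-lived, single-use assertion."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience, "exp": now + ttl,
              "nonce": secrets.token_hex(16)}  # fresh random value: differs every time
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

class Service:
    """Relying service: never stores or sees a password, only verifies assertions."""
    def __init__(self, name, key=SHARED_KEY):
        self.name, self.key, self.seen = name, key, set()

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:  # wrong number of parts or invalid base64
            return "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return "bad signature"
        claims = json.loads(body)
        if claims["aud"] != self.name:   # minted for a different service
            return "wrong audience"
        if now > claims["exp"]:          # too old to accept
            return "expired"
        if claims["nonce"] in self.seen: # already presented once
            return "replayed"
        self.seen.add(claims["nonce"])
        return "ok:" + claims["sub"]
```

Unlike the single master key described earlier, a captured assertion is rejected at any other service, after its expiry, and on a second presentation.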

Until then, the big companies will keep getting hacked.  But you and I will be the ones that keep getting stolen from.