Every Password Has Been Stolen. Now What?

It’s time we stop pretending. Oh, I know it’s easier to sleep when we think that we’re safe and sound. We try to use only “trusted” apps and services. We choose who gets to keep our photos, our files, and our tax returns. We see the lock icon that indicates HTTPS, and we think we can buy shoes safely.


But each of the services we choose, and labor over, and discuss, and investigate — they are all only as strong as the dumb password we put in front of them. Let’s just assume every password has been compromised. No account is safe. Given the high-profile breaches we’ve seen in the last couple years, that’s likely more true than we’d like to think.

So what’s next? What do we do now? Spoiler alert: We don’t rely on being smart or clever. Smart and clever don’t matter when attackers play upon our sense of trust. That makes us really vulnerable.

Another week, another breach

Last week, we all heard about the teenager who hacked the email of the Director of the CIA. If you are like me, you were… conflicted.

Now, clearly I am disgusted. This kid is a menace, right? And how can we rest easy knowing how easily we can all be hacked? How can we be so foolish? America is the home of the brave! Yet we are vulnerable to teenage hackers? ON OUR OWN SOIL? Let’s have a march!!

But also… I am a little proud. I know! Yuck! Proud?! It feels terrible to admit, but I am almost proud of the kid who did it. You know why? Because this kid made me totally disgusted! I don’t know what his intention was, but I do know one result: we are up in arms about security. He showed us that we can’t sit idly by and continue to think we have this all figured out. He showed us that we need to take action!

Let me see if I can explain.

Social engineering: new dog, old tricks

In this latest breach, a kid posed as a Verizon employee. He then called a legitimate Verizon employee, and tricked the employee into releasing sensitive customer data to him. The kid pretended to be an AOL customer (who just happened to also be the director of the CIA). He called AOL, pretended to be locked out of his account, used the compromised info to prove his identity, reset the password, and BOOM. He’s “hacked” into the private email of the Director of the CIA.


That’s con-artistry at its simplest, and it’s as old as humanity itself. The ability to prey upon people by disguising yourself as “someone trusted” is something we are all aware of. Heck, if memory serves, “wear a wig and fool everyone” was the central plot point of more than half of all sitcoms from 1978-1996. Or close to it.

Today we live in an age of cheap exploit kits, Advanced Persistent Threats, pass-the-hash, and countless other technological ways of breaking through the network security perimeter. But smart attackers, like our teenage friend here, know that it’s easier to just trick humans into giving away privileged information. Brute force a password? Nah. Takes too much compute horsepower, and can be traced unless you’re careful. But make a couple of quick phone calls from a grocery store phone? Easy!

Compromised passwords don’t have to matter

The kid here took a couple of steps, and made them work for him:

  • Trick Verizon
  • Trick AOL
  • Breach email account

But at the core of his plan were two key things: prey upon human trust, and change a single password.

The kid knew that all that stood between him and the private email of the Director of the CIA was a single password. So he figured out a way to reset that password, and he was in. All too easy.

If that password had been coupled with multi-factor authentication, would the teenage scheme have worked? Not as easily, that’s for sure. He’d have needed more than just a password. He’d need the right additional form of authentication, and that’s not something you can call and trick someone out of. It might not be perfect, but it sure does make this attack way, way harder to pull off.

Kill passwords

Attackers aren’t stupid. We can’t afford to be either. Remember when I said we were as dumb as ever? Well, we are. We can’t remember crazy complex passwords. We can’t tell if we’re talking to a Verizon support rep, or an angry eighth-grader with too much rage and too little supervision. We just aren’t calibrated, as animals, to suss these kinds of things out.

So, again, let’s stop pretending. Let’s just imagine all passwords are stolen. Let’s then realize that passwords are dumb ways to protect our online selves. Let’s eliminate passwords with SAML. Let’s put MFA in front of everything, so that when a password is stolen, it doesn’t get the attacker easy access to our stuff.

Let’s learn the lessons these people are teaching, and use some new tools to stop these old threats. Because soon, we won’t have to imagine that all passwords have been stolen. They really will have been.