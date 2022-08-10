
Big tech is working on our issue with passwords - they plan to get rid of them

10 August 2022 7:15 PM
by Colin Cullis
Tags:
Digital technology
BusinessUnusual

No one will miss passwords, but getting rid of them does not mean there is no more work to do to stay secure.

The Netflix documentary The Most Hated Man on the Internet highlights the willingness of some people to do anything to make money, and how vulnerable we are to those intent on getting access to our accounts. In this case the aim was to post naked pictures without permission on a website to attract visits and earn money from ad impressions.

Copyright law could allow you to have the images removed, but at the time that meant a civil lawsuit over personal images. Thankfully that has now changed, and there are harsh penalties for publishing this content, which is generally referred to as revenge porn.

In this case the criminal offence was hacking. It is incredible that the sentence was less than three years. It was a plea deal, which is likely why it was less harsh, although that seems lenient given the seriousness of the offence, how long the site remained live (from 2010 to 2012), and that the operators knowingly targeted people in order to find naked images, post them publicly and include their personal information, all for ad revenue.

You might think the risk is much lower now and that the penalties are much greater because there are more laws in place. That is not incorrect, but it is cold comfort to someone who discovers they have been hacked and has lost control of their accounts and everything in them.

The hacks then, much like now, depend on phishing and on our limited ability to understand the implications of getting hacked.

For comparison, consider having your credit card compromised. Odds are you will receive a notification from the bank quite quickly, even if it is only to inform you of a transaction you did not make. You will likely get the transactions halted and not lose any money. But you will also lose access to the card, and getting a new one is a fair bit of unwanted effort, in part because the bank has to prevent someone intercepting the newly issued card.

Now consider how much more of an issue it would be if you could not access your online information, which probably includes most of your photographic memories and possibly some that were never intended to be public.

Bottom line: it really is worth your while to keep your accounts safe. For the most part that means having good passwords.

A short history

The idea of proving you may enter somewhere, by proving you are who you say you are or that you have permission, is thousands of years old, but the need for a digital password began in the 1960s with the first shared, multi-user computers.

Your username and password let the service establish which account to give you access to, and have you prove you are entitled to it.

The passwords would be stored by the service (these days, ideally only as a salted hash of each password, although a stolen list can still be cracked if the passwords are weak). If that list was accessed by someone without permission, everyone on it was compromised. Services being hacked is still an issue. The website Have I Been Pwned (with the odd spelling: "pwn" comes from gaming, where it described someone who had been defeated, and now describes someone whose account access has been compromised) lets you check, and will most likely tell you that most if not all of your email addresses have appeared in past breaches.

Thankfully those are becoming less of a risk on their own, given how large the breaches are and how cheaply a copy can be acquired: your details are one line among millions. The catch is that automated credential stuffing tries every leaked email and password pair against other services, so a leaked password only stays harmless if you never reused it elsewhere.

Phishing is the main threat

The real concern has been the rise of phishing, which lets hackers choose who they would like to attack, or effectively screen out those who are unlikely to be scammed rather than catching whoever wanders into the net.

Given that there is a form of targeting, the damage is likely to be greater and usually involves fraud or blackmail to get you to pay. You may have your access blocked and your data encrypted by ransomware, or be slowly drained of cash by someone playing on emotion or promising more money later. The blackmail option typically involves threatening to share embarrassing information publicly. The impact of all of these is significant, but the threat that your very personal details will be shared publicly can be the worst.

A side note: because this type of shaming is so much more common now, its impact may in time become smaller. It will no doubt still be embarrassing, but the long-term effect may not be as severe as it was in the past.

Big tech knows you are bad with passwords

The first solution offered, and one that remains very important if you have lots of accounts, is a password manager. Most browsers offer to store your passwords securely and, more importantly, will generate strong, unique passwords. Phone manufacturers offer it as part of their service. Stand-alone services work on both your computer and your phone, and the business versions allow you to share access with staff without sharing the passwords themselves.

For those who don't use password managers, we have moved to needing a secondary confirmation via email or SMS. Unfortunately, that too can be intercepted (an SMS code can be captured through a SIM swap, or simply typed by the victim into a phishing page that asks for it), so it does not completely solve the problem.

It does mark the start of what multi-factor authentication can become. You have probably come across the terms 2FA or MFA, which refer to using more than a username and password; the goal is to make that additional piece of information something that can't be copied.

The next evolution uses an authenticator. It may be an app you download on your phone that generates codes that are only valid for a short period, typically 30 seconds, and so would be hard to share even if you wanted to. The code is computed on the phone from a secret shared once at setup rather than sent to it, so there is nothing in transit to intercept. It is currently the easiest option to get your head around, although a code typed into a fake login page can still be relayed to the real one within its validity window, which is the gap the hardware keys discussed below close.

FIDO keeps watch

The improvements are part of the Fast Identity Online (FIDO) movement, which is developing alternatives to passwords.

Another very popular option is biometrics, typically your fingerprint or face, to verify that it is you. On a modern phone or laptop the biometric itself stays on the device and simply unlocks a key stored there; the service never receives your fingerprint. Thankfully we don't need to worry about forgetting either, although they have drawbacks too: the elderly lose the clarity of their fingerprints, and face scanners are still expensive on low-budget devices.

Microsoft and others make life a bit easier when logging on to your computer by asking for a PIN that only works on that computer and not on the account itself. Should you try to access the machine or the account from elsewhere, you will need the full password.

The solution that may slow down hackers and scammers, while not slowing us down as much, uses zero-knowledge proofs and specialist hardware that not only proves who you are but can prove where you are too.

As counter-intuitive as a zero-knowledge proof may sound, the underlying mathematics lets one party convince another that it knows a secret, or that a statement is true, without revealing the secret itself.

Wired's series explaining hard-to-grasp concepts at various levels helps here. Suppose I told you I knew the combination to a letterbox, but could not share the number with you or show you what is inside. You could write a message I had not seen and post it into the letterbox; if I really knew the combination, I could open the box and read your message back to you, proving I know the combination without ever telling you what it is. This was the level of explanation a teen would understand in the video; anything above that may prove tricky to most. You can watch the full video below.

Finding ways to apply this technique would let both parties verify someone's credentials without sharing anything other than public information. It is relied on for many blockchain operations.

The physical security key uses a related idea: it holds a private key that never leaves the device, and it answers the service's challenge with a signature the user never sees, so there is effectively no chance of interception and nothing the user could be talked into sharing.

At the moment they are small devices that either plug into the device you are using or talk to it over NFC, so you need only bring the key close to it.

Yubico (maker of the YubiKey) and Google are two makers of these devices. Google issued them to all its staff in 2018 and found that, while other measures had reduced the success of general and targeted phishing attacks, the keys reduced it to zero.
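The zero-knowledge idea above and the security key's challenge-response share one piece of mathematics, so here is one added example covering both. It is this example's own code, not Wired's, FIDO's or any key vendor's. It uses a Schnorr proof in a small prime-order group built at import, first as the interactive letterbox-style proof, complete with the "simulator" that shows why a transcript reveals nothing about the secret, and then made non-interactive as a signature over the login challenge together with the origin the browser observed, which is what makes a relayed phishing attempt fail. The group size, the hash layout, the function names and the fake domain are assumptions for illustration; real keys sign with ECDSA or EdDSA over standard curves, but the origin binding works the same way.

```python
import hashlib
import secrets


def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these 12 bases."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_above(start):
    """Smallest P = 2Q + 1 above `start` with both P and Q prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Group parameters: this example's own choice, derived at import (real systems use
# standard elliptic curves). G = 4 is a square mod P, so it generates the order-Q subgroup.
P, Q = safe_prime_above(1 << 62)
G = 4


def keygen(x=None):
    """Secret x never leaves the device; only y = G^x mod P is registered."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)


# --- Interactive zero-knowledge proof: the letterbox from the text, with numbers ---
def prover_commit(r=None):
    r = secrets.randbelow(Q) if r is None else r
    return r, pow(G, r, P)          # t = G^r is sent to the verifier

def prover_respond(x, r, c):
    return (r + c * x) % Q          # s is sent back; it reveals x only if r is ever reused

def verifier_check(y, t, c, s):
    # G^s == t * y^c  because  G^(r + c*x) == G^r * (G^x)^c
    if not (1 < y < P and 0 < t < P):
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(x, y):
    r, t = prover_commit()
    c = secrets.randbelow(Q)        # verifier's fresh random challenge
    return verifier_check(y, t, c, prover_respond(x, r, c))

def simulate_transcript(y):
    """A (t, c, s) that passes verifier_check without knowing x, built by choosing c and
    s first. Since anyone can fake a transcript, a genuine one leaks nothing about x."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P   # y^(Q-c) == y^(-c) because y has order Q
    return t, c, s


# --- Made non-interactive (challenge = hash), the proof becomes a signature: this is how
# a security key answers a login. The hash binds the service's random challenge to the
# origin the browser saw, so an answer given to a look-alike site is useless elsewhere.
def _challenge_hash(t, origin, challenge):
    data = t.to_bytes(16, "big") + origin.encode() + b"\x00" + challenge
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def key_sign(x, origin, challenge, r=None):
    r, t = prover_commit(r)
    return t, prover_respond(x, r, _challenge_hash(t, origin, challenge))

def service_verify(y, expected_origin, challenge, signature):
    t, s = signature
    return verifier_check(y, t, _challenge_hash(t, expected_origin, challenge), s)

def phishing_relay(x, real_challenge, fake_origin="https://accounts-examp1e.test"):
    """Attacker forwards the real challenge from a look-alike page (hypothetical domain).
    The key signs with the origin the browser actually shows, so the real service's
    check against its own origin fails."""
    return key_sign(x, fake_origin, real_challenge)
```

The last function is the whole point of the Google result quoted above: the key is only ever asked to sign what the browser reports, and the browser reports the real address of the page the user is on, so a signature obtained through a look-alike site never verifies at the genuine service. A one-time code typed by the user has no such binding, which is why it can be relayed.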

If you, or people at your business, are likely to be high-value phishing targets (attacks on such targets are called spear phishing, or whaling when the target is an executive), then using these devices should be standard.

If your PC or phone was stolen and it required the physical key, there would be no way for the thief to get into it without that key.

Losing the key would be a problem. The makers suggest you register a spare so you can quickly deactivate the lost or stolen one while keeping access, and also suggest attaching a smart tag so you can find it easily. In time, the security and tracking parts will be combined into one device.

It might not help if you needed the key to unlock the phone that finds the tag, but at least being locked out of your account will now be something you alone are responsible for, and not something done to you by those trying to access your accounts.


This article first appeared on 702 : Big tech is working on our issue with passwords - they plan to get rid of them




