Sunday, October 7, 2012

Today's Passwords Becoming too Accessible: A reason to up security, or to avoid posting even more private information?



"In June, LinkedIn announced that 6.4 million passwords were leaked after an alleged hack on its system.
In May, almost 59,000 Twitter usernames and passwords were posted online by a hacker…

Last month the usernames and passwords of members of the Institute of Electrical and Electronics Engineers (IEEE) were made available on its server for at least a month." (Connelly, 2012)

Given these incidents, three of many in which online security has failed, engineers and the general public alike are coming to see that a new form of the traditional “password” must be put into use. Biometric authentication has been researched because of its uniqueness. Implementing such a system certainly avoids the common problem of a “forgotten” password, a problem that in turn makes accounts even easier for hackers to break into.

In an NBC article, Why your next ‘Passw0rd’ might not be a Password, Bob Sullivan explains the dangers of the common “Forgot your password?” button. This option commonly puts the color of your first car and the name of your pet, both of which Sullivan describes as easily determined from Facebook, between your data and hackers.

Furthermore, even without resorting to the Forgot Password option, hackers can often simply guess passwords. Beyond the passwords exposed outright by the leaks described above, hackers can determine passwords because computer users commonly choose “easy” ones. A recent study of debit card PINs shows that 1 of every 10 users picks “1234”. Likewise, an analysis of the leaked LinkedIn passwords found that the most common phrase in them was “link”.

In that case, we can consider a far more unique sort of “password”, one that does not allow for a “Forgot Password?” button, at least not yet: biometric authentication. However, while biometric authentication does allow for stronger security, the idea is also very hard to sell to users. In a recent article, Theft of fingerprints easier than cutting off a finger, security experts warn, Claire Connelly argues that, given how easily passwords leak, as recently seen at LinkedIn and Twitter, we should by no means trust such companies with information far more important than “link1234” or “My dog’s name is Sammy”. She explains, “A password I can change in five minutes, but if there is a breach and someone does steal my biometric data, how do you get a new retina?”

And once a criminal does obtain someone's DNA information by hacking a biometric authentication program, which is inevitable, wouldn't it then become more difficult for authorities to distinguish between the real you and the criminal using your DNA? In fact, if the whole point of using such features is that they are so distinctly unique to us, how could an authority even make that determination?

6 comments:

  1. One alternative to biometrics that people are talking about is using something that you own. For instance, when I log in to my Google account, I have to open my phone and type in a number that's generated there; it's a one time password, so even if someone gets my regular Google password, they won't be able to log in as me.

    1. You bring up a really good alternative. An article released in 2011 from ItPro mentions the differences in two-factor authentication and biometric authentication. Although I do consider two-factor authentication to be a great idea, I agree with the author's point in that it still involves a physical device that can be lost or stolen. And since hacking is a criminal procedure, it isn't absurd to think that a hacker would consider stealing one's phone as long as it means gaining his/her personal data.

  2. I certainly think that passwords nowadays are so overlooked in terms of their security; but their ubiquity makes it hard for dramatic changes in security. Using biometrics such as fingerprints or even DNA can offer more security, but it probably would be hard to change all password systems to read biometric information. Perhaps implementing biometrics where they are needed more, such as ATM machines, could be more helpful for securing data where it really needs to be secure. I recently saw a video on the news for tech about a new password system that utilizes keystroke recognition in combination with your password. What this new password system does is not only read what you typed in, but read how you typed it in (for example, how long it took you to type it, where you "pause" when typing, and other factors). The system learns the way you commonly type in your password and creates a particular pattern that is combined with the password itself. Password and security technology, especially biometrics, is not a new field, but I think that it should be more widely used.

    1. The ubiquity of password-security may make biometric authentication laborious, but that never seemed to be a reason to avoid a possible solution. It is not one biometric authentication company's duty to go to each business and change security systems throughout all companies of the world. Rather, each company should individually see the need for this and seek their own solution (through many biometric authentication companies). To show the effectiveness of doing so, my next post describes a bank in Palestine and Jordan that changed its entire security system to iris scanning. I can't argue whether or not it was "easy" to implement the system, and I'll look more into those details, but it is apparent that the system was and still is successful.

  3. Well, Ariela, I believe you bring up a fundamental flaw in the design of the internet: that is the question of authentication.

    The password system is inherently inefficient once you try to scale. It worked when you only needed to remember the password to your hotmail account; but now when you have to remember everything from your facebook, to your email, to your fake email, and whatnot, you start to wonder where the utility of passwords is overtaken by their lack of convenience. For example, there is a software company called Last Pass which is literally an app that you log into with your master password, and input all your passwords for all the different things you do into Last Pass. So it is set up in such a way that from then on you only need to remember your master password, and Last Pass will input all your passwords in for the different websites. This allows you to use multiple passwords for different things, so if one gets compromised, all of them don't.

    And Last Pass is now massive, a blatant testament to the fact that the password systems need to be retooled completely. I would argue that your emphasis on the biometrics of passwords plays an integral role in the huge picture of how do I maintain a unique identity on the internet that only allows me to access certain things.

  4. Very interesting post. It raises the issue of the need to analyze the nature of the attack threats. It seems that a fingerprint is something that only you have, but of course the finger itself isn't sent to the server for authentication. Some pattern of bits is sent from the reader, and of course that pattern of bits is just as subject to interception (a piece of malware in your machine, or in the net) or theft (breaking into the authentication servers) as any other kind of password. So the seeming extra security has to be understood in terms of the larger system. Definitely thought provoking.
    --t
