High on the White House’s hit list: The series of letters, numbers and symbols you type in when you access everything from your bank account to your Netflix list.
"Kill the password dead as a primary security measure," urged Michael Daniel, the president’s cybersecurity coordinator, at the International Conference on Cyber Engagement, held last week at Georgetown University in Washington, D.C. As more and more devices connect to the Internet, we need to develop new ways of confirming our identities, he said.
Technologists wonder, though, whether using fingerprints, faces or devices to log in would help or hurt the cause of data security and privacy. Businesses, meanwhile, have mostly taken a pass on investments that would allow them to move beyond the password.
“I would love to kill the password dead, but I don’t know what we can replace it with that would be viable now,” said Lorrie Faith Cranor, director of Carnegie Mellon University's CyLab Usable Privacy and Security Laboratory, which has studied passwords (see sidebar).
Hackers send “phishing” emails or make phone calls to fool people into giving up their passwords, or use sophisticated software to flood systems with educated guesses.
According to last year's federal indictment of five members of China's People's Liberation Army, that country's cyberespionage Unit 61398 "stole the usernames and passwords for at least 7,000 employees" of Allegheny Technologies Inc., "allowing them to monitor activity on those systems and to steal ATI's information in the future."
“The beauty of the password hack is, it’s not elegant,” said David Kane, CEO of Ethical Intruder, a Central North Side company that helps clients find vulnerabilities to hackers. “But if I get the password of the CEO, people will never know that I hacked into the system.”
Though the five Chinese hackers have not been arrested, the indictment handed down by U.S. Attorney David Hickton was heralded at the conference as an important warning shot. It hasn’t, however, awakened every corporate IT department to the vulnerability of password-protected networks.
“Unfortunately, I think companies are probably pretty far behind in actually making that big switch” from passwords to more advanced network security, Mr. Kane said.
Technologists all over the world are floating apps that unlock your phone only when they see your face, fingerprint readers and retina scanners that connect to PCs, and wearable devices that automatically fill in your passwords but lock your computer when you step away. All have weaknesses.
“People are wary of the fingerprint. They’re wary of the eyeball scan,” said Mr. Kane. “It already has been proven with biometrics that if somebody can lift your fingerprint” they can enter your print-protected accounts.
There’s no guarantee that a fingerprint, once digitized, stored on a device and transmitted, can’t be snatched by a hacker, said Jeramie Scott, national security counsel for the Electronic Privacy Information Center.
“Unlike a password, once a biometric is compromised, it can’t be changed. That’s it,” said Mr. Scott. “We don’t want to trade off one privacy issue for another.”
He also worried about the potential for “mission creep.” If we all use our faces to unlock our phones, for instance, what’s to keep corporations or the government from using that database and the growing network of cameras to track our movements?
A more privacy-friendly solution, he said, might be a combination of passwords and electronic devices to unlock accounts.
Some security-sensitive companies have equipped employees with key fob-style tokens that generate constantly changing passwords that control access to networks. That technology suffered a severe setback in 2011, when hackers broke into the tokens marketed by RSA, the security division of Massachusetts-based EMC Corp., and then penetrated Lockheed Martin's supposedly ironclad network.
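The "password plus device" combination described above is, in practice, a password check paired with a one-time code that the token derives from a shared seed and the current time. The following is an added illustration written for this page, not code from the article, from RSA, or from any product it mentions. It implements the standard time-based one-time password scheme (RFC 6238, built on the RFC 4226 HMAC truncation) and requires both the password and a fresh code before a login succeeds. The user record, salt and password are constructed demo values; the token seed is the RFC 6238 reference seed, used here so the output can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real deployment provisions a unique seed per token.
DEMO_SALT = b"constructed-salt-0001"
DEMO_PASSWORD = b"correct horse battery staple"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", DEMO_PASSWORD, DEMO_SALT, 200_000)
DEMO_TOKEN_SEED = b"12345678901234567890"  # RFC 6238 reference seed (SHA-1 vectors)

users = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": DEMO_PASSWORD_HASH,
        "token_seed": DEMO_TOKEN_SEED,
        "last_counter": -1,  # highest time step already accepted; blocks code replay
    }
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(seed, int(at_time) // step, digits)


def match_totp(seed: bytes, submitted: str, at_time: int, last_counter: int,
               step: int = 30, digits: int = 6, window: int = 1):
    """Return the time step the code matched, or None.

    A small window tolerates clock drift between token and server, and any step
    at or below last_counter is rejected so a captured code cannot be reused.
    """
    now_counter = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(seed, counter, digits), submitted):
            return counter
    return None


def login(username: str, password: str, code: str, at_time: int) -> bool:
    """Accept only when the password AND a fresh one-time code both verify."""
    record = users.get(username)
    if record is None:
        # Still do the expensive hash so an unknown user is not distinguishable by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 200_000)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])
    matched = match_totp(record["token_seed"], code, at_time, record["last_counter"])
    if not (password_ok and matched is not None):
        return False
    record["last_counter"] = matched  # consume the time step
    return True


if __name__ == "__main__":
    t = 1_000_000
    print("code at t:", totp(DEMO_TOKEN_SEED, t))
    print("first login:", login("alice", DEMO_PASSWORD.decode(), totp(DEMO_TOKEN_SEED, t), t))
    print("replayed code:", login("alice", DEMO_PASSWORD.decode(), totp(DEMO_TOKEN_SEED, t), t))
```

The replay guard is what makes a stolen code far less useful than a stolen password: each time step is consumed once. It does nothing, however, against theft of the seed itself, which is the weakness the article's RSA episode points at, because anyone holding the seed can compute every future code.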
At the conference, experts agreed that as everything from your car to your pacemaker goes online, the need for something beyond the password becomes critical. "In some ways, the window for doing this is already starting to close,” said Mr. Daniel, of the White House.
Unfortunately, said Ms. Cranor, we’re not yet ready to put to bed the likes of babygirl123. “We don’t have a perfect solution right now,” to replace the password, she said, “or any solution that’s even close to a perfect solution.”
Rich Lord: rlord@post-gazette.com or 412-263-1542. Twitter @richelord
First Published: May 4, 2015, 7:37 p.m.