
Hacking Passwords


By Robert Nagle, Austin, April, 2002
Summary: This article discusses the security problems inherent in passwords, MS Passport and messenger clients.

Here's a New York Times article about passwords.

The task of maintaining passwords can be a real bear. Every mom and pop website seems to require a user name and password. Ever since I forgot a root password 6 months ago (requiring me to reinstall the OS), I vowed more diligence about the matter. I kept a notebook of passwords (something that probably is not a good idea), and added to it periodically only to find that I was adding nearly a hundred passwords. The problem is that not only do you need to remember passwords, you also need to remember the user name you used as well as the email address. (When you forget passwords, they often ask you to submit an email address). I also send secure emails to myself using hushmail with the actual passwords.

I am pretty good at making strong passwords, although I have only recently started using punctuation in them. The article above mentions that people who use symbols typically use only @, & and $, and shockingly that is true for me as well. I use a standard password for all my newsgroups and bulletin boards, another one for transactions, another for root accounts and an absolutely uncrackable one for my hardware router. One of my secrets is incorporating strange phrases of Albanian origin; surely no password cracker has dictionaries for that yet.

I am most frightened by the non-secure login screen for my Yahoo accounts. I can log in to email securely, but Yahoo Messenger does not have secure login. It seems that a person might be able to intercept a Yahoo Messenger login and then use it to access my free email accounts through non-secure login. (Note written a month later: Well, Yahoo has secure login after all. They also have a free service, ZixMail, for encrypting the messages as well as the login. The question then becomes whether people can remember to use these features.)

Why is this important? By accessing my web-based email, crackers gain the ability to change passwords to other accounts and to learn about other accounts a user may have. Because ecommerce companies send new passwords or password hints to your email, a person with access to an insecure email account gains the ability to change ecommerce passwords and even to make purchases. This is a big gaping security hole in ecommerce. The only solution (as I see it) is for ecommerce companies to require the customer to rekey the credit card number for each purchase. Ecommerce companies have resisted doing that, but as more people use free web-based accounts, the dangers of insecure email accounts should force such a change.

What is the solution for the end user? First, you should separate the accounts you use for ecommerce from those you use for personal purposes (be they email, chat or whatever). Be attentive to when your login session expires. Is it after 5 minutes or 8 hours? Obviously, when you log in at a computer that is publicly accessible, you should make sure that a sensitive account is not left logged in, or that the computer locks after a fairly short interval. These are fairly obvious suggestions, but breaches frequently occur when the user fails to do something he knows to be necessary.

Unless a better authentication system arrives (and it's quite possible that MS's Passport is that system), web authentication will become increasingly unmanageable, both from the consumer end and the business end.

Although Passport is being built with the most sophisticated cryptographic techniques, there are flaws associated with any global authentication system. First, the potential harm is enormous. If an account is compromised, it jeopardizes the totality of an individual's personal information, even identifying biographical information like a social security number. Second, the SSL certificate system requires vigilance on the part of web surfers. Sure, maybe the browser can catch a bad certificate, but won't the user just click OK and go on? Third, a centralized sign-on screen has inherent risks. Either authentication needs to require revalidation with every transaction (thus multiplying the risk), or it will allow unfettered access after an initial login (thus increasing the potential harm that an evildoer can do without being caught).

One solution might be authentication using a zero-knowledge protocol (ZKP), a system in which client and server need not exchange sensitive information. With ZKP, the prover never reveals the secret itself. The prover demonstrates the ability to solve a puzzle or problem without having to reveal the nature of the problem or its solution. Sounds great, but ZKP hasn't been used very much, so it is still an untried method.
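The prover-and-verifier exchange described above, as an added example that is not part of the original article: a Schnorr identification protocol in Python. The group parameters p=23, q=11, g=4 are constructed toy values (real deployments use 2048-bit primes or elliptic curves), and the `rng` parameter exists only so the exchange can be run deterministically. The prover holds a secret x and publishes y = g^x; it convinces the verifier that it knows x without ever sending x. The `simulate_transcript` function shows why the exchange leaks nothing: anyone can forge an accepting (t, c, s) triple without knowing x, so a recorded transcript is worthless to an eavesdropper. A prover using the wrong secret fails unless the verifier happens to pick challenge 0, which has probability 1/q.

```python
import secrets

# Toy group parameters (constructed for illustration; far too small for real use).
# P is prime, Q is a prime dividing P-1, and G generates the order-Q subgroup of Z_P*.
P = 23
Q = 11
G = 4


def keygen(rng=secrets.randbelow):
    """Secret x in [1, Q-1] and public key y = G^x mod P."""
    x = 1 + rng(Q - 1)
    y = pow(G, x, P)
    return x, y


class Prover:
    """Holds the secret x; never transmits it."""

    def __init__(self, x, rng=secrets.randbelow):
        self.x = x
        self.rng = rng
        self.r = None

    def commit(self):
        # Fresh random nonce r for every run; t = G^r is the commitment.
        self.r = 1 + self.rng(Q - 1)
        return pow(G, self.r, P)

    def respond(self, c):
        # s = r + c*x mod Q binds the response to the verifier's challenge.
        return (self.r + c * self.x) % Q


class Verifier:
    """Knows only the public key y."""

    def __init__(self, y, rng=secrets.randbelow):
        self.y = y
        self.rng = rng
        self.t = None
        self.c = None

    def challenge(self, t):
        self.t = t
        self.c = self.rng(Q)          # challenge in [0, Q-1]
        return self.c

    def check(self, s):
        # Accept iff G^s == t * y^c (mod P), which holds exactly when s = r + c*x.
        return pow(G, s, P) == (self.t * pow(self.y, self.c, P)) % P


def run_protocol(x, y, rng=secrets.randbelow):
    """Three-message exchange: commitment t, challenge c, response s."""
    prover = Prover(x, rng)
    verifier = Verifier(y, rng)
    t = prover.commit()          # prover  -> verifier: t
    c = verifier.challenge(t)    # verifier -> prover : c
    s = prover.respond(c)        # prover  -> verifier: s
    return verifier.check(s)


def simulate_transcript(y, rng=secrets.randbelow):
    """Forge an accepting (t, c, s) using only the public key.

    Pick c and s first, then solve for t = G^s * y^(-c). This is the
    zero-knowledge simulator: since transcripts can be produced without x,
    observing real ones teaches an eavesdropper nothing about x.
    """
    c = rng(Q)
    s = rng(Q)
    y_c_inv = pow(pow(y, c, P), -1, P)   # modular inverse (Python 3.8+)
    t = (pow(G, s, P) * y_c_inv) % P
    return t, c, s


def verify_transcript(y, t, c, s):
    """Same acceptance test as Verifier.check, on a recorded transcript."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", run_protocol(x, y))
    print("impostor accepted:", run_protocol((x + 1) % Q or 1, y))
    t, c, s = simulate_transcript(y)
    print("forged transcript verifies:", verify_transcript(y, t, c, s))
```

Run as a script, the honest prover is always accepted, the impostor is rejected except with probability 1/Q per run, and the forged transcript always verifies. The nonce r must be fresh for every run; reusing it across two challenges would let the verifier solve for x, which is why the prover draws it inside `commit` rather than storing it with the key.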

Interestingly, XML has emerged as a way of defining security authentication procedures and exchanging security keys. The XML dialect SAML (Security Assertion Markup Language) allows web services to authenticate according to an open standard, rather than a closed standard like Passport. That might be better in the long run; it might mean more eyeballs scrutinizing the web service architecture, and it also might mean a greater diversity of third-party vendors able to provide authentication.

Robert Nagle is an available technical writer and trainer living in Austin, Texas. He has also taught at business colleges overseas and worked in consulting.