Earlier this year, we wrote about Wired reporter Mat Honan, who got hacked in dramatic fashion. Using security loopholes in Amazon, Apple, Google and Twitter, a 19-year-old hacker was able to gather enough information to remotely wipe Mat Honan’s iPhone, iPad and MacBook clean – including his only pictures of his baby’s first year of life.
His story about the incident alarmed individual computer users everywhere and sparked important policy changes. And in a recent cover story for Wired, Honan details a different attack launched by hackers against New York Times technology columnist David Pogue, in which they reset his password by breaching his “security questions.” To reset a login, users supply answers that only they should know. But as Honan describes, Pogue had picked answers to his questions – “What is your favorite model of car?” and “What was your first car?” – that he had written about in articles. For the third question, “Where were you on January 1, 2000?”, David Pogue, “like the rest of the world, was at a ‘party.’” And with that, hackers locked him out of his iMac.
But the problem now, Honan says, is that while years of online experience have trained us to believe that strengthening passwords is the answer, now, “No matter how complex, no matter how unique, your passwords can no longer protect you.”
“In the age of the algorithm,” he writes, cracking a long password with brute force computation takes just a few million extra cycles. “That’s not even counting the new techniques that simply steal our passwords or bypass them entirely.” The techniques: guessing, lifting from a password dump, forcing it open, stealing with a keylogger or resetting by conning a company’s customer support department.
The problem with one recent New York Times story – “How to Devise Passwords That Drive Hackers Away” – Honan writes, is that it “tries to prop up the unsustainable heart of our moldering security system” by putting the onus for security on the customer. The only solution, he maintains, “is to kill the password entirely.”
According to Honan, new security measures should take Google’s two-factor authentication and push it further. Each vital account will need to cue many pieces of information, he says. It may include passwords, but could also include biometrics and a host of other steps. Until then, he says, individual users should insist that, in fact, the responsibility for security lies with the important services they use.
Until there are better ways of protecting your online life, though, you can at least make it a bit tougher for the hackers by not doing the following: reusing passwords, using a dictionary word as a password, using standard number substitutions (these are built in to cracking tools now), or using a short password. And by all means, he advises, enable two-factor identification, don’t answer security questions honestly, and use a unique, secure email for password recoveries.
What’s the next step in online security? Do you believe that passwords are becoming a thing of the past? Share your thoughts.