Alerts are raised about passwords used for protecting online accounts. However, we know that problems are sometime brought to the scene and overrated by those having a solution to sell. Is this the case here, or is it legitimate? In this post, I discuss what’s wrong with passwords.

There’s barely a week where we don’t read about someone’s online accounts being hacked, or a breach at a major website, credit card processor, or company, where user passwords leak. Unlike when a jewelry is robbed, it is usually unclear how such attacks are possible, and what the benefits are for those perpetrating them, but the fact that they hit well-known businesses or persons is enough to bring them to the headlines.

Gangsters don’t target empty wagons

Exceptions exist, everyone hacking a website is not a gangster. A researcher recently impersonated Larry in an email to Sergei (and vice versa) to bring to his attention the use of  too short encryption keys in gmail. Another one posted a comment on Mark’s wall to report a bug with Facebook. Apple TouchID biometric sensor was “hacked” within a week of iPhone 5S release by a hacker who proudly explained his technique (though not to Tim directly). Companies like Microsoft and Google frequently organize challenges where they pay hackers to report vulnerabilities in software. Today, hacking a system allows to show how smart you are, or how much you care for everyone’s safety. If you’re not a gangster.

However, most attacks are not mere games. If we leave aside cyberwar that’s not our topic, attacks are performed in the search for money. Real money? Well, yes. Gangsters look for high benefits and low risks, both if possible. Online seems a good place for this, because transfers and payments are made online nowadays, and because unlike in the real world, you don’t need to break a safe or to put your life in danger or even to go somewhere, you only need to impersonate someone having money – an individual, a business.

How do you impersonate someone in a financial transaction? By getting access to his online accounts and/or to his credit card information. How do you get such access? By stealing passwords and/or by installing malwares on computers or smartphones, therefore accessing other online accounts or systems where such information is stored, etc. In one or several steps. No wagon is really empty for online gangsters. Besides, you no longer need to do all this yourself, you can buy it … online, of course!

What’s wrong with passwords?

Unlike the key of a safe, which is unique and which you hold in a secret place, your passwords are disseminated and stored in many places. In emails on your smartphone, in your mail client, with your online accounts in the service providers systems. How safe are these places? Well, technically, none of them is completely secure, the question is how much effort is needed for a hacker.

As for the information stored on your devices, it’s actually like your car or your house, you’re safe until someone pays attention and decides to break into them. Passwords stored with online accounts, however, are much more desirable, because they are numerous. Large service providers hold millions of user passwords and their systems get hacked either because there is a direct benefit, or because it gives access to other systems, step by step.

You would think that these systems are protected. Yes they are. But protections are bypassed every day thanks to software vulnerabilities such as zero-day exploits and advanced persistent threats, resulting in passwords being stolen or exposed. No website can afford hardware-based protection of passwords by the way. You would think that these passwords are encrypted or hashed or salted. Yes they are, but encryption keys and salts are exposed too. And precomputed tables such as rainbow tables exist that completely bypass protection for unsalted simple passwords.

So where or when is the limit?

If you use the same passwords in different websites, that one of these sites has not implemented a state-of-the-art password protection – and you can assume that most of them have not -, and that one of the websites gives a way to impersonate you – be it by posting on a social network, by writing an email, or by requesting a transaction -, then, well, you have already crossed the border beyond where you are at risk.

As I gave up maintaining a password list more than 15 years ago, I most certainly crossed this border, as you probably did. I stick to basic rules – never open an executable attachment, never click on a link in an email to an unverified domain whatever the originating email address, avoid visiting grey sites, never talk to a stranger…

So far so good, but I am, we are, increasingly relying on online in every areas of our life. And beyond the fact that they don’t seriously protect my digital life, passwords drive me crazy.

Online authentication needs to be fixed for good.