Saturday, November 26, 2022

Password Security

Bruce Schneier says that security is both a feeling and a reality.

He has also taken apart the old line that if you have nothing to hide, then you have nothing to fear; privacy is worth protecting even when you are doing nothing wrong.

I've been thinking a lot lately about all the stuff that I have online, and what would happen if it got lost. Back in the old days, when you opened a bank account, they gave you a little banking book, and you had an account number, which, incidentally, everyone knew. But nobody could take your money out of your account since you had to physically go to the bank, with your bank book, and access your account.

And even when ATMs started getting popular, you had to show up at the ATM, with your ATM card, and key in your four-digit PIN, which only you (and possibly your spouse and kids) knew.

Now everything's online. Banks, emails, shopping, contracts, rental agreements, calendars, schedules, medical records, vehicle licenses, identification documents, social security data, divorce and separation agreements, court decisions and so on. Some of this stuff is personal and private and nobody other than yourself should have access to it. Other stuff is public and everyone's reading it.

IN THE BEGINNING

There were few accounts, and possibly one password. That password was used to get to your email and your social media account. It was the same password.

Incidentally, the same password used to login to your computer at work.

Then banks started doing all their transactions online, and you used your same email password for your bank account. This was before the time when the username was your email address. Back then, your username was a cryptic bank number.

And slowly, as some government services (such as the tax department or driver's licences) started to come online, someone told you not to use the same password. So you put 123 at the end of it, and that was different enough.

What was the worst that could have happened? Well, someone could have broken into your email and read all your correspondence, illicit or otherwise. This could have been embarrassing and you may have lost a few friends in the process, but the financial risk (which is how we usually price risk) would have been minimal in most cases. The banking breach would have been different. The thief would have stolen all your hard-earned money, so that needed to be protected with much more care.

EIGHT CHARACTERS, UPPER, LOWER WITH NUMBERS

We have come a long way and we've been taught about password complexity. Our IT departments keep telling us that we need complex passwords that are hard to crack but memorable. And so something like Pa$$w3rd5 is acceptable, and if we imagine that the $ is an S, the 3 is an E and the 5 also looks like an S, we can remember it as Passwords with a few modifications. The trouble is that cracking tools know those same tricks: they take a dictionary word and apply leet-speak swaps, capitalisation and appended digits as rules, so Pa$$w3rd5 is only a rule or two away from a word in every wordlist.

But even that's not enough. There was a study some time ago that showed an eight-character password could be cracked in less than a day by a diligent attacker. That assumes the attacker has a copy of the password hashes and can guess offline at GPU speed; guessing against a live login page, which is rate-limited, is far slower, but breaches that leak hashes are common enough that offline guessing is the case to plan for. So the length of the password is important. A mix of different symbols makes it harder to crack, but eight characters is still not enough.

So we were told to move up to eleven characters, and that is better.

To make matters worse, websites began to demand complexity in the passwords you chose. Some institutions (namely the banks) started insisting that you change your password every thirty or so days. And once again, we were back to square one - take the same old password and append a number to the end of it. This month, it's Super.$3cret1, next month it's Super.$3cret2, then Super.$3cret3. And even if you forget it while you're online, you can just keep rotating the numbers till you get it right. Most people didn't even bother, they wrote it nicely on a post-it note and stuck it behind the monitor. Some of the more conscientious of us put that piece of paper in our wallets. Like that would help.

PASSPHRASES

And then someone figured out that the real issue in getting real strength was the length of the password. The longer the password, the harder, much, much harder, it is to crack. So now we have passphrases like iamthegodofmykingdom, with the caveat that the words should be picked at random rather than being a line everyone knows. Add spaces and it's way easier to type.
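To put numbers on the three points above (leet substitutions are cheap for an attacker, eight characters is too short, and length wins), here is an added Python example. It is my own illustration, not code from the original post. It assumes an offline guess rate of 10^10 per second against a fast hash, a 100,000-word dictionary, and a 7,776-word diceware-sized list; the `mangle()` rule set is a toy stand-in for the rule engines in hashcat or John the Ripper.

```python
import itertools
import math
import secrets

# Assumed offline guess rate against a fast, unsalted hash (MD5, NTLM) on one
# modern GPU: on the order of 10^10 per second. Constructed figure, not measured here.
GUESSES_PER_SECOND = 10 ** 10

# The substitutions people reach for when told to add digits and symbols.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def mangle(word):
    """Candidates a rule-based cracker derives from one dictionary word.

    Toy version of the rule engines in hashcat or John the Ripper: every subset
    of leet substitutions, three capitalisation forms, and an optional appended
    digit. 'Super.$3cret3' is in mangle('super.secret'); so is 'Pa$$w0rd' in
    mangle('password').
    """
    swappable = [i for i, ch in enumerate(word) if ch in LEET]
    candidates = set()
    for n in range(len(swappable) + 1):
        for positions in itertools.combinations(swappable, n):
            chars = list(word)
            for i in positions:
                chars[i] = LEET[chars[i]]
            base = "".join(chars)
            for form in (base, base.capitalize(), base.upper()):
                for suffix in [""] + [str(d) for d in range(10)]:
                    candidates.add(form + suffix)
    return candidates


def bits_random(length, alphabet_size):
    """Search space, in bits, of `length` characters chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def bits_passphrase(word_count, wordlist_size):
    """Search space of `word_count` words drawn uniformly at random from a wordlist.

    Only holds for random draws. A sentence you would actually say, such as
    'i am the god of my kingdom', is far more constrained than seven random
    words, because grammar and common phrasing narrow the choices.
    """
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try the whole space at `rate` guesses per second."""
    return 2 ** bits / rate


def compare_policies():
    """Bits and worst-case seconds for the policies this post walks through."""
    rules_per_word = len(mangle("super.secret"))
    policies = {
        "8 chars, upper+lower+digits, random": bits_random(8, 62),
        "8 chars, 95 printable, random": bits_random(8, 95),
        "11 chars, 95 printable, random": bits_random(11, 95),
        # a 100,000-word dictionary with every rule in mangle() applied to each word
        "dictionary word + mangling rules": math.log2(100_000 * rules_per_word),
        # words drawn from a 7,776-word (diceware-sized) list, lowercase, spaces allowed
        "4 random words": bits_passphrase(4, 7_776),
        "6 random words": bits_passphrase(6, 7_776),
    }
    return {name: (round(b, 1), round(seconds_to_exhaust(b))) for name, b in policies.items()}


def generate_passphrase(wordlist, count=6, sep=" "):
    """Draw `count` words with the CSPRNG; spaces between words cost nothing and are easier to type."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    for name, (bits, seconds) in compare_policies().items():
        print(f"{name:40s} {bits:6.1f} bits  {seconds / 86400:14.1f} days")
    # constructed mini wordlist; use a real diceware list in practice
    print(generate_passphrase(["correct", "horse", "battery", "staple", "kingdom", "nairobi"]))
```

The table it prints is the argument of this section in numbers: a mangled dictionary word sits in a space of well under 30 bits, a random eight-character alphanumeric password falls in hours, and six random words beat eleven random printable characters while being the easiest of the lot to remember.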

Still we are plagued with the fact that nearly every service we need is online. Even if we don't care about the content of our social media, we care that nobody else masquerades as us. And so we need different passphrases for each of the hundred accounts we have online. It's super important to do this because we don't know how the websites are storing our passwords, and a site that stores them badly hands over the password for every other site where you reused it.

These days, when you click the "forgot password" link on a website, they send a link to your email address where you can set a new one. That was not always the case. In the past, they'd actually email you your password, which means they stored it in a form they could read back (plaintext, or encrypted with a key sitting right next to it) rather than as a one-way hash. Some sites still do this today. So if you've been using your banking password on those sites, perhaps it's time to head over there and change it.
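The difference between a site that can email you your password and one that can only offer a reset is the difference between storing the password and storing a verifier. Here is an added Python example of my own (not code from the original post or from any real site) showing the two side by side. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt and 600,000 iterations, and the reset URL and store classes are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 parameters. 600,000 iterations is the OWASP (2023) minimum
# for this construction; the stored record carries its own count so it can be raised later.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record uses fewer iterations than current policy; upgrade it on next login."""
    return int(record.split("$")[1]) < iterations


# Used to burn the same amount of work for unknown usernames, so response time
# does not reveal which accounts exist.
DUMMY_RECORD = hash_password("not-a-real-password")


class PlaintextStore:
    """The anti-pattern this post warns about: the site can read your password back (constructed)."""

    def __init__(self):
        self._passwords = {}

    def register(self, user, password):
        self._passwords[user] = password

    def forgot_password_email_body(self, user):
        # Anyone who reads this mail, or the database, has the password.
        return f"Your password is: {self._passwords[user]}"


class HashedStore:
    """Only a verifier is stored; 'forgot password' can only offer a reset (constructed)."""

    def __init__(self):
        self._records = {}

    def register(self, user, password):
        self._records[user] = hash_password(password)

    def login(self, user, password):
        record = self._records.get(user)
        if record is None:
            verify_password(password, DUMMY_RECORD)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record):
            self._records[user] = hash_password(password)   # transparent upgrade
        return ok

    def forgot_password_email_body(self, user):
        # A one-time token; real code stores its hash with an expiry and invalidates it on use.
        token = secrets.token_urlsafe(32)
        return f"Reset your password here: https://example.invalid/reset?token={token}"
```

The point a practitioner checks for: `HashedStore` physically cannot produce the first email body, because the password is not in its database. If a site can, its database holds your password, and so does anyone who copies that database.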

MULTIFACTOR

And we're on the next phase of passwords, or no passwords. This is the first real attempt at becoming serious about security. Not allowing people to think of their own ways to access their accounts, but insisting that they continually prove that they are who they say they are.

That's what 2FA (two-factor authentication) is really trying to address. We think we know who you are, but can you please send back the code we just sent to the phone number we know is yours, the phone we also know you wouldn't even hand to your spouse. It's not that we think you'd never give your password to your kids so they can transfer their own pocket money from your bank; it's that we don't trust your kids not to (accidentally) give it to someone else. And that could get you into trouble.

All we're trying to do is protect you from yourself. So, again, tell me what that code is that I sent to your phone, and, oh, by the way, I also need another code that I've emailed to you.

Some websites have done away with the password completely. As long as you can validate yourself with your phone or your email address, they'll send a one-time code to one of those instead. In a way it's better: someone would need access to your email or your phone number to get into your accounts. But it also makes those two things the master keys to everything else, and a phone number can be taken over with a SIM swap at the carrier.

So you'd better make sure your email password is really tough, that the email account itself has a second factor turned on, and that the unlock PIN on your phone is also good.
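The "send me the code I just sent you" exchange is simple to describe and easy to get subtly wrong: the code must be random, short-lived, single-use, and guess-limited (a six-digit code has only a million values). Here is an added Python example of my own, not any site's real implementation, of the server side of that exchange. It assumes a six-digit code, a five-minute lifetime, five attempts, and an `outbox` list standing in for the SMS or email gateway; the clock is injectable so expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # five minutes, then the code is dead whether used or not
MAX_ATTEMPTS = 5         # a million-value space must not be guessable online


class OneTimeCodeService:
    """Issue and verify the 'we sent a code to your phone/email' factor (constructed example).

    The server keeps only an HMAC of the code under a server-side key, so a
    leaked table of pending codes is useless without the key. `outbox` records
    what a real deployment would hand to the SMS or email gateway.
    """

    def __init__(self, clock=time.time, secret_key=None):
        self._clock = clock
        self._key = secret_key or secrets.token_bytes(32)
        self._pending = {}   # user -> (code_hmac, expires_at, attempts_left)
        self.outbox = []     # (destination, message) stand-in for the SMS/email gateway

    def _tag(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user, destination):
        """Generate a fresh code with the CSPRNG and 'send' it; any older code for the user is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (self._tag(user, code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        # The plaintext code goes only to the delivery channel; never log it.
        self.outbox.append((destination, f"Your login code is {code}"))

    def verify(self, user, submitted):
        """True exactly once for the live code; expiry and attempt limits void it."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_tag, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        if hmac.compare_digest(code_tag, self._tag(user, str(submitted))):
            del self._pending[user]          # single use
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self._pending[user]          # too many wrong guesses: force a new code
        else:
            self._pending[user] = (code_tag, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    # Both sides of the exchange, with a constructed phone number.
    svc = OneTimeCodeService()
    svc.issue("alice", "+254700000000")
    destination, message = svc.outbox[-1]
    print(f"server -> {destination}: {message}")
    code = message.rsplit(" ", 1)[1]
    print("client -> server:", code, "accepted:", svc.verify("alice", code))
    print("client -> server:", code, "accepted again:", svc.verify("alice", code))
```

Two things to notice against the prose above: the code's protection comes entirely from the channel it travels over (whoever controls the inbox or the SIM controls the account), and without the attempt cap the HMAC and the expiry would not save a six-digit code from a scripted guess.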

BIOMETRIC

The granddaddy of all super secure methods, if our security providers can get it working correctly. Apple seems to be doing a good job. It's no longer enough to send you a code (because we all know that Apple product owners are touchy-feely types who lend their gadgets to their kids and friends); now we need to see you, or touch you.

And that's where Face ID and Touch ID come in. I think this is the last frontier in identity management. As long as the cameras and fingerprint sensors can't be fooled, we have a shot at making something that really works. The catch is that a face or a fingerprint is an identifier, not a secret: you leave copies of it everywhere and you cannot change it if one leaks, which is why the sensible designs (Apple's included) keep the template on the device and use it only to unlock a key held there, rather than sending it to a server. In Kenya, where I live, this may be a tough sell, since the government has copies upon copies of its citizens' fingerprints and retina scans. And I suspect they keep this stuff on a thumb drive, on a keyring that the employees regularly pass among each other and dump the data to personal folders on OneDrive.

And so we're back to Bruce Schneier who I think is a genius in his field. When asked by a reporter how to prevent a disaster like 9/11, replied that it was simple. Ground all the aircraft. Clearly it was not an option, but as long as we have people, we'll need a careful balance between being secure and having access.

SUMMARY

I remember, in my days as a manager for a technical team, and the various discussions around users and accounts. It wasn't only about accessing accounts, but also securing services. And that's where the problems lie. Because, honestly, security is a process, and a system. There's no such thing as a secure system, only one that hasn't yet been breached. And a continual evaluation, and re-evaluation, of services is the only way to mitigate, check and respond to threats.

Oh, and by the way, if you are a systems administrator for any service you provide, to internal clients or whomever, please, I beg you, stop this nonsense of forcing periodic password resets. If you know people, you'll know you just made things worse. NIST's current guidance (SP 800-63B) says the same: don't require scheduled changes, require a change when there is evidence the password has been compromised.
