The Problem with Passwords
Password cloth from Professor Lorrie Faith Cranor CMU


Introduction

Today the proliferation of passwords has become a problem in its own right. Passwords are the first line of defense for protecting data, yet many people see them as the bane of their existence. Every online action of significance seems to require a new account, which means a new email address and password pair for each one. It doesn’t matter whether you want to view content, join a mailing list or browse for real estate; you still need a new password.

If we follow best practices, making every password unique and complex, we are liable to forget them, and at the worst possible moment. If we skirt the rules and make passwords simple and reusable, we aid attackers and put our money, data and identity at risk. Individuals are not solely to blame for the growing number of breaches, hacked systems and identity thefts. Organizations looking to get to market sooner, reduce support costs and lower abandonment rates take shortcuts with their password practices. In 2014 alone, these shortcuts contributed to over one billion records being exposed in breaches, millions of accounts being compromised and tens of thousands of Internet-connected devices being hacked.

When left to their own devices, organizations take the path of least resistance or highest revenue when it comes to investing in privacy and security. (50 percent of [] organizations were found to devote no budget at all to mobile security.) Since individuals bear the consequences of these myopic decisions, we should voice our opinions more strongly about the need for comprehensive privacy legislation or enforceable self-regulatory principles that mitigate the risk to individuals while letting innovation flourish.

The Impact of Bad Password Practices on Personal Data

Among the record number of breaches in 2014, something as simple as a password was often the facilitator. According to a 2012 Verizon study, 90% of data breaches start with weak or stolen passwords. Organizations and individuals share the blame for bad password practices, and both need to do more to mitigate the risks of password mismanagement.

The Sony Data Breach

During the Sony data breach, thousands of passwords for files, computer systems and services were stolen. They were stored in a directory labeled “Password”, and neither the directory nor the files in it were encrypted, showing that access control alone is not enough to protect sensitive data. Disk encryption alone would not have been sufficient either: it protects a disk that is powered off or removed, but on a running system the volume is already unlocked, so anyone who compromises a logged-in session reads the files in the clear. Secrets like these need file-level encryption (or a password vault) whose keys are held separately from the data. What started as the compromise of one system led to many systems and services being compromised.

The LinkedIn Password Theft

In 2012 LinkedIn lost over 6 million password hashes to Russian hackers. The passwords were stored as unsalted SHA-1 hashes. Hashing is far better than the clear-text storage some companies still practice, which offers no protection at all, but an unsalted, fast hash is only marginally better when so many people choose simple passwords: every user with the same password has the same hash, one SHA-1 computation per dictionary word tests every account in the dump at once, and precomputed tables of common passwords make the lookup instant. A unique random salt per user and a deliberately slow function (bcrypt, scrypt or PBKDF2) force the attacker to repeat that work separately for every account. The CrackStation site explains how simple hashing is circumvented and provides code for implementing salted password hashing.
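To make concrete why unsalted SHA-1 was so weak, here is an added example (not code from the article, from LinkedIn or from CrackStation) that runs the same small dictionary attack twice: once against a constructed table of unsalted SHA-1 hashes, and once against the same passwords stored with a per-user random salt and PBKDF2. The user table, the wordlist and the iteration count are assumptions made for the demo.

```python
"""Why unsalted SHA-1 fails, and what salting plus a slow hash changes.

Added example; not code from the article, LinkedIn or CrackStation.  The
"leaked" user table and the attacker's wordlist are constructed for the demo.
"""
import hashlib
import hmac
import os

# Constructed sample data: six users, three of whom chose "123456".
PLAINTEXTS = {
    "alice": "123456",
    "bob": "password",
    "carol": "123456",
    "dave": "linkedin",
    "erin": "123456",
    "frank": "correct horse battery staple",
}

# What a LinkedIn-style dump looks like: hex SHA-1 of the bare password.
LEAKED_UNSALTED = {
    user: hashlib.sha1(pw.encode()).hexdigest() for user, pw in PLAINTEXTS.items()
}

# Constructed attacker wordlist; a real one has millions of entries.
WORDLIST = ["123456", "password", "12345678", "qwerty", "linkedin"]

# Assumption: PBKDF2 work factor.  Tune it so one verification costs roughly
# 100 ms on the login servers; 100k keeps this demo quick.
ITERATIONS = 100_000


def crack_unsalted(leaked, wordlist):
    """Dictionary attack on unsalted hashes.

    Identical passwords produce identical hashes, so the attacker builds a
    reverse index once and hashes each guess exactly once: the cost is
    len(wordlist) SHA-1 calls no matter how many users are in the dump.
    Returns (cracked {user: password}, number of hashes computed).
    """
    users_by_hash = {}
    for user, digest in leaked.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for guess in wordlist:
        digest = hashlib.sha1(guess.encode()).hexdigest()
        for user in users_by_hash.get(digest, []):
            cracked[user] = guess
    return cracked, len(wordlist)


def hash_password(password, salt=None):
    """Salted, slow hash in a self-describing record: algo$iters$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)  # fresh salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_salted_db(plaintexts=PLAINTEXTS):
    """The same user table stored properly."""
    return {user: hash_password(pw) for user, pw in plaintexts.items()}


def crack_salted(stored_db, wordlist):
    """The same dictionary attack against salted, slow hashes.

    The salt differs per user, so neither a reverse index nor a precomputed
    table helps: every (user, guess) pair costs a full PBKDF2 run.
    Returns (cracked, number of PBKDF2 derivations performed).
    """
    cracked, work = {}, 0
    for user, stored in stored_db.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, stored):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    hits, cost = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted SHA-1: {len(hits)} of {len(PLAINTEXTS)} cracked with {cost} hashes")
    hits, cost = crack_salted(build_salted_db(), WORDLIST)
    print(f"salted PBKDF2:  {len(hits)} cracked, but it took {cost} derivations "
          f"of {ITERATIONS} iterations each")
```

Note what the second run shows: salting and a slow hash do not rescue “123456”; the same five weak passwords fall. What changes is the cost, from five cheap hashes for the whole dump to one expensive derivation per user per guess, and the loss of the shortcut that three users sharing one hash visibly share one password. That is why storage hygiene and a ban on the most common passwords go together.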

The Internet Camera Hack

In 2014 the streams of 73,000 Internet cameras across the globe, mounted in homes and businesses, were collected and hosted on the website Insecam.com. The cameras were located with the ShodanHQ.com search engine, which indexes Internet-connected devices by the banners they expose, and they were accessible because they used well-known default passwords and did not force a change during setup. The same kind of search turns up routers, VOIP phones, industrial controllers and even power plants that can be logged into if their default credentials were never changed. Be sure you have changed your device’s password.

The Apple iCloud Hack

The hack of the Apple iCloud service, which exposed private photos of Jennifer Lawrence and other celebrities, was facilitated by the lack of a strong password policy and of any limit on bad password attempts, which let an attacker keep guessing. Apple has since addressed the issue. Limiting bad password attempts is a no-brainer, but enforcing a strong password policy is something that most services other than banks have ignored for a long time. Many people feel that their content is just as important as their money and deserves identical protection.
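As an added example of the missing control, and not Apple’s code, here is a login throttle that backs off exponentially per account and caps failures per client address. The thresholds are assumptions to tune per service, and the fake clock exists only so the behaviour can be exercised without waiting.

```python
"""Throttling bad password attempts: the control the iCloud service lacked.

Added example; not Apple's code.  Thresholds are assumptions to tune per
service; the clock is injectable so the logic can be checked deterministically.
"""
from collections import defaultdict
import time


class LoginThrottle:
    """Exponential backoff per account, plus a hard cap per client address.

    Per account: the first `free_attempts` failures cost nothing; each further
    failure doubles the wait before the next attempt is accepted, up to
    `max_delay` seconds.  A successful login resets the account.
    Per client: `ip_limit` failures within `ip_window` seconds, against any
    accounts, refuse that client outright.  This catches password spraying,
    where one machine tries one common password against many usernames and
    never trips a per-account counter.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 ip_limit=20, ip_window=3600.0, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.clock = clock
        self.failures = defaultdict(int)          # account -> consecutive failures
        self.locked_until = defaultdict(float)    # account -> deadline on the clock
        self.client_failures = defaultdict(list)  # client ip -> failure timestamps

    def check(self, account, client_ip):
        """Call before verifying the password.  Returns (allowed, reason)."""
        now = self.clock()
        recent = [t for t in self.client_failures[client_ip] if now - t < self.ip_window]
        self.client_failures[client_ip] = recent  # drop failures outside the window
        if len(recent) >= self.ip_limit:
            return False, "client blocked"
        if now < self.locked_until[account]:
            return False, "account locked"
        return True, "ok"

    def record_failure(self, account, client_ip):
        """Call after a wrong password.  Returns the delay imposed, in seconds."""
        now = self.clock()
        self.client_failures[client_ip].append(now)
        self.failures[account] += 1
        excess = self.failures[account] - self.free_attempts
        if excess <= 0:
            return 0.0
        delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
        self.locked_until[account] = now + delay
        return delay

    def record_success(self, account):
        """Call after a correct password (and second factor, if any)."""
        self.failures[account] = 0
        self.locked_until[account] = 0.0


class FakeClock:
    """Constructed clock for the demo; real deployments pass time.monotonic."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for attempt in range(1, 7):  # one attacker hammering one account
        allowed, reason = throttle.check("victim", "203.0.113.5")
        if not allowed:
            print(f"attempt {attempt}: refused ({reason})")
            clock.advance(1.0)
            continue
        delay = throttle.record_failure("victim", "203.0.113.5")
        print(f"attempt {attempt}: wrong password, next attempt allowed in {delay:.0f}s")
```

Two design points matter here. A per-account lockout on its own hands an attacker a way to lock legitimate users out, which is why this version uses a growing delay rather than a permanent lock, and a per-address cap on its own is evaded by spreading guesses over many machines, which is why both are applied. The same throttle must sit in front of every endpoint that accepts a password, not only the main login page.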

Managing Multiple Passwords

For those who have to juggle dozens of passwords, tracking them can be a nightmare. A study by Experian found that users have 26 online accounts on average and use only five different passwords across them. LastPass users have 100 accounts on average. What is troubling is that people continue to protect so many accounts with simple passwords. In its yearly study, SplashData found that for the last four years in a row the two most common passwords have been “123456” and “password”. These are bad choices, but a password does not have to be complex to be safe. A recent TED Talk by Professor Lorrie Faith Cranor of Carnegie Mellon University turns the traditional principles of password management on their head: write them down, don’t change them and avoid complexity, she urges. I encourage anyone looking to simplify the creation of passwords to view the talk.

Two-Factor Authentication

Two-factor authentication (TFA) uses two independent things about you to authenticate your identity, drawn from something you know, something you have and something you are. ATMs are one of the earliest examples: they require an ATM card (something you have) and a PIN (something you know) to give access to your account. TFA adds a layer of protection for your personal data, because a stolen or guessed password alone is no longer enough. Some systems make TFA easy by sending a code to your phone via email or text as the second factor; Google, Microsoft and Twitter each provide this type of TFA. Be aware that if your phone is used for logging into a service and it is stolen, your accounts may still be vulnerable, and codes delivered by text message can be intercepted by anyone who takes over your phone number.
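The article describes codes delivered by text or email. The example below, added here and not code from Google, Microsoft or Twitter, implements the standard app-generated form of the same “something you have” factor, TOTP per RFC 6238, together with the server-side check: phone and server share a secret, so no code travels over the network. The secret is the RFC’s published test secret, and the one-step skew window is an assumption.

```python
"""Time-based one-time codes (RFC 4226 / RFC 6238): the "something you have" factor.

Added example, not code from Google, Microsoft or Twitter.  The shared
secret below is the test-vector secret published in the RFCs, not a real one.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test vectors


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the current time step and `skew` steps on either side, to tolerate
    clock drift between phone and server, and remembers the highest counter
    already used so that a code which was observed in transit or over a
    shoulder cannot be replayed within its window.
    """

    def __init__(self, secret, step=30, digits=6, skew=1, clock=time.time):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.clock = clock
        self.last_counter = -1  # no code accepted yet

    def verify(self, code):
        current = int(self.clock()) // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than one we accepted: replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # The phone's side: what an authenticator app would display right now.
    print("current code:", totp(RFC_TEST_SECRET, time.time()))
    # The server's side, pinned to the RFC 6238 vector time of 59 seconds.
    verifier = TotpVerifier(RFC_TEST_SECRET, clock=lambda: 59)
    print("first use accepted:", verifier.verify(totp(RFC_TEST_SECRET, 59)))
    print("replay accepted:   ", verifier.verify(totp(RFC_TEST_SECRET, 59)))
```

The secret must be stored server-side with the same care as a password hash, since anyone who reads it can mint valid codes. The replay check is what makes a six-digit code safe to type in front of other people: once used, that code is dead for the rest of its window.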

Biometric Passwords

Biometric passwords use one of your physical attributes (something you are) to identify you to a computer system: your fingerprints, voice, eyes or face are scanned to determine that it is indeed you attempting to access an application, device or service. The matching threshold is a trade-off. Set it too strictly and the system fails to recognize you because of small variations (a false reject), which is a major annoyance; set it too loosely and it accepts someone else as you (a false accept) and exposes your data to an attacker. If you are familiar with the gummy bear attack and the high-resolution copier spoof, you know that biometric sensors can sometimes be fooled with cheap materials, and unlike a password, a fingerprint that has been copied cannot be changed.

Microsoft Windows 10 offers biometric authentication that uses a face, iris or fingerprint to identify the user of a device. The feature claims a “1/100,000 false accept rate” for facial recognition.

Password Management Apps

One way to use strong passwords you don’t have to remember is a password manager. Standalone password managers are preferable to the built-in password tool in browsers, whose saved passwords may be exposed to other users on a shared system, and browsers may lack the sync capabilities that are invaluable for anyone with multiple devices. The apps 1Password, Blur, LastPass and SplashID all have strong password management capabilities. Blur also offers masked, disposable email addresses, credit card numbers and phone numbers, as well as tracking prevention.

Password Alternatives

For those who are tired of dealing with passwords altogether, there are other means of access available:

  • In Microsoft Windows 8 and later, on touch-screen systems, a picture password can be used: you log in by drawing three gestures on a picture of your choice.
  • Yahoo has an on-demand password feature that sends a fresh password to your phone each time you log in. Of course, losing your phone leaves your accounts open to attackers if the phone itself is not protected.
  • USB security keys authenticate you to devices, apps and services through a USB port. Yubikey is one example; it provides a second factor via USB or NFC.
  • Untethered Labs offers a product called Gatekeeper that unlocks any computer set up to use it when you are in proximity, which is handy if you work with an office full of computers every day. The computers relock themselves when the Gatekeeper device goes out of range.
  • Google offers a similar Smart Lock feature that unlocks your Chromebook when your Android phone is nearby.

Conclusion

Improper password policies at organizations lead to data breaches, device hacking and account hijacking. Some feel that consumers are savvy enough to recognize products and services with bad security practices and that the market will correct itself. History is evidence to the contrary: companies need more than a nudge or a hint to do the right thing.

Of course, individuals have a responsibility to use proper passwords, either by following best practices or by using a password manager. Still, companies should not make it easy for users of their products and services to choose bad passwords. When you think about the billions of dollars and hours lost to data breaches, identity theft and other password-related tragedies, is it too much to ask for a simple piece of legislation to address the harm that bad password practices have caused individuals and the industry? Use #PrivacyBillOfRights to express your opinion.

More articles by JC Cannon

  • The Problem with Encryption
  • The Problem with Online Opt Out
  • The Problem with Online Cookies
