December 4, 2013

Why Your Password is Never Secure (and what to do about it)

Eric Griffin

Why your password is never secure

You have dozens (if not hundreds) of online accounts that have a password. While most people know ‘abc123’ is a terrible password, and the tech-saavy know to use XKCD’s method, what you should really know is that your password is weak, no matter how long and cryptic it is. Because all passwords are equally vulnerable to being stolen from the various places they live in the cloud, ‘abc123’ is no more secure than ‘correcthorsebatterystapler’. That is, until multi-factor authentication goes mainstream.

There have been books written about password selection, which is fine in the unlikely scenario your neighbor is trying to hack your Facebook account to change your profile pic to an embarrassing shot of you getting your mail in a robe. In reality, however, hackers aren’t targeting YOU. Their efforts of trying to guess your banking password just isn’t worth it, when they could spend their time hacking Adobe, Twitter, Yahoo (all of which were hacked in in the past year) or any other site storing hundreds of millions of passwords in one convenient place. Beyond breaking in to these companies, security loopholes (remember the Apple ID fiasco?) will always exist, allowing anyone who wants to hack you sidestep your super-secure password in seconds.

All of these insecurities are the result of your password being completely independent of you, the person. If you give your password to a friend halfway around the world, they can log in as you. However if your password was attached to you, and unusable if you were not around, hackers could steal your password all they want. You could go around giving your password to everyone you meet (remember this guy?) – it wouldn’t make a difference, if you had to physically verify the login attempt is valid every time someone logged in. None of this is new news (multi-factor authentication has been around since the 70’s), but what’s shocking is we still have not widely-accepted a standard or mainstreamed the use of it. With the amount of data locked behind doors to which our password is the key, and the inevitable future of storing our entire lives online, how can you ever make sure your data is safe?

The solution is simple: use your cell phone to verify you are near the computer you’re trying to log in on, or to verify you approve of the login. There’s a lot of ways this can be accomplished (many of which are already in use):

1. Bluetooth: As of 2010, Bluetooth is present in 100% of smartphones being sold and can easily be used to detect your proximity to a computer or other Bluetooth device.

2. GPS: 74% of adults have a phone with GPS (source) which can be checked against the IP address of the device you’re logging in with.

3. Text message: 91% of adults have a cell phone (source). Sending a unique code to your phone, then making the user enter that code in order to log in, prevents anyone with your password from logging in without access to your text messages.

4. Sound waves: Newly-demonstrated software by SlickLogin uses human-inaudible audio waves between the computer and cell phone to verify you are nearby.

5. Fingerprint/facial/iris recognition: Asking you to scan your fingerprint, face or eye after entering your password. Nearly every phone has a camera. And I bet you have a finger, eye or face…

The list goes on and on, and the options are available right now. The issue is awareness. Too many people think a 42-character password is what it takes to be hack-proof.

Do you use a multi-factor? If so, tell us which one and why in the comments!

Join in on #MobileOutfitters

Follow @mobileoutfitters on Instagram to see what we are up to and tag your own #mobileoutfitters adventures.