
Kill The Password: Why A String Of Characters Can't Protect Us Anymore


Lite Beer


Kill the Password: Why a String of Characters Can’t Protect Us Anymore

BY MAT HONAN

“This summer, hackers destroyed my entire digital life in the span of an hour,” says Wired senior writer Mat Honan.

You have a secret that can ruin your life.

It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

No matter how complex, no matter how unique, your passwords can no longer protect you.

Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

The age of the password is over. We just haven’t realized it yet.

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.

Continued: http://www.wired.com...ord-hacker/all/

--WIRED-- 2012-11-15


I must admit my Facebook account has been hacked twice for no apparent reason, and my credit card was used in Japan after making an internet purchase in the US on an SSL-encrypted site, so I have no faith in password-protected aspects, even my bank's. This really scares me, but what are the alternatives?


LB, thanks for that, very interesting and thought-provoking article.

Also interesting that considering his background in technology the guy had no backup of any of his data especially all the photos of his young daughter - trusting too much in the cloud perhaps?


Something like fingerprints or eye scanning?

The password thing is really a pain in the ass, as the OP suggests easy to hack and nowadays many have min 5 different passwords for all kind of i-net access.

Yes but once someone hacks your fingerprint or retinal scan then how will you change it?


Something like fingerprints or eye scanning?

The password thing is really a pain in the ass, as the OP suggests easy to hack and nowadays many have min 5 different passwords for all kind of i-net access.

Yes but once someone hacks your fingerprint or retinal scan then how will you change it?

Surgery


This summer, hackers destroyed my entire digital life in the span of an hour. ........ And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

More fool you for buying crappy Apple products and using an Apple account. This would not have been possible if you used Windows or Linux. Learn from your expensive lesson.

Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

Good grief. Not content with using crappy Apple products you also use the world's crappiest ISP. There is no hope for you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

And to cap it all off you have the world's crappiest bank. What a loser you are!

My bank will never provide any online or phone-based password reset, under any circumstances. My passwords (yes, there are two of them) can only be reset by post (two letters sent on two different days) or in person at a branch with photo ID in hand.

Still, I suppose it does all make for content in a magazine article, even if it is total <deleted>.
