Heartbleed's lesson: Passwords must die

Summary: With the multitudes of accounts we have to deal with for email, social networking and other applications that require password authentication, we need a better solution.

The original version of this article was written in February of 2011. It has been updated with new content.


The Heartbleed bug in the Open Source OpenSSL library has brought renewed attention to the weaknesses of passwords, the mechanism that has been the foundation of computer security for at least 50 years.

I've been saying for a while that passwords, and the entire way we approach computer security, need an overhaul. The piece you are reading now was originally written in 2011.

What prompted it? My usual morning commute. Here's what happened:

So this morning I did the usual. I woke up, got out of bed, I answered the call to nature, I popped a K-Cup in my Keurig brewer, and I shuffled downstairs to my home office and logged into my personal email account.

This is the first thing that I saw:

Needless to say, I was not amused. At all.

Now, I generally regard myself as extremely careful with my computer security. To the point of being extremely paranoid about it. I use "strong" passwords, mixed alphanumerics with non-alpha characters.

An example of this would be something like R1tch13R1c4386!

Not only that, but I don't use the same password on all my services. My Google password is unique.

Today, as modern computing users, we're inundated with passwords on all sorts of web and social networking sites. I use GMail, Google+ and all the Google Apps, such as Calendar, Analytics, Docs, et cetera. I use FaceBook. I use LinkedIn. I use Instagram. I use Twitter. I use Flickr.

And yeah, since this article was originally written, all of Microsoft's online services as well. And I'm also an Amazon junkie because I buy practically everything online.

I use two separate blogging accounts, and I have logins on a myriad of other websites and web-based applications, not to mention all the corporate intranet stuff I deal with on a daily basis.

The entire situation has gotten out of control. Keeping track of these requires spreadsheets and documents, stored in various places, because you can't possibly hope to remember them all, let alone when they expire.

And then, of course, you need to have them reset all the time, with new temporary passwords sent to your email, should you forget them.

So back to my GMail account. Someone had clearly compromised it, this despite the fact that I use strong passwords. 

My PCs aren't the only devices that talk to my Google account. At the time I had two Android phones, as well as an iPad. So the attack vector could have been from anywhere.

In the three years since I wrote the original version of this piece, I own even more devices, which include a Mac, an iPhone, an iPad Air, a primary work Windows 8.1 laptop, two Windows Phones, a Microsoft Surface Pro, and a couple of Android tablets as well.

Oh yeah. An XBOX One, a Roku and an Apple TV. And I'm probably forgetting all the other Internet of Things stuff living on my wireless network too.

With all of the strong password precautions I took at the time, I still have no idea how that account was compromised.

I can only speculate: It could have been a rogue Android or iOS app, it could have been a cross-site authentication thing on FaceBook, or it could have been something as simple as an email or web-based phishing attack, although I tend to be pretty vigilant about the obvious phishing emails which come across my desk on a daily basis now.

It could also have been a "Brute Force" attack, although with "Strong" passwords that becomes more difficult. I also won't rule out Google's servers being penetrated directly.
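As an added illustration for the two points made above (that a "strong" password is harder to brute-force, and that reusing one across services throws that advantage away), the script below sizes the exhaustive-search space of a password and flags passwords shared between accounts. It is example code written for this page, not code from the article, from Google or from OpenSSL; the 1e10 guesses per second rate and the sample account list are constructed assumptions.

```python
"""Added example: size the brute-force search space of a password and flag
re-use across accounts. Illustration written for this page, not code from
the article or from OpenSSL; the guess rate is an assumed figure."""
import math
import string
from collections import defaultdict

# Character classes used to size the keyspace an exhaustive search must cover.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Number of distinct characters an attacker must assume are in play:
    the sum of the sizes of every character class the password uses."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates in an exhaustive search:
    length * log2(alphabet). This is an upper bound on resistance; dictionary
    and pattern-based guessing do far better than exhaustive search against
    passwords built from words and predictable substitutions."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Years needed to cover the whole space at a constant guess rate.
    1e10 guesses/s is an assumed offline-cracking rate, not a measured one."""
    candidates = 2 ** search_space_bits(password)
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def find_reused(accounts: dict) -> dict:
    """Map each password used by more than one service to those services.
    A reused password makes every site sharing it only as safe as the
    weakest of them, no matter how many bits the string scores."""
    by_password = defaultdict(list)
    for service, pw in accounts.items():
        by_password[pw].append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


if __name__ == "__main__":
    for pw in ("password", "R1tch13R1c4386!"):
        print(f"{pw!r}: {alphabet_size(pw)} symbols, "
              f"{search_space_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.2e} years at 1e10 guesses/s")
    # Constructed sample account list, not real credentials.
    sample = {"mail": "R1tch13R1c4386!", "shop": "R1tch13R1c4386!",
              "blog": "Hunter2!"}
    print("reused:", find_reused(sample))
```

Run against the article's own example, the 15-character mixed-class string scores roughly 98 bits, far beyond any practical exhaustive search, while an all-lowercase 8-character word scores under 40 bits and is exhausted in seconds at the assumed rate. The second function makes the other half of the argument: the bit count says nothing about a password that has been phished, leaked from a server, or reused on a site that was breached, which is the situation the article describes.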

This all happened three years ago. Back when I originally wrote this, we didn't know what the NSA and presumably, other state-sponsored actors might have been capable of then, although many of us strongly suspected it.

The Heartbleed bug was introduced into the OpenSSL codebase in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14 March 2012.

The point is, it doesn't matter. If someone like me can get compromised, so can anyone else, especially someone who isn't keeping track of their online accounts and behavior as much as I do.

Let's face it -- passwords suck. Once someone knows what they are, your security is in a world of poo. I would have used a much stronger term than "poo", but I'll let Private Pyle do this for me.

There is a better solution than passwords. That solution is Biometrics.


About

Jason Perlow, Sr. Technology Editor at ZDNet is a technologist with over two decades of experience with integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer...
