In the sad world of passwords, we're engrossed in the wrong movie

Summary: Another password and data breach. Another mad scramble of questions and Band-Aids. It's not password configuration, policies or anything else, it's the infrastructure that needs an overhaul.

I've wanted to write something about the LinkedIn breach, but under a news lens what is actually new?

I have a dozen or more stories in my doc folder telling the same sad tale. Zappos, Gawker, Sony, Apple, Fox, CBS, Warner Bros., etc. etc. I guess I could just search and replace the names with LinkedIn, eHarmony or and change the number of compromised accounts.

Company X loses millions of passwords and personal data to Hackers Y. Company X says change all your passwords. End-users Z ignore or dutifully update and repeat a new password on all their sites. Law enforcement investigates but goes for donuts when the short Internet attention span sees another shiny object to fawn over.

Hackers Y pop up again six months later with phishing scams, or worse yet, attacks on business accounts using a combination of your stolen name, password, and the last four digits of your credit card number.

It's not the passwords, folks. The infrastructure is broken. What's that phrase about insanity and trying the same thing over and over?

We hang our cleverly crafted (not!) passwords all over the Internet, trusting virtual entities offering 10% off our next purchase and a promise our data won't be shared willingly - but without mentioning the sieve that is their circa 1980s security defenses.

Is there a fix? Right now, no. Is there something in the works? Yes. Will it solve (or drastically minimize) the threat? Time will tell.

Read the National Strategy for Trusted Identities in CyberSpace (NSTIC) proposal, look at what Google is doing with public domain interfaces and back-end verified attribute exchanges. Facebook may be fork lifting personal data into the advertising industry but they are doing OK so far with passwords. Read about trust frameworks and personal data stores.

The very basic structure is to have a trusted identity provider (IdP) that vouches for you when other sites - known as relying parties - go looking for your authentication credentials. Nearly every site gets out of the password game - LinkedIn, eHarmony, etc. etc. - and the number of IdPs shrinks to four or five major sites.

Yes, there is a single point of failure argument, but liability contracts are the incentives IdPs have to protect your data. Protecting your identity will be their core competency as opposed to holiday cheese balls and wrapping paper.

Or we can continue to stuff our passwords in mattresses all over cyberspace and hope theft and account hacking only happens to the other guys. What was it, 5% of LinkedIn accounts compromised; odds are pretty good it wasn't you (but it was me this time).

I'm not professing all this infrastructure work is the cavalry coming together to save the day, but how many times can we get kicked in the cyber groin before we want to test the merit of some other protection? If it is proven not to work, let's move on to the next set of ideas.

The way things are now, carnival games at country fairs pose a tougher test for hackers.

Look for web sites to begin marketing their beefed-up defenses and touting adoption of SHA-2 in the small type to the unwashed masses as an improvement over that puny SHA-1 LinkedIn so foolishly relied on.

Of course, 24 million Zappos users will know that SHA-2 didn't prove to be a paddle once they got up the password river.

Change. We need it. What do you think it should be?

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Discussion
  • Fingerprints

    Technology that allows you to log in using a username (or email address) and then scan your fingerprint. Should be doable now, or at least in the next few years.
    • fingerprints?

      Then people will steal fingerprints instead of passwords. This will make it even less secure, because you can't change them. Why do you think they would be more secure?
  • End password authentication altogether

    Secure authentication will never occur using passwords. There is the whole Mark-of-the-Beast issue between any good alternative and the current mess. That's the real discussion and it needs to begin.
  • Americans and Identity Verification

    Americans have always been wary of absolute identification authority, and anything wide-reaching enough to be considered so. It's the main reason we don't have a mandatory federal ID aside from a Social Security Number, and a lot of people are clearly uncomfortable with even that much. The Internet really is like the wild west of the 21st century, where password breaches might be akin to some bandit riding into town and shooting out the saloon - most people in town will survive, depending on who was in the wrong place at the wrong time, and the perpetrator will eventually be caught and brought to justice, but unfortunately, by then the damage will already have been done. The point is that most people seem to be okay with this risk if it means helping keep big brother out of their faces, or at least maintaining the illusion of doing so. Furthermore, it's going to take a hyper-drastic event, in which many highly influential people potentially end up losing devastating amounts of money, perhaps in a way that completely overwhelms insurance capital, in a mega-breach before people even consider something like a centralized identity authority.
    • Problem is that such info is still accessible by potentially corrupt people

      And typically, those with such access are paid too little for them to be beyond corruptible.
  • Irony

    Ha! Nice article. I was asked to submit a password to add this reply. By the way, fingerprints will just be converted to a digital password after they are scanned. That can be hacked as much as a made-up password. Your computer is still sending ones and zeros to the website.
  • Finger prints are less secure

    Why would anyone think fingerprints are more secure? They can steal those just like a password. Those too are stored in databases. You can't change a fingerprint like you can a password; once they have your fingerprint they can use it on all of your accounts, even 50 years into the future.
  • Okay so....

    Whereas I agree there should be some sort of "new technology" for better security, you do know that all that was collected was passwords, right? There were no usernames that were stolen with the hashed passwords, so what good are they? Ooooo... they have a password. Without a username to go along with it, it's just data. Stop creating a panic where there isn't one.
  • Salt anyone?

    Why is it so hard for companies to salt their databases? I have always found it to be extremely lazy and incompetent for companies to not use easy methods to secure customer data. If the companies put even the slightest thought into security we wouldn't be reading these stories on a daily basis. Of course salting the data/passwords isn't 100% foolproof either, but it makes using rainbow tables impossible if you set it up correctly. Today we would be looking at "dozens" of passwords cracked out of 6.5 million just on LinkedIn vs the "millions" of passwords that have already been shown to be cracked, all because they used a simple hash instead of salting it and then hashing it.

    I saw LinkedIn stated they salted their database, but security experts have shown that to not be true or else the passwords would not have been cracked so quickly and easily.
  • Sure there is a solution

    It's called Lastpass.

    I just created a login for zdnet. In my toolbar I hit lastpass and hit "generate secure password". It instantly creates something insanely complex like wC%1*xJ$#HQHN.

    Lastpass remembers your password next time you hit the website and it types it in for you automagically.

    I trust lastpass with my passwords more than anyone else. It is their job. If they get compromised - they are certainly completely out of business with baaaaad marks on all their resumes.

    Finally, if someone (other than lastpass) gets compromised.... all they end up with is wC%1*xJ$#HQHN. A password unique to their website. Have fun with that one slackers! Try working for a living, like the rest of us.

    Lastpass is not the only one doing this... so we have competition too.

    Oh yeah... it's free.
    • Free...

      "Oh yeah... it's free."

      If you don't pay for the product, you ARE the product.
      Or rather, your data is...
    • I prefer KeePass

      I prefer KeePass since it performs essentially the same function but remains local. You would need your computer itself compromised. It is also free.

      I also don't see why we can't keep our current model and just implement it properly. Use secure hashes (MD5 and SHA-1 are NOT secure) + salts, set up proper permissions on databases, etc. Security takes a lot of time, and its price is inconvenience, but its inconvenience is outweighed greatly if it fails and suddenly there's a huge security breach and your private information becomes public. THAT is inconvenient.
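The "Salt anyone?" and "I prefer KeePass" comments above both argue that a per-user salt plus a proper hash is what makes a leaked password table resistant to precomputed (rainbow) tables. The following is an added example, not code from the article or from any commenter: it stores the same constructed user set both ways (unsalted SHA-1, as the comments say LinkedIn did, and salted PBKDF2-HMAC-SHA256, a scheme chosen here for illustration), then runs two audits a defender can apply to a stored-hash table: how many entries a small constructed candidate table recovers, and how many entries are duplicates (identical hashes betray shared passwords and therefore no per-user salt). The record format and the user and candidate lists are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two users share a weak password, one does not.
USERS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "T9#vq2!Lm"}
# Constructed candidate list a precomputed (rainbow-style) table would be built from.
WEAK_CANDIDATES = ["password", "123456", "linkedin123", "qwerty"]


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme the comments above criticise."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (hypothetical record format)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def precomputed_table_hits(stored_hashes, candidates) -> int:
    """Audit: how many stored hashes a salt-free table {sha1(candidate): candidate}
    would recover. With a per-user salt the table cannot be built in advance."""
    table = {legacy_sha1(c): c for c in candidates}
    return sum(1 for h in stored_hashes if h in table)


def duplicate_hash_count(stored_hashes) -> int:
    """Audit: identical stored hashes reveal shared passwords, hence no per-user salt."""
    return len(stored_hashes) - len(set(stored_hashes))


def audit(users=USERS) -> dict:
    """Compare the two storage schemes on the same constructed user set."""
    legacy = [legacy_sha1(p) for p in users.values()]
    salted = [make_salted_record(p)["hash"] for p in users.values()]
    return {
        "legacy_table_hits": precomputed_table_hits(legacy, WEAK_CANDIDATES),
        "salted_table_hits": precomputed_table_hits(salted, WEAK_CANDIDATES),
        "legacy_duplicates": duplicate_hash_count(legacy),
        "salted_duplicates": duplicate_hash_count(salted),
    }
```

On the constructed data the unsalted store gives up two entries to a four-word table and shows one duplicate, while the salted store gives up none and shows none; on a real table the duplicate count is a quick way to spot unsalted storage before a breach makes it obvious.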
  • RE: Credit Card Details

    1 - Ban companies from storing credit card details (obviously banks would be an exception).
    2 - Introduce massive financial penalties for companies that flout the law.

    $1M/CC number stolen (or accessed without authorization) would get their attention.
  • "but IdPs will be incented to protect your data via liability contracts"

    I think you mean "liability contracts are the incentive for IdPs to protect your data".

    Anyway it won't work. Single point of failure isn't something that can just be brushed aside. It happens, and the failure modes (not rates) multiply exponentially, because they apply to multiple sites. Even intentional policy changes can really ruin your day. Every business's core competency is making money. What they do to make money is NOT their core competency, and it can all be switched out for another way to make money if they like. And the company (or government) who buys all that discarded data? Let's hope they have good intentions.

    This has been tried before (e.g. MS Passport). It always fails. It will always fail.

    As lehnerus2000 noted, massive legal penalties work, because they affect the only thing business understands -- the bottom line. I'd make the penalty for storing payment information proportional to the size of the offender (e.g. employees, revenue, etc.)
  • I agree

    That's one of the reasons why after I'd started designing a net-id service, I realized it could answer a lot of security concerns as well.
  • Passwords Aren't Dead!

    I wanted to state that passwords aren't dead. Until every IdP is SUPER EASY to install and operate, passwords and password synchronization will live long into the future. And yes, there will ALWAYS be the potential for a single point of failure. How do you protect against that...
    Jackson Shaw