Heartbleed's lesson: Passwords must die

Summary: With the multitudes of accounts we have to deal with for email, social networking and other applications that require password authentication, we need a better solution.

The original version of this article was written in February of 2011. It has been updated with new content.

The Heartbleed bug in the open source OpenSSL library, a memory disclosure flaw that lets a remote client read chunks of a TLS server's memory, including passwords in flight, has brought renewed attention to the weaknesses of passwords, the mechanism that has been the foundation of computer security for at least 50 years.

I've been saying for a while that passwords, and the entire way we approach computer security, need an overhaul. The piece you are reading now was originally written in 2011.

What prompted it? My usual morning commute. Here's what happened:

So this morning I did the usual. I woke up, got out of bed, I answered the call to nature, I popped a K-Cup in my Keurig brewer, and I shuffled downstairs to my home office and logged into my personal email account.

This is the first thing that I saw:

Needless to say, I was not amused. At all.

Now, I generally regard myself as extremely careful with my computer security. To the point of being extremely paranoid about it. I use "strong" passwords, mixed alphanumerics with non-alpha characters.

An example of this would be something like R1tch13R1c4386!

Not only that, but I don't use the same password on all my services. My Google password is unique.

Today, as modern computing users, we're inundated with passwords on all sorts of web and social networking sites. I use Gmail, Google+ and all the Google Apps, such as Calendar, Analytics, Docs, et cetera. I use Facebook. I use LinkedIn. I use Instagram. I use Twitter. I use Flickr.

And yeah, since this article was originally written, all of Microsoft's online services as well. And I'm also an Amazon junkie because I buy practically everything online.

I use two separate blogging accounts, and I have logins on a myriad of other websites and web-based applications, not to mention all the corporate intranet stuff I deal with on a daily basis.

The entire situation has gotten out of control. Keeping track of these requires spreadsheets and documents, stored in various places, because you can't possibly hope to remember them all and when they expire.

And then, of course, you have to reset them all the time, with temporary passwords sent to your email whenever you forget one. That makes the email account the master key to everything else.

So back to my Gmail account. Someone had clearly compromised it, despite the fact that I use strong passwords.

My PCs aren't the only devices that talk to my Google account. At the time I had two Android phones, as well as an iPad. So the attack vector could have been from anywhere.

In the three years since I wrote the original version of this piece, I have acquired even more devices, which include a Mac, an iPhone, an iPad Air, a primary work Windows 8.1 laptop, two Windows Phones, a Microsoft Surface Pro, and a couple of Android tablets as well.

Oh yeah. An XBOX One, a Roku and an Apple TV. And I'm probably forgetting all the other Internet of Things stuff living on my wireless network too.

With all of the strong password precautions I took at the time, I still have no idea how that account was compromised.

I can only speculate: it could have been a rogue Android or iOS app, it could have been a cross-site authentication problem with Facebook, or it could have been something as simple as an email or web-based phishing attack, although I tend to be pretty vigilant about the obvious phishing emails which come across my desk on a daily basis now.

It could also have been a brute-force attack, although with strong passwords that becomes more difficult. I also won't rule out Google's servers being penetrated directly.

This all happened three years ago. Back when I originally wrote this, we didn't know what the NSA and presumably, other state-sponsored actors might have been capable of then, although many of us strongly suspected it.

The Heartbleed bug was introduced into the OpenSSL codebase in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on the 14th of March 2012; it was fixed in 1.0.1g in April 2014. It is a missing bounds check in OpenSSL's TLS heartbeat handling: a client can ask the server to echo back up to 64 KB of whatever happens to sit in the process's memory, which on a busy web server includes other users' session cookies, passwords in flight, and even the server's private key.

The point is, it doesn't matter. If someone like me can get compromised, so can anyone else, especially someone who isn't keeping track of their online accounts and behavior as much as I do.

Let's face it -- passwords suck. Once someone knows what they are, your security is in a world of poo. I would have used a much stronger term than "poo", but I'll let Private Pyle do this for me.

There is a better solution than passwords. That solution is Biometrics.

Topics: Security, Cloud, Collaboration, Mobility, Networking, Smartphones, Social Enterprise

About

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.


Talkback

123 comments
  • That won't work

    Even if your PC has a fingerprint scanner, how about your phone? How about going to a library PC and accessing your account?

    Some centralized authentication may be the answer. The problem is who. Can we let the government handle our accounts? Microsoft tried this a couple of years ago, but few trusted them. Now we have this dilemma.

    Right now I am using one small application I wrote myself. All usernames and passwords are saved in an XML file and encrypted; clicking the URL link brings me directly to the login page, so I don't need to remember the URL either.
    FADS_z
    • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

      @FADS_z
      Sounds similar to LastPass.
      Real World
      • Yep LastPass

        Totally nailed it @Real World
        Aaron Klap
      • Biometrics are not the answer!

        In a networked world, biometrics won't work. In a closed, offline system with hardware security, biometrics will work. However, when working over a network, the server generally authenticates, meaning that the data gathered from your fingerprint or retina scan is just another password used to verify a stored hash. Problem is, it's a password that can't be changed, so once your fingerprint is compromised, you're screwed.

        THE WORLD NEEDS TO STAY AWAY FROM BIOMETRICS!!!
        NitzMan
    • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

      @FADS_z Take a look at the new Motorola Atrix (the rage at CES, coming March 6 on AT&T - an iPhone killer). It has a built-in fingerprint scanner, and I can tell you that every major manufacturer of devices is looking at adding fingerprint scanners for simplified locking and unlocking of the phone. Add the right web-authentication software to it, and you will be able to swipe your finger on your phone or your PC to authenticate to web sites.

      My company, BIO-key, has already begun porting our WEB-key secure web authentication platform client to the Atrix, and when complete in 60 days or so, you will be able to swipe to authenticate to one or more of the major online authentication service providers that are integrating this platform. There WILL be trusted, non-government players offering fingerprint authentication in the cloud, and the explosion of mobile devices will be the catalyst for uptake. Standing there pecking in strong passwords while your friends swipe to instantly authenticate in context for secure access to apps, mobile payments, DEA-approved ePrescribing of controlled substances (yep, to their credit, the DEA specifically went back and revised their rule last summer to allow ePrescribers to choose a biometric subsystem like WEB-key to secure that process)... and BIO-key is already integrated into Allscripts and Eclipsys, Sentillion, EPIC, McKesson, plus most of the commercial enterprise authentication platforms (IBM TAM ESSO, HID/ActivIdentity, Oracle OAM & Passlogix, CA eTrust SSO and Evidian, to name a few). You can also upgrade your laptop's "free" (i.e. bad) software algorithm to replace it with a better one.

      Unfortunately, based on the misperceptions that are expressed in the comments, most people don't realize how big a difference there can be between old or inferior fingerprint systems they may have experience with, and the state of the art in secure fingerprint authentication today. Tablets and smart phones have had false starts as well, if you recall the failure of the units 5-10 years ago to widely catch on. Did that mean the concept wasn't worthy? No, it meant that the implementation wasn't worthy. Fingerprint biometrics is the same way. Please keep an open mind to how this technology can help make sure that you are the only one who can access your privileges, and make it easier for you, as well. Everyone has the right to a secure identity, and that's what this industry is trying to help achieve.
      SecurityThroughObscurity
    • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

      @FADS_z
      A biometric doesn't have to be the only way into your secure accounts - just the most easy + secure way. You can still allow "plan B" access methods, such as smart questions, password plus SMS, etc, but use them only on the occasions that you don't have your fingerprint scanner available. The nice thing about fingerprint authentication is it's the rare case of the strongest authentication ("Who you are") being the easiest.

      I see several people raise the question of replay attacks and that you can't create more fingerprints for yourself if some are compromised. I addressed this below in another reply, but it's important enough to simply say here that quality web fingerprint authentication platforms mitigate this threat by creating a secure tunnel protocol all the way to the scanners (even the cheap ones in phones and laptops offer this, and liveness detection to prevent the negative Mythbusters exposure that some inferior scanners fell victim to).

      As for your fingerprints being of limited supply and vulnerable if compromised, this is a misconception about biometrics, which are different from passwords, which obviously must be kept secret. Intrinsic to biometrics is the idea that you don't have to keep the thing being measured - you - secret. You can show it to the world, but you are the only one who can meet the measuring standard at authentication time.

      The misperception is that the fingerprint is the credential, when actually, your finger is the credential. The system's job is to make sure that a real finger is on a real scanner when an authentication takes place. The fingerprint is just an artifact of your finger being scanned, and a quality web fingerprint authentication system will secure that pipeline so an imposter with a perfect image of your fingerprint cannot inject it into the system and claim to be you. The good thing about an all-software platform that is interoperable across all readers is that you can leverage today's enrollment with tomorrow's new scanners and devices that contain them, versus having to start over and re-enroll.

      Our customers who enrolled years ago can start identifying their users, customers, and patients over the web using the Motorola Atrix phone on Android OS with our upcoming WEB-key client for Android. Stay tuned!
      SecurityThroughObscurity
      • Real live finger would be preferable

        Fingers can be severed.
        John L. Ries
    • Biometrics will come, it is only a matter of time

      Apple's recent inclusion of a fingerprint activator is a primitive baby step, and since it is only single factor, easy to bust.

      But multifactor biometric authentication? Put enough measures in, and you have to be you (or your identical twin). Someone might be able to mimic your prints... but not your prints, retina, and voice. And the sensors needed for this could be built into the existing cameras and microphones our devices come with.

      In about 15 years, I suspect we'll see this displace passwords.
      Mac_PC_FenceSitter
      • Well ...

        At some point all of this identity information goes over the network as data. If someone ever manages to sniff it and replicate it, it's over. And it's not like a password, where you could just change it. I really believe that when biometrics appears it will get hacked and will create a real Orwellian mess.
        George Mitchell
        • Re:"identity information goes over the network" - not so

          That's not true of the iPhone 5S.

          On the iPhone 5S all biometric data is stored on a hardware encrypted area (called "Secure Enclave") of the A7 SoC and it never leaves there.
          Slurry
          • Yes, but...

            This applies to a completely offline system. The iPhone's hardware manages the authentication for itself. When you have a server-based system, the server needs to perform the authentication. Hence data is passed over the wire. Any data over the wire or residing on a remote server should be regarded as compromised.

            Passwords are still the best method of security. The problem is they're not complex enough and people can't remember them. So we have to solve the problem and not introduce a new problem. Biometrics is a problem within itself and something that should never be introduced into a networked system.

            You can change your password, but you can't change your finger or eyeball.
            NitzMan
      • biometrics do not solve passwords with regards to heartbleed

        what do all these biometric measures do in software?
        they just authenticate and then pass a "PASS" token to the server.
        the Token is the biometric equivalent of a password.
        so heartbleed just reveals the token instead of a password.
        what's the technical difference?
        warboat
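An added example, in Python, that is not part of the article or of any commenter's post and is not OpenSSL, BIO-key or Apple code. It ties together two points from the thread above: NitzMan's argument that a biometric checked by the server against a stored hash is just an unchangeable password, and warboat's question of what Heartbleed would leak under each design. The over-read is a deliberately simplified model of the bug (the attacker's short heartbeat payload sits in memory next to another user's login data, and the server echoes back the attacker's claimed length), the fingerprint template is a constructed byte string, and design B uses an HMAC shared secret for brevity where a real Secure Enclave style design would hold a keypair so the server stores only the public half.

```python
import hashlib
import hmac
import secrets


def heartbeat_vulnerable(memory: bytes, payload_len: int, claimed_len: int) -> bytes:
    # Toy model of the Heartbleed over-read: echo `claimed_len` bytes starting
    # at the attacker's payload, never checking it against the `payload_len`
    # bytes actually received. Whatever follows in process memory leaks too.
    return memory[:claimed_len]


def heartbeat_fixed(memory: bytes, payload_len: int, claimed_len: int):
    # The corrected behaviour: a heartbeat claiming more than it sent is dropped.
    if claimed_len > payload_len:
        return None
    return memory[:claimed_len]


class TemplateHashServer:
    """Design A: the device sends the fingerprint template; the server salts,
    hashes and compares, exactly as it would a password."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, template: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.sha256(salt + template).digest())

    def login(self, user: str, template: bytes) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, hashlib.sha256(salt + template).digest())


class Device:
    """Design B: the template never leaves the device. A local match unlocks a
    per-device key that answers a server-chosen nonce (HMAC here; assumption)."""

    def __init__(self, template: bytes):
        self.template = template
        self.key = secrets.token_bytes(32)

    def respond(self, presented: bytes, nonce: bytes):
        if not hmac.compare_digest(self.template, presented):
            return None
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class ChallengeServer:
    def __init__(self):
        self.keys = {}      # user -> device key (public key in a real design)
        self.used = set()   # nonces already accepted, so a capture cannot replay

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def revoke(self, user: str) -> None:
        self.keys.pop(user, None)

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, nonce: bytes, response) -> bool:
        key = self.keys.get(user)
        if key is None or response is None or nonce in self.used:
            return False
        ok = hmac.compare_digest(hmac.new(key, nonce, hashlib.sha256).digest(), response)
        if ok:
            self.used.add(nonce)
        return ok


def demo() -> dict:
    finger = b"minutiae-template-right-index"   # constructed stand-in for a template
    out = {}

    # Design A: the template itself is on the wire and in server memory.
    a = TemplateHashServer()
    a.enroll("alice", finger)
    memory = b"ping" + finger                   # attacker payload, then a victim login
    out["fixed_rejects"] = heartbeat_fixed(memory, 4, 64) is None
    stolen = heartbeat_vulnerable(memory, 4, 64)[4:4 + len(finger)]
    out["a_leak_is_reusable"] = a.login("alice", stolen)
    a.enroll("alice", finger)                   # "re-enrolling" the same finger changes nothing
    out["a_reenroll_still_reusable"] = a.login("alice", stolen)

    # Design B: only a one-time response to one nonce is on the wire.
    dev, b = Device(finger), ChallengeServer()
    b.register("alice", dev.key)
    n1 = b.challenge()
    r1 = dev.respond(finger, n1)
    stolen = heartbeat_vulnerable(b"ping" + r1, 4, 64)[4:4 + len(r1)]
    out["b_login"] = b.verify("alice", n1, r1)
    out["b_replay_same_nonce"] = b.verify("alice", n1, stolen)
    out["b_replay_new_nonce"] = b.verify("alice", b.challenge(), stolen)
    out["b_wrong_finger"] = dev.respond(b"someone-else", b.challenge()) is None
    b.revoke("alice")                           # rotation: new device key, same finger
    dev2 = Device(finger)
    b.register("alice", dev2.key)
    n3 = b.challenge()
    out["b_old_device_after_rotate"] = b.verify("alice", n3, dev.respond(finger, n3))
    n4 = b.challenge()
    out["b_new_device_after_rotate"] = b.verify("alice", n4, dev2.respond(finger, n4))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under design A the leaked bytes log in forever and re-enrolling cannot help, because the finger is the secret; under design B the leaked bytes fail against the same nonce and against any new nonce, and a compromised device is handled by revoking its key and enrolling a fresh one, with the finger untouched. With HMAC the server still holds a per-device secret that a memory leak could expose, which is why real designs use a keypair on the device and a public key on the server.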
    • I agree

      I am just not willing to freely give up my biometric info. Just imagine if that's ever compromised. It's like the SSN debacle we have now.

      For me, the only acceptable solution is a credible alias. Smart people already get this.

      Mark my words: the value of an alias will only increase with time. -Cornhead circa 2013.
      CornheadsBack
      • alias

        Will you also agree that your alias will get to live your life, instead of you?
        danbi
        • The secret of an alias is...

          ...if it's ever compromised you just get a new one.
          CornheadsBack
    • What are those techies

      Biometrics are converted into data streams that are quite easily intercepted unless one uses applied cryptology with the aim of making such data more difficult to interpret.

      Check up on how computers work before pulling together complex solutions.

      The status quo will remain, only making some hardware manufacturers happy and rich.
      X15meshman
  • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

    Probably 60-75% of the time I access Facebook/LinkedIn/Gmail/etc. from a mobile device that doesn't have the capability to do any type of two-factor authentication, let alone biometrics. I would also love to see the false-positive and false-negative rates on the various types of biometric ID, and to what extent that is based on the hardware and software combination used.

    In short, I don't think we're anywhere near being ready to support biometric ID across the board, but I'll grant you, we're closer than we were two years ago.
    Real World
    • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

      @Real World

      Biometrics, unless you are talking military-grade, is VERY unreliable. Believe me, I tested a fingerprint scanner one time that my cousin brought home (they were thinking of using them on the police computers) and we couldn't get the thing to recognize the fingerprint scan as being authorized more than 1 out of 10 times.

      This was a consumer level device, but that is the point: it's what most people would use.
      Lerianis10
      • Seems to work for some and not others.

        @Lerianis10 We ran a test a while back at my office. The print readers worked well for some people but not for others. I was one of the people it just wouldn't work for (with results similar to your 1 in 10 example) while for others it worked most of the time.

        The other thing I have against this idea is that if it becomes widespread, every friend and relative I have will be calling me for their free tech support on it.
        cornpie
        • Re: it worked most of the time

          Would you agree to have a security system, that most of the time will let you in and most of the time will keep the bad guys out?
          danbi