Password breaches: End-user carnage is unspoken heartache


Summary: Password breaches torture end-users more so than the hacked company, merchant or service.

TOPICS: Security, Networking

Hear the chorus: Digital life must evolve beyond passwords.

See the reality: eBay, Spotify, Avast, Adobe, Yahoo, Target, Twitter, Zappos, Gawker, Sony, Apple (twice), Fox, CBS, Warner Bros., LinkedIn, Neiman Marcus Group Ltd., and Michaels Stores Inc.

All hacked.

I know I've missed many, but there likely will be more to add in a few weeks or even days.

From a corporate perspective, the reputation backlash and financial hit from a password or data breach has become so stifling that Spotify reacted this week to the theft of a single user’s data by asking nearly 40 million other customers to change their passwords.

Target’s breach bill could eventually top $1 billion — 2.8 percent of its market cap. The CIO and the CEO have resigned. The company’s year-over-year 2013 fourth-quarter profits were down 46 percent.

The end-user carnage? Unknown, because losing your personal data can easily turn into 20 miles of uncharted broken glass. Password breaches torture end-users more so than the company, merchant or service. Stolen passwords are sold on the black market and new hacks come at users from unexpected and unusual angles, with the original hacked company too obscured by the trail of tears to be tagged with liability.

Wait until your biometric data is hijacked. Try changing your fingerprint or iris scan – or undergoing a nose job, chin lift, or eyelid reconstruction — to update your biometric passcodes.

Passwords are off the rails. Access control in tatters. And many companies are proving they’re not secure or savvy enough to protect personal data – or don’t have a care to do so.

Last year, Deloitte Canada’s research organization said 90 percent of user-generated passwords would be relevant for mere seconds under pressure from hackers.

What’s a big next step toward repair?

Consumers must finally see the value of their personal data and demand protections when it's shared with providers. The argument is the same for IT and enterprise user populations let loose in a world where cloud apps and services are as much a part of the network as a Cisco router.

A recent Ponemon Institute report says 110 million American adults had their personal data exposed by hackers in the past 12 months alone, which totals some 432 million accounts. And that number can grow exponentially if the passwords to those millions of accounts were re-used on other accounts.

Corporations are first buddying up to protect themselves.

This week, the Retail Industry Leaders Association and major retailers debuted the Retail Cyber Intelligence Sharing Center (RCISC) to identify and prevent cyber attacks.


It’s a noble cause, but the profile of these hacks, including Target and eBay, shows the damage was done well before the hacks were even discovered. So sharing would happen post-breach. With that track record, the best RCISC will get is a sacrificial lamb whose experience may help other members. With attack vectors constantly changing, that’s a losing game to play.

RCISC's board of directors includes senior executives from Target, American Eagle Outfitters, Gap, JC Penney, Lowe's, Nike, and Walgreens Co.

Government agencies include the U.S. Department of Homeland Security, U.S. Secret Service and Federal Bureau of Investigation.

If these corporate alliances include protecting customer data in their mission, then where is an agency like the FTC’s Consumer Protection Bureau in the equation? The FTC is not ignoring digital life. It is advocating for more protection so consumers can control their personal information.

It is disingenuous when a hacked company announces that financial information was not breached. It implies financial data is more valuable than personal data.

But it is common knowledge that consumers are not liable for unauthorized credit card transactions. Visa, MasterCard, Discover, and American Express all offer $0 liability guarantees.

Would you rather call a 1-800 number to end the carnage or change a password on each of the 25-30 sites where it was re-used and then wait for the next stealth attack or breach?

Retailers and service providers need to get out of the password game; it is not their core competency, and they eventually hurt their customers, their reputations and their bottom line.

In a new and emerging architecture, identity providers (IdPs) will take on responsibility — and, more important, liability — for authentication, personal data and other identifying attributes. It will be contractual. That’s called skin in the game.

The OAuth 2.0 protocol, gaining favor among IdPs such as Google, Yahoo and IT software vendors, provides the proactive ability to revoke user access tokens in case of a breach. Instead of asking end-users to change passwords, they are asked to re-authenticate to get a new token.
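The revoke-and-re-authenticate flow described above, as an added example that is not code from the article or from any IdP: a toy token service in the OAuth 2.0 style. Class and method names are assumptions. Access tokens are opaque bearer strings; the server keeps only a SHA-256 digest of each, so a leaked token table does not yield usable tokens. Revocation works per token (the operation RFC 7009 standardises as a revocation endpoint) or in bulk by issue time, which is how an IdP can kill every session minted before a breach was detected and let users simply sign in again rather than rotate passwords.

```python
"""Toy OAuth 2.0-style token service with incident-driven bulk revocation.

Added example, not code from the article or from any identity provider;
the names below are assumptions and the clock is faked so the walkthrough
runs deterministically offline.
"""
import hashlib
import secrets


class FakeClock:
    """Controllable clock standing in for time.time()."""
    def __init__(self, start=1000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class TokenService:
    def __init__(self, clock):
        self.clock = clock
        self._records = {}          # sha256(token) -> {"sub", "issued", "expires"}
        self._breach_cutoff = None  # tokens issued before this instant are dead

    @staticmethod
    def _digest(token):
        # Store only a digest: a dumped token table is useless to an attacker.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject, ttl=3600):
        """Upstream authentication succeeded; mint a fresh opaque bearer token."""
        token = secrets.token_urlsafe(32)
        now = self.clock.now()
        self._records[self._digest(token)] = {
            "sub": subject, "issued": now, "expires": now + ttl}
        return token

    def introspect(self, token):
        """Resource-server check. Returns (active, subject_or_reason)."""
        rec = self._records.get(self._digest(token))
        if rec is None:
            return False, "unknown_or_revoked"
        if rec["expires"] <= self.clock.now():
            return False, "expired"
        if self._breach_cutoff is not None and rec["issued"] < self._breach_cutoff:
            return False, "revoked_by_incident"
        return True, rec["sub"]

    def revoke(self, token):
        """Single-token revocation, the shape RFC 7009 exposes as an endpoint."""
        self._records.pop(self._digest(token), None)

    def revoke_issued_before(self, cutoff):
        """Incident response: every token issued before `cutoff` stops working.
        Affected users re-authenticate and receive a new token; no password
        change is required because the password was never the session secret."""
        self._breach_cutoff = cutoff


def incident_walkthrough():
    """Runs the breach scenario and returns what each token looks like afterwards."""
    clock = FakeClock()
    svc = TokenService(clock)
    alice_old = svc.issue("alice")
    bob_old = svc.issue("bob")
    clock.advance(600)
    # Breach detected: the IdP invalidates everything issued before this moment.
    svc.revoke_issued_before(clock.now())
    # Alice signs in again and gets a new token; Bob keeps presenting the old one.
    alice_new = svc.issue("alice")
    return {
        "alice_old": svc.introspect(alice_old),
        "bob_old": svc.introspect(bob_old),
        "alice_new": svc.introspect(alice_new),
    }
```

The cutoff is a single timestamp rather than a walk over every record, so revoking tens of millions of tokens costs nothing at revocation time; the price is paid per introspection, which is where a bearer token has to be checked anyway.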

And there are other on-going efforts including multi-factor authentication, federated SSO, and on-board mobile access controls.

Perhaps something like a sky-high hike in insurance liability policies for those companies issuing and storing user passwords might convince corporate executives that passwords are no longer a gamble worth taking.

When you build your business in a flood plain, you pay extra to insure against disaster. And passwords are in the saturated throes of a 100-year event.

Even the inventor of the password, 87-year-old Fernando Corbató, said last week, “unfortunately, it’s become kind of a nightmare.”

Yes, it is a nightmare. For end-users, especially. They trust their stored personal data will be protected via current standards; they suffer when their data is stolen, and they can’t write the consequences off on their balance sheets.

What additional steps do you think are needed to address or limit the password problem?



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • And yet... there is nothing better.

    PKI? no - the pass phrase is also a password.

    Guess what? PKI isn't even used for the communication. Instead it is likely using AES or some other symmetric cypher-- with (guess what?) more passwords - hopefully generated by a good random number generator... But that fails too.

    So passwords aren't going anywhere. They are still the best way of confirming that the person on the other end is who they claim to be.

    No biometric measure will do - they have ALL been faked at one time or another.

    Now using GOOD passwords is not easy. Password phrases are better... but it still needs to be an UNUSUAL phrase. Common phrases fail just like using common words. The only advantage to the long passphrase is really the difficulty of creating rainbow tables to attack it.
    • Paraphrasing Churchill

      Passwords are the worst security method, but I cannot find a method that is better.
    • Biometrics require physical access to the users . . .

      "No biometric measure will do - they have ALL been faked at one time or another."

      Biometrics require physical access to the users, though. If a database gets hacked at somebody's server, now the hackers have access to thousands or millions of email addresses, user names, phone numbers, etc - whatever the database is storing (except actual passwords, which are usually hashed/encrypted).

      If somebody fakes your fingerprint, they have access to you. And that's about it. Sure, it sucks for you, but gaining access to one person's data is a lot less of a problem than gaining access to the data of millions of people.
      • No they don't.

        All you have to do is capture one during a scan...

        Just like you do with capturing a password.
        • Actually . . .

          "All you have to do is capture one during a scan..."

          Actually, that depends on the implementation. The iPhone 5's fingerprint scanner has its own processor and doesn't share the actual scan with the primary CPU. It only shares the fingerprint of the fingerprint, so to speak.
      • Depends on where the biometrics are used.

        If you're using them to authenticate to a local password safe, it's fine-ish (though there are still some tradeoffs - are your enemies more likely to be shoulder-surfers or to know your name?)

        Using them to actually authenticate to a remote server makes bulk compromises trivial, though - most people have fewer than a dozen fingers, several of which are often stored unencrypted in various government records, and widespread acceptance of biometric auth makes it easier for attackers and leakers to collect large databases of their own.
  • CEO's not hurt

    Mentioning Target CEO -
    Shame some CEO has to retire with only 21.3 million. If companies and their executives were held liable they might then be investing into tools to stop breaches or maybe not storing our personal data forever on their computers.
    Silent Observer
  • Rethink where we store our data.

    I suggest we rethink where we store our data. Putting absolutely everything in the cloud, especially sensitive data - not such a hot idea. Maybe we have to seek a model where some stuff stays offline. I know cloud purists hate that idea - but is there really a better alternative?

    Maybe biometrics, but that's really a ways away right now. We don't have good standards or best practices laid out for biometrics yet, and consumers are slow to pick up biometrics.
  • The cumulative effect of

    all these alerts is going to have a serious impact on the whole industry. First you read about some that don't impact you, then Heartbleed makes you change half a dozen logins, then eBay which goes beyond passwords. There is some tolerable limit before users start canceling their online accounts to spare themselves the headache. The whole joy of online financial transactions is supposed to be convenience, not sweating every next hacker emergency.
    • Which is why Kerberos works so well.

      No fixed passwords other than when initializing the principal. After that, random passwords are embedded in a time-limited encrypted principal ticket (ours were 10 hours). Each connection requires a service ticket (limited by the remaining time of the principal ticket) which may be reused within the remaining time. And instead of one key, it uses two - one for transmission, one for receiving data. Using tickets with addresses embedded is even stronger - a stolen ticket doesn't work, as it is tied to the address it was used on. Unfortunately NAT breaks this a bit, as the embedded address has to be the public address, not the private address, so use of addressless tickets is common; but less secure.

      Unfortunately, using a SINGLE identity doesn't scale into the millions/billions of target accounts (10s of thousands, yes) - you would need a LOT of servers, and registration for servers is not exactly trivial (about the same overhead as for PKI). Even server identity expires (ours required renewal every month).

      Not good for web browsing though - EACH connection to a different server requires a service ticket to be obtained first. Considering the number of different ad servers contacted for a single web page would quadruple the overhead, even assuming only one authentication server. If there were thousands.... each domain would have to have a principal ticket obtained... And if you didn't require it, then something like https would be broken as some things would be encrypted, most would not, and that makes identifying a secure page impossible.
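The ticket behaviour the comment above describes, as an added example that is not code from the page or from any Kerberos implementation (the function names are assumptions and the "tickets" are plain dicts rather than the encrypted structures the real protocol uses). It shows three properties: a service ticket cannot outlive the principal ticket (TGT) it was obtained with, an address-bound ticket is rejected when presented from another address, and an addressless ticket, the usual workaround behind NAT, is accepted from anywhere, which is exactly the weakening the comment points out.

```python
"""Model of Kerberos-style ticket lifetime chaining and address binding.

Added example, not code from the page or from MIT Kerberos. Times are plain
seconds passed in explicitly so the walkthrough runs deterministically.
"""
import secrets

TGT_LIFETIME = 10 * 3600  # the 10-hour principal ticket the comment mentions


def grant_tgt(principal, now, client_addr=None, lifetime=TGT_LIFETIME):
    """Authentication service: issued once, after the password is checked."""
    return {"kind": "tgt", "principal": principal,
            "session_key": secrets.token_bytes(16),  # random, never the password
            "expires": now + lifetime,
            "addr": client_addr}                     # None means addressless


def grant_service_ticket(tgt, service, now, requested_lifetime=3600):
    """Ticket-granting service: a service ticket is capped by the TGT's remaining time."""
    if tgt["kind"] != "tgt" or tgt["expires"] <= now:
        raise PermissionError("TGT expired; re-initialise with the password")
    return {"kind": "service", "principal": tgt["principal"], "service": service,
            "session_key": secrets.token_bytes(16),
            "expires": min(now + requested_lifetime, tgt["expires"]),
            "addr": tgt["addr"]}                     # binding is inherited


def service_accepts(ticket, presenting_addr, now):
    """What a service does with a presented ticket. Returns (ok, subject_or_reason)."""
    if ticket["kind"] != "service":
        return False, "not_a_service_ticket"
    if ticket["expires"] <= now:
        return False, "expired"
    if ticket["addr"] is not None and ticket["addr"] != presenting_addr:
        return False, "address_mismatch"   # a stolen address-bound ticket fails here
    return True, ticket["principal"]


def walkthrough():
    """Runs the scenarios from the comment and returns the observed outcomes."""
    results = {}
    now = 0
    # Address-bound principal ticket for a client at 10.0.0.5 (constructed address).
    tgt = grant_tgt("alice@EXAMPLE.COM", now, client_addr="10.0.0.5")
    now += 9 * 3600 + 1800                      # 9.5 h later: 30 min left on the TGT
    st = grant_service_ticket(tgt, "imap/mail.example.com", now, requested_lifetime=3600)
    results["capped_lifetime_s"] = st["expires"] - now         # 1800, not 3600
    results["from_own_addr"] = service_accepts(st, "10.0.0.5", now)
    results["stolen_to_other_addr"] = service_accepts(st, "203.0.113.9", now)
    now += 1800                                 # TGT, and with it the service ticket, expires
    results["after_tgt_expiry"] = service_accepts(st, "10.0.0.5", now)
    # Addressless ticket, as commonly used behind NAT: a stolen copy works anywhere.
    tgt2 = grant_tgt("bob@EXAMPLE.COM", now)
    st2 = grant_service_ticket(tgt2, "imap/mail.example.com", now)
    results["addressless_from_other_addr"] = service_accepts(st2, "203.0.113.9", now)
    return results
```

The `min(...)` in `grant_service_ticket` is the whole point of lifetime chaining: however long a service asks for, nothing it hands out survives the principal ticket, so the blast radius of a stolen ticket is bounded by the remaining session, not by the service's own policy.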
  • Defenders lose

    The problem with cloud is defenders have to be *perfect*; even one hole and it's game over.

    Hackers only have to be lucky once, and there are millions of them, with their numbers multiplied by the computers they control.

    Worse, there are no good defenses, much less perfect ones. So why in the hell are we as an industry rushing to the cloud like lemmings bulldozed off a cliff?

    Until the authentication/identity issue is solved (and that's an NP-hard problem) the cloud is not ready for prime time. Even though every cloud company is lying through its teeth and says it is.
  • :) Sorry, you've already used that email/password combo...

    "... On [list of other, previously exploited, websites we check]. Don't be alarmed. If you think it's odd that a "good" site is checking your password against the other sites, consider what the bad guys are doing."
  • Use a good password manager

    that way you can have one master password stored locally on your computer and all your other login passwords can be long and unique to each online account. On a laptop or mobile device also make sure that your master password is long, at least 12 random characters. Computers are much better at remembering things than people. Take advantage of that capability.