It takes a village to kill a password
Initially I chuckled at Twitter’s password advice in the wake of hacks on the accounts of Burger King and Jeep.
The social media site was stealthily admonishing users for their poor password habits (easy to guess, too short, poorly configured, re-used) in a beat-your-head-against-a-wall lecture that end-users have heard and ignored for decades.
And the irony was rich.
Late last month, Twitter itself was the victim of a hack showing its inability to properly configure its own protections for its sensitive data. The result was upwards of 250,000 Twitter users having to reset their passwords.
Were Burger King and Jeep the victim of their own poor password policies? Or were passwords stolen from Twitter or any number of other repositories hacked in the past 24 months or so (LinkedIn, Facebook, Apple, Zappos, Sony) the source of the passwords? Passwords that perhaps were re-used on multiple sites by end-users - one of the no-no’s of Twitter's (and others) rant on good password hygiene.
But as you look at the dynamics of the hacks, and where blame might lie, it is clear from either side that they're really in this together. And they're starting to work on it.
Today, Twitter announced it has been using a technology called "Domain-based Message Authentication, Reporting & Conformance." DMARC is targeted at reducing the number of phishing emails looking to trick users out of their account passwords. DMARC standardizes how email receivers perform email authentication.
DMARC was created by a group of organizations that includes Bank of America, Fidelity, JPMorgan Chase, Comcast, PayPal, Facebook, LinkedIn, and email providers AOL, Microsoft, Yahoo, and Google.
"DMARC gives email providers a way to block email from forged domains popping up in inboxes. And that in turn lessens the risk users face of mistakenly giving away personal information," wrote Twitter's Postmaster Josh Aberant in a blog post today.
That's one major effort to reduce password theft.
Earlier this week, Google updated its war on account hijackers, those who steal (or buy on the black market) credentials of email accounts they can use for sending spam to the account holder's contacts.
"We’ve seen a single attacker using stolen passwords attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second," Mike Hearn, a Google security engineer, wrote in a blog post.
So Google instituted a risk analysis system that kicks in when users sign on to their email accounts. The system has some 120 variables. Suspicious looking log-ins, say from the other side of the world from where the user normally resides, are met with some inquiring challenges - say a phone number or secondary email associated with the account.
Google says the results were a reduction in the number of compromised accounts by 99.7% since the peak of hijacking attempts in 2011.
And like Twitter, Google asked end-users to do their part in protecting their accounts with strong and unique passwords, two-step verification, and new recovery options such as secondary email addresses.
In addition, continuing efforts such as the National Strategy for Trusted Identities in Cyberspace (NSTIC), which is attempting to build an identity layer for the Internet - and standards work around authentication, authorization that will benefit cloud and mobile services - all play a part.
Next week at the annual RSA Conference, identity will cut a wide swath with a number of panels and speakers discussing what is possible, and vendors showing how to build it.
Some will argue this federated identity "ecosystem" is just one credential and a single point of failure. But the target is a better-crafted credential and a better-protected system of connections that includes tokens and trust relationships. A set of identity providers, who have liability and revenue at stake, and a revocation/de-provisioning system that can cascade across domains.
None of these actions, words of advice, or product suites taken individually is a silver bullet, but collectively there might just be a silver lining.