It takes a village to kill a password


Summary: Do end-users, online services, email providers and other invested parties have a collective conscience that can build a better credential and make the Web a safer place?

TOPICS: Security, Networking

Initially I chuckled at Twitter’s password advice in the wake of hacks on the accounts of Burger King and Jeep.

The social media site was stealthily admonishing users for their poor password habits (easy to guess, too short, poorly configured, re-used) in a beat-your-head-against-a-wall lecture that end-users have heard and ignored for decades.

And the irony was rich.

Late last month, Twitter itself was the victim of a hack that exposed weaknesses in how it protected its own sensitive data. The result was upwards of 250,000 Twitter users having to reset their passwords.

Were Burger King and Jeep the victims of their own poor password policies? Or were the passwords stolen from Twitter, or from any of the other sites breached in the past 24 months or so (LinkedIn, Facebook, Apple, Zappos, Sony)? Passwords that perhaps were re-used on multiple sites by end-users - one of the no-no's in Twitter's (and others') rant on good password hygiene.

But as you look at the dynamics of the hacks, and where blame might lie, it is clear that both sides are really in this together. And they're starting to work on it.

Today, Twitter announced it has been using a technology called "Domain-based Message Authentication, Reporting & Conformance." DMARC is targeted at reducing the number of phishing emails looking to trick users out of their account passwords. It builds on the existing SPF and DKIM checks: a domain owner publishes a DNS record saying what receivers should do with mail that claims to come from that domain but fails those checks (nothing, quarantine, or reject), and receivers report back on what they saw. That gives email receivers a standard way to perform email authentication and act on the result.

DMARC was created by a group of organizations that includes Bank of America, Fidelity, JPMorgan Chase, Comcast, PayPal, Facebook, LinkedIn, and email providers AOL, Microsoft, Yahoo, and Google.

"DMARC gives email providers a way to block email from forged domains popping up in inboxes. And that in turn lessens the risk users face of mistakenly giving away personal information," wrote Twitter's Postmaster Josh Aberant in a blog post today.
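To make the mechanism concrete, here is an added example (not code from the article, from Twitter, or from any real DMARC implementation) that parses a constructed DMARC record and applies its alignment rules and policy to a message's SPF and DKIM results. The domain, record and report address are made up, and the organizational-domain rule is a stated simplification (last two labels) in place of the Public Suffix List lookup real receivers use.

```python
"""DMARC policy evaluation, simplified.

Added example, not code from the article or from any DMARC implementation.
Given a DMARC record (as published in DNS at _dmarc.<domain>), the SPF and
DKIM results for a message, and the domains involved, decide whether the
message passes DMARC and what disposition the receiver should apply.
"""
from dataclasses import dataclass

# Constructed sample record, as it would appear in the TXT record for
# _dmarc.example.com (domain and report address are made up for the example).
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying the RFC 7489
    defaults for alignment mode (relaxed) when the tags are absent."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record missing required p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels.
    Real receivers consult the Public Suffix List (think of co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the
    visible From: domain, relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, the one the user sees
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str   # d= of a verified DKIM signature ("" if none)


def evaluate(record: str, r: AuthResults) -> tuple[bool, str]:
    """Return (dmarc_pass, disposition). A message passes DMARC if SPF or
    DKIM passed AND that identifier aligns with the From: domain; otherwise
    the receiver applies the published p= policy."""
    policy = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, policy["aspf"])
    dkim_ok = (r.dkim_pass and bool(r.dkim_domain)
               and aligned(r.from_domain, r.dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]


if __name__ == "__main__":
    # A forged phish: From: says example.com, but SPF only passes for the
    # attacker's own envelope domain, and there is no example.com signature.
    phish = AuthResults("example.com", True, "attacker.test", False, "")
    print("phish   ->", evaluate(SAMPLE_RECORD, phish))
    # Legitimate mail signed with d=example.com.
    legit = AuthResults("example.com", False, "bounce.other.test", True, "example.com")
    print("legit   ->", evaluate(SAMPLE_RECORD, legit))
```

The phishing case is the one DMARC was built for: SPF can pass for a domain the attacker controls, but without alignment to the From: domain the message still fails and, under p=reject, never reaches the inbox.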

That's one major effort to reduce password theft.

Earlier this week, Google updated its war on account hijackers, those who steal (or buy on the black market) credentials of email accounts they can use for sending spam to the account holder's contacts.

"We’ve seen a single attacker using stolen passwords attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second," Mike Hearn, a Google security engineer, wrote in a blog post.

So Google built a risk analysis system that kicks in when users sign on to their accounts. The system weighs some 120 variables on every sign-in. A suspicious-looking login, say from the other side of the world from where the user normally signs in, is met with additional challenges, such as confirming a phone number or secondary email address associated with the account.

Google says the results were a reduction in the number of compromised accounts by 99.7% since the peak of hijacking attempts in 2011.
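As an added illustration of the kind of check the article describes (this is example code, not Google's system, which evaluates far more signals and is not public), the following scores a sign-in on three signals, distance from the user's usual location, an unrecognised device, and the travel speed implied since the previous sign-in, and decides whether to allow it or demand an extra challenge. The profile, coordinates, device identifiers, weights and threshold are all constructed for the example.

```python
"""Risk-based sign-in challenge, simplified.

Added example, not Google's system and not code from the article. A correct
password alone is not enough when the surrounding signals look wrong; the
response is a challenge the password thief cannot answer, such as a code sent
to a registered phone or secondary address. Geolocation is taken as given here
(in practice it comes from an IP-to-location lookup).
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    user: str
    ts: float          # Unix seconds
    lat: float
    lon: float
    device_id: str
    password_ok: bool


@dataclass
class Profile:
    home_lat: float
    home_lon: float
    known_devices: frozenset
    last_ts: float     # previous successful sign-in
    last_lat: float
    last_lon: float


def km_between(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance via the haversine formula, Earth radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(a))


def risk_score(a: Attempt, p: Profile) -> tuple[int, list[str]]:
    """Return (score, reasons). The weights are illustrative assumptions."""
    score, reasons = 0, []
    d_home = km_between(a.lat, a.lon, p.home_lat, p.home_lon)
    if d_home > 1000:
        score += 40
        reasons.append(f"{d_home:.0f} km from usual location")
    if a.device_id not in p.known_devices:
        score += 30
        reasons.append("unrecognised device")
    # Impossible travel: distance from the previous sign-in over elapsed time.
    hours = max((a.ts - p.last_ts) / 3600, 1 / 60)
    speed = km_between(a.lat, a.lon, p.last_lat, p.last_lon) / hours
    if speed > 1000:  # faster than any commercial flight
        score += 50
        reasons.append(f"implied travel speed {speed:.0f} km/h")
    return score, reasons


def decide(a: Attempt, p: Profile, threshold: int = 50) -> str:
    """'deny' on a wrong password, 'challenge' at or above the threshold,
    otherwise 'allow'."""
    if not a.password_ok:
        return "deny"
    score, _ = risk_score(a, p)
    return "challenge" if score >= threshold else "allow"


if __name__ == "__main__":
    # Constructed profile: user normally signs in from New York on dev-1.
    home = Profile(40.71, -74.01, frozenset({"dev-1"}), 1_000_000.0, 40.71, -74.01)
    attempts = [
        Attempt("alice", 1_003_600.0, 40.71, -74.01, "dev-1", True),   # routine
        Attempt("alice", 1_003_600.0, 50.45, 30.52, "dev-9", True),    # stolen password
        Attempt("alice", 1_003_600.0, 40.71, -74.01, "dev-1", False),  # wrong password
    ]
    for att in attempts:
        print(decide(att, home), risk_score(att, home))
```

Note that the second attempt is refused even though the password is correct: that is the point of the approach, since credentials bought or stolen in bulk come without the device and location history of the real user.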

And like Twitter, Google asked end-users to do their part in protecting their accounts with strong and unique passwords, two-step verification, and new recovery options such as secondary email addresses.

Continuing efforts also play a part: the National Strategy for Trusted Identities in Cyberspace (NSTIC), which is attempting to build an identity layer for the Internet, and the standards work around authentication and authorization that will benefit cloud and mobile services.

Next week at the annual RSA Conference, identity will cut a wide swath with a number of panels and speakers discussing what is possible, and vendors showing how to build it.

Some will argue this federated identity "ecosystem" is just one credential and a single point of failure. But the target is a better-crafted credential and a better-protected system of connections: tokens and trust relationships, a set of identity providers that have liability and revenue at stake, and a revocation/de-provisioning system that can cascade across domains.

None of these actions, words of advice, or product suites taken individually is a silver bullet, but collectively there might just be a silver lining.



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • Wiggle Your Finger Identification

    Hi John,

    I believe you will find that a new version of biometric identification called MovementMetric Identification™ will replace all current measures that are used to grant and deny cyber access.

    MovementMetric Identification™ utilizes changes that occur with the movement of any part of your body.

    One example of use would be to observe the wrinkles at any one of the knuckles of any of your fingers, the patterns that occur in these wrinkles during the movement of your finger can never be replicated for use by any other person or any device.

    So... in the near future, we will simply wiggle our finger in front of a camera if we wish to be accurately identified. No tokens, no passwords, and no other tricks will be needed to keep others out of our cyber stuff, the wrinkles in just one knuckle will soon be the only key we will ever need.

    Information about the use of MovementMetric Identification™ to improve upon our current computing resources and computing environments can be found at

    Welcome to the Future!
    • Until..

      you have a band-aid over that knuckle, or a blister, or a new cut, or jewellery, or lost the hair on the knuckle due to brief exposure to open flame.

      Is there an inherent assumption that fingers are inseparable from the body?

      Just Devil's advocating here, but otherwise it sounds interesting. I am skeptical.
      • Okay, then wink, wrinkle up your face, or just use another finger!

        One knuckle of any finger was just an example, the process can utilize any part of your body that can be observed, so, observation of a natural blink of your eye, or your mouth as you speak or breathe, or patterns that occur with the movement of all of your fingers could just as easily be used for providing 100% accurate MovementMetric Identification™ determinations.
        • Until...

          You are in a car accident and the eye is damaged.

          Bottom line is biometric identification is not a good choice, because anything can happen to pretty much any identifying part of the body.

          Not to mention, what about systems that don't have cameras.

          And how do we know that the picture taken is secure? It is easy enough to patch through a video to appear like it is coming from a live camera. What stops someone from taking a copy of what you are sending to log in and then using it to log in themselves?
    • An electrical device cannot recognize a physical object... has to be broken down into patterns, which are then broken down into data streams, which are then stored as hashes or as plain text. That is the same problem we have with passwords, they are converted into hashes, or actually stored as plain text. Passwords can be unhashed by brute force, and biometrics will be too. It is just kicking the can down the road a bit.
  • Still beatable

    Will a camera not be fooled by me holding up a video of you wiggling your finger?

    A three fold system would probably be more secure.

    Something about you, (biometrics)
    Something you know, (password) and
    Something you have (a dynamic token based on a shared secret key/pair).
    • Less is more

      The camera will do it all by itself, Movementmetrics™ uses unique biological characteristics of a person that can never be replicated by any other person or any device, I don't think the same can be said about a password or a token.
      • Nobody has done that yet

        Why would we believe the sensors can't be fooled now?
  • Password managers suck!

    End users need password managers that interface effortlessly with desktop apps, websites, and mobile apps. Currently even the best password managers are horribly clunky.
  • Skinning a cat

    There are many ways of skinning this particular cat. No single technology has all the answers and some solutions are still waiting for appropriate questions to be asked.
    NSTIC, which you reference, is first and foremost about building out an ecosystem of various solutions appropriate to different environments and needs and giving consumers, businesses and public authorities greater confidence in using one or other trust framework in any transaction using visible and measurable trust and confidence measures.
    As in any ecosystem, gene pool diversity ensures evolution to deal with new threats as they arise. Depending on any single method or solution ought to be treated with caution.
  • Voice Dialog

    The best method of authentication for most situations, not requiring a user to remember a password, or remember to carry a magic token of some type and not leave it at home, would be a voice dialog. User says "computer" or "login" or some other keyword to start. Computer displays a word, phrase or sentence. User reads it back in a natural voice. Computer verifies that the user's response has BOTH the correct CONTENT and the correct VOICEPRINT. Since the computer selects the word or phrase at random, unauthorized users cannot just play back a recording of the authorized user speaking a password.

    The exceptional situations would be few, but might include (a) the user has laryngitis, or (b) the user is in a library, public event, or hiding from a deadly enemy, and cannot speak out loud.

    As an alternative, how about having a DNA analysis device built into the computer, the user breathes into an opening, and the analyzer checks the user's exhaled DNA. OK, that may be going too far. I am not even sure if enough DNA to be analyzed is present in exhaled breath, and I would definitely not want to spit on the computer (even though we all feel like it at times). If a sensitive enough magnetic detector for EEG (actually MEG) were developed, the computer could read the user's brain wave activity and look for the fingerprint registered for that user.
    • Only the last of those...

      ... could be secure enough. And even then the sensor could be modified, and you could run a "replay attack" if it isn't secure enough.

      The only method I trust right now is secure personal physical tokens.
    • Every method you speak of...

      requires the method to be broken down into a data stream, then stored. If someone can steal my password hash from twitter and decrypt it, then someone can steal my voiceprint hash, my fingerprint hash, or my brainwave hash, and decrypt it. Sure, it may be more secure now, but wait two years, and someone will be decrypting those with inexpensive graphics cards and a script on the internet.

      Steven Wright, the comic, had the right idea. Put 12 locks on your front door but only lock half of them. No matter how long someone stands there and picks those locks, they will always be relocking half of them!
  • I'll humbly suggest

    that this problem of "internet wide" authentication and security is not separable from the hungry hunt of social media, search engines, and data aggregators of all stripes to get, keep, analyze and sell credit card identities and information about them. I don't give a royal hoot about any information associated with "I2K4" and if some hacker or communist agent gets it I'll change it and go with "I2K5". But the "real me" is a horse of a different color, as Dorothy realized in The Wizard of Oz on her way to the secret chamber.