It appears the tide has shifted; the passwords are now more valuable to hackers than they are to the enterprise users and consumers that create them.
The New York Times reported Tuesday that “a Russian crime ring has amassed the largest known collection of stolen internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses.”
Once again, Milwaukee-based Hold Security was the discoverer of the pilfered passwords cache, which the hackers built by breaking into some 420,000 large and small websites.
But while trouble is on the doorstep, help is on the way in the form of new authentication schemes, including multi-factor, and other attribute services — such as location and context — that when used together offer better security for users and harder challenges for hackers to re-use stolen usernames and passwords.
As I’ve said here before, it is time end-users realize their personal data has value, including username and password. For those who can’t calculate that value, know that Facebook didn’t develop a $189 billion market cap harvesting corn on Farmville. That cap was built on personal data willingly provided by its end-users.
And protecting that value is getting to be more than passwords can handle. Consider the effort of changing your password at dozens upon dozens of web sites, some of which may be your bank and other financial services (with the names of those institutions conveniently pulled from your hacked email account). And compare that pain to credit card theft, which is solved by a single phone call and a liability contract that puts the cardholder’s responsibility at $0 but nevertheless puts a sense of doom into consumers.
And consider the multitude of avenues open once hackers have your credentials. Stolen passwords are sold on the black market and are used for new hacks that come at users from unexpected and unusual angles.
Given the continuing use of passwords such as “Password” and “12345” the perception is identity, and personal data, hold little value. But it's high time prevailing wisdom questions that perception; hackers sure are.
In 2013, Deloitte Canada’s research organization said 90 percent of user-generated passwords would be relevant for mere seconds under pressure from hackers.
The Russian contingent set a new benchmark, pushing the needle into the billions of records — a potential black-market bonanza on the backs of user credentials, typically weak and replayed across sites on the internet.
And if you're hoping the carnage will end, consider that the hundreds of millions of records stolen from Target last December had lost 70 percent of their value on the black market in the first two months post-breach, according to a report by security expert Brian Krebs. That gives internet users roughly a 60-day window before a new batch of stolen credentials starts the assault cycle once again.
What’s the answer? Is there an answer?
There is not one answer, but a series of methods savvy enterprises and end-users can use to get out of the line of fire and into a foxhole. Face it, passwords are not going away any time soon; what they need is a call for back-up and a culture shift in the security vs. convenience pattern.
Multi-factor authentication (MFA) options built on smartphones have emerged in mainstream sites from Facebook to Google to GitHub to Twitter. The FIDO (Fast Identity Online) Alliance — formed in July 2012 to address strong authentication and reduce the use of passwords through a combination of hardware, software, and services — is gaining steam.
Google has said it will include FIDO’s U2F open standard in its Chrome browser later this year, which will bring with it options for a new range of devices and strong authentication from security vendors.
The historical resistance to today’s MFA — tedious typing and re-typing of credentials — will test end-user’s willingness to bend the security/convenience continuum.
Look for biometrics to help with the bending. Fingerprint readers on Apple's iPhone 5 and Samsung’s Galaxy S5 show that more effort and more money are being pumped into biometric-based authentication options that include voice and facial recognition. And look for devices to provide location and context, among other attributes, that will also help triangulate the identity of a user.
Online identity services that take on the task of authentication, federation and user ID management are increasing in popularity among enterprises. End-users will need to pay attention to pick out options that are defining the future, while IT will need to pay attention to the construction of hybrid identity infrastructures that leverage existing build-outs and regulatory-inspired internal security boundaries.
The authentication space is gaining momentum with end-user awareness, vendor tools (both hardware and software), and online services. But they better hurry in order to catch hackers already up to warp speed.