Heartbleed's lesson: Passwords must die

With the multitudes of accounts we have to deal with for email, social networking and other applications that require password authentication, we need a better solution.
Written by Jason Perlow, Senior Contributing Writer

The original version of this article was written in February of 2011. It has been updated with new content.


The Heartbleed bug in the open-source OpenSSL library, which let an attacker read chunks of server memory that could hold live passwords and session keys, has brought renewed attention to the weaknesses of passwords, the mechanism that has been the foundation of computer security for at least 50 years.

I've been saying for a while that passwords and the entire way we approach computer security needs an overhaul. The piece you are reading now was originally written in 2011.

What prompted it? My usual morning commute. Here's what happened:

So this morning I did the usual. I woke up, got out of bed, I answered the call to nature, I popped a K-Cup in my Keurig brewer, and I shuffled downstairs to my home office and logged into my personal email account.

This is the first thing that I saw:

Needless to say, I was not amused. At all.

Now, I generally regard myself as extremely careful with my computer security. To the point of being extremely paranoid about it. I use "strong" passwords, mixed alphanumerics with non-alpha characters.

An example of this would be something like R1tch13R1c4386!

Not only that, but I don't use the same password on all my services. My Google password is unique.

Today, as modern computing users, we're inundated with passwords on all sorts of web and social networking sites. I use GMail, Google+ and all the Google Apps, such as Calendar, Analytics, Docs, et cetera. I use Facebook. I use LinkedIn. I use Instagram. I use Twitter. I use Flickr.

And yeah, since this article was originally written, all of Microsoft's online services as well. And I'm also an Amazon junkie because I buy practically everything online.

I use two separate blogging accounts, and I have logins on a myriad of other websites and web-based applications, not to mention all the corporate intranet stuff I deal with on a daily basis.

The entire situation has gotten out of control. Keeping track of these requires spreadsheets and documents, stored in various places, because you can't possibly hope to remember them all and when they expire.

And then of course you need to have them reset all the time, with new temporary passwords sent to your email should you forget them.

So back to my GMail account. Someone had clearly compromised it, this despite the fact that I use strong passwords. 

My PCs aren't the only devices that talk to my Google account. At the time I had two Android phones, as well as an iPad. So the attack vector could have been from anywhere.

In the three years since I wrote the original version of this piece, I own even more devices, which include a Mac, an iPhone, an iPad Air, a primary work Windows 8.1 laptop, two Windows Phones, a Microsoft Surface Pro, and a couple of Android tablets as well.

Oh yeah. An XBOX One, a Roku and an Apple TV. And I'm probably forgetting all the other Internet of Things stuff living on my wireless network too.

With all of the strong password precautions I took at the time, I still have no idea how that account was compromised.

I can only speculate: It could have been a rogue Android or iOS app, it could have been a cross-site authentication thing on Facebook, or it could have been something as simple as an email or web-based phishing attack, although I tend to be pretty vigilant about the obvious phishing emails that come across my desk on a daily basis now.

It could also have been a brute-force attack, although with strong passwords that becomes more difficult. I also won't rule out Google's servers being penetrated directly.

This all happened three years ago. Back when I originally wrote this, we didn't know what the NSA and, presumably, other state-sponsored actors might have been capable of, although many of us strongly suspected it.

The Heartbleed bug (CVE-2014-0160) was introduced into the OpenSSL codebase in December 2011 and was out in the wild from OpenSSL release 1.0.1 on 14 March 2012 until the fix shipped in 1.0.1g on 7 April 2014.

The point is, it doesn't matter. If someone like me can get compromised, so can anyone else, especially someone who isn't keeping track of their online accounts and behavior as much as I do.

Let's face it -- passwords suck. Once someone knows what they are, your security is in a world of poo. I would have used a much stronger term than "poo", but I'll let Private Pyle do this for me.

There is a better solution than passwords. That solution is biometrics.

Biometrics have been used effectively in computing applications for some time, primarily in high-security environments where recognizing the unique characteristics of an individual is of paramount importance. Typically, you see them used in government, TOP SECRET and financial systems.

Usually, you see them in the form of fingerprint or iris scans (the latter often loosely called "retina" scans; true retinal imaging of the blood-vessel pattern at the back of the eye is a separate and far rarer modality), and sometimes even voice print identification. There are other ways of doing biometrics, but these are the ones in common use.

One such system that used both fingerprint and iris is the CLEAR registered traveler service, which recently re-opened under new ownership with limited service at Orlando airport after its parent company, Verified Identity Pass, ceased operations in June of 2009.

Despite the fact that the company had financial troubles and the service may have come before its time, the authentication system itself was one of the best I've ever seen: a combination of an electronic identity card containing a biometric signature with iris and fingerprint scanning at the checkpoint.

Fingerprint scanners are inexpensive, ranging from $40-$50 retail if you want to add one to your PC. Some higher-end business laptops, such as my Lenovo X1 Carbon Touch, already have them built in.

As a component cost of integrating into a USB keyboard, a laptop, tablet or smartphone, the price is significantly less once you start manufacturing them in the tens of millions. Apple has already proven this by integrating a fingerprint scanner into the iPhone 5S, and Samsung has followed with the new Galaxy S5.

Built-in cameras in laptops and smartphones with high-resolution sensors, constantly improving macro capability and miniaturized optics could also make iris recognition on portable devices and PCs an affordable reality within a number of years.

These solutions could also be combined with RFID implants and/or voice print identification, as well as Trusted Platform Modules (TPM) and virtual smartcards, to have multiple points of identification and so minimize the risk of access through biometric forgery. Note that stacking factors does not by itself address coercion (such as being forced to authenticate at gunpoint), since a victim can be made to present every factor they carry; that threat needs a separate signal rather than another factor.

The cost and integration of the hardware is only part of the problem, though. What we really need is a standardized API that works on every OS platform and the web, so that you have seamless session-based biometric logins for all the services and applications one might use. The design point that matters for such an API is where the match happens: the biometric should be matched on the device and used only to unlock a key held in the TPM or virtual smartcard, with the service receiving a signed assertion rather than the fingerprint itself. A service that never stores passwords or biometric templates has nothing reusable for a Heartbleed-style memory leak to give away.
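As an added illustration (not code from the original article, and not the API of any real product or standard), the following Go sketch shows the shape such a login takes when a biometric is combined with a device-resident key as the preceding paragraphs suggest: the match happens on the device, the device signs a one-time challenge with a key that never leaves it, and the service stores only a public key. The account names, the hash-based "template" and the exact-match check are assumptions made for the example; real matchers are fuzzy and a real private key would live in a TPM or secure element rather than in process memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds only public keys and outstanding challenges. Nothing stored here
// is a reusable secret: leaking it (Heartbleed-style) yields no way to log in.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding nonce per account, consumed on use
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register binds an account to the public half of a device-resident key.
func (s *Server) Register(user string, pk ed25519.PublicKey) { s.pubKeys[user] = pk }

// Challenge hands out a fresh 256-bit nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify accepts a signature only over the nonce it issued, and only once.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	expected, ok := s.challenges[user]
	if !ok || subtle.ConstantTimeCompare(expected, nonce) != 1 {
		return false
	}
	delete(s.challenges, user) // consume it: a captured signature cannot be replayed
	return ed25519.Verify(s.pubKeys[user], loginMessage(user, nonce), sig)
}

// loginMessage binds the signed statement to a purpose, the account and the nonce,
// so a signature produced for one context cannot be presented in another.
func loginMessage(user string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("biometric-login-v1\x00"))
	h.Write([]byte(user))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Device models a phone or TPM-backed laptop: the private key never leaves it,
// and every use of the key is gated by a local biometric match.
type Device struct {
	priv     ed25519.PrivateKey
	template [32]byte // assumption: hash of the enrolled sample stands in for a real (fuzzy) template
}

// Enroll captures the biometric locally and generates the device key pair.
// Only the public key is handed out, for registration with the server.
func Enroll(sample []byte) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, template: sha256.Sum256(sample)}, pub, nil
}

// Authenticate matches the live sample on the device and, on success, signs the
// server's challenge. The biometric itself is never transmitted anywhere.
func (d *Device) Authenticate(user string, nonce, liveSample []byte) ([]byte, error) {
	if sha256.Sum256(liveSample) != d.template {
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	return ed25519.Sign(d.priv, loginMessage(user, nonce)), nil
}

func main() {
	enrolled := []byte("constructed enrolled fingerprint sample") // constructed stand-in, not real data
	srv := NewServer()
	dev, pub, err := Enroll(enrolled)
	if err != nil {
		panic(err)
	}
	srv.Register("alice", pub)

	nonce, err := srv.Challenge("alice")
	if err != nil {
		panic(err)
	}
	sig, err := dev.Authenticate("alice", nonce, enrolled)
	fmt.Println("first login accepted:", err == nil && srv.Verify("alice", nonce, sig))
	fmt.Println("replayed signature accepted:", srv.Verify("alice", nonce, sig))

	nonce2, _ := srv.Challenge("alice")
	_, err = dev.Authenticate("alice", nonce2, []byte("a different finger"))
	fmt.Println("wrong finger:", err)
	fmt.Println("all the server ever stores:", hex.EncodeToString(pub)[:16]+"...")
}
```

The server in this sketch learns only that the enrolled key signed its challenge; whether the gate in front of that key was a fingerprint, a PIN or nothing at all is device policy it cannot see, which is why the TPM and attestation pieces mentioned above matter as much as the sensor.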

And biometric enrollment must either get centralized, federated or a lot easier to do than it is now.

Given the continued importance of services such as Google Apps, Facebook, Twitter and others, as well as the number of passwords we now need to maintain, it's starting to look like we need a universal biometric API, and preferably one which has government buy-in in terms of accepted standards.

I'd like to see Google, Facebook, Amazon, Microsoft, IBM, HP, Oracle and Apple, as well as the Office of the CIO of the United States and equivalent organizations in the EU, make this a priority.

There's far too much identity theft and password compromises going on and it's costing consumers, businesses and governments hundreds of millions if not billions of dollars a year, not to mention the aggravation and embarrassment of having your data compromised and the harm to your personal and business reputation when it occurs.

With the prevalence of Social Networking, smartphones and mobile applications, do we need a mass-adoption of biometrics? Talk Back and Let Me Know.
