This article was taken from the January 2013 issue of Wired magazine.
You have a secret that could ruin your life. It's not a
well-kept secret, either.
Just a string of characters -- maybe six if you're careless, 16
if you're cautious -- that can reveal everything.
Your email. Your bank account. Your address and credit-card
number. Photos of your kids or, worse, of yourself, naked. The
precise location where you're sitting right now as you read these
words. Since the dawn of the information age, we've bought into the
idea that a password, so long as it's elaborate enough, is an
adequate means of protecting all this precious data. But in 2012
that's a fallacy, a fantasy, an outdated sales pitch. And anyone
who still mouths it is a sucker -- or someone who takes you for
one.
No matter how complex or unique, your passwords can no longer
protect you.
Look around.
Leaks and dumps -- hackers breaking into computer systems and
releasing lists of usernames and passwords on the open web -- are
now regular occurrences. The way we daisy-chain accounts, with our
email address doubling as a universal login, creates a single point
of failure that can be exploited with devastating results. Thanks
to an explosion of personal information being stored in the cloud,
tricking customer-service agents into resetting passwords has never
been easier. All a hacker has to do is use personal information
that's publicly available on one service to gain entry into
another.
This summer, hackers destroyed my entire digital life in the
span of an hour. My Apple, Twitter, and Gmail passwords were all
robust -- seven, ten and 19 characters respectively, all
alphanumeric, some with symbols thrown in as well -- but the three
accounts were linked, so once the hackers had conned their way into
one, they had them all. They really just wanted my Twitter handle:
@mat. As a three-letter username, it's considered prestigious. And
to delay me from getting it back, they used my Apple account to
wipe every one of my devices, my iPhone and iPad and MacBook,
deleting all my messages and documents and every picture I'd ever
taken of my 18-month-old daughter.
Since that awful day, I've devoted myself to researching the
world of online security. And what I have found is utterly
terrifying. Our digital lives are simply too easy to crack. Imagine
that I want to get into your email. Let's say you're on AOL. All I
need to do is go to the website and supply your name plus maybe the
city you were born in, info that's easy to find in the age of
Google. With that, AOL gives me a password reset and I can log in
as you.
So, what's the first thing I do? Search for the word "bank" to
figure out where you do your online banking. I go there and click
on the "Forgot Password?" link. I get the password reset and log in
to your account, which I control. Now I own your bank account
as well as your email.
This summer I learned how to get into, well, everything. With
two minutes and $4 (£2.50) to spend at a sketchy foreign website, I
could report back with your credit card, phone number, and your
home address. Allow me five minutes more and I could be inside
your accounts for, say, Amazon, Best Buy, Hulu, Microsoft and
Netflix. With yet ten more, I could take over your
AT&T, Comcast, and Verizon. Give me 20 -- total -- and I own
your PayPal. Some of those security holes are plugged now. But not
all -- and new ones are discovered every day.
The common weakness in these hacks is the user's password. It's
an artefact from a time when our computers were not
hyper-connected. Today, nothing you do, no precaution you take, no
long or random string of characters can stop a truly dedicated and
devious individual from cracking your account and clearing you
out. The age of the password has come to an end; we just haven't
realised it yet.
Passwords are as old as civilisation. And for as long as they've
existed, people have been breaking them.
In 413 BC, at the height of the Peloponnesian War, the Athenian
general Demosthenes landed in Sicily with 5,000 soldiers to assist
in the attack on Syracuse. Things were looking good for the Greeks.
Syracuse, a key ally of Sparta, seemed sure to fall.
But during a chaotic nighttime battle at Epipole, Demosthenes's
forces were scattered, and while attempting to regroup they began
calling out their watchword, a prearranged term that would identify
soldiers as friendly. The Syracusans learned of the code and passed
it quietly through their ranks. At times when the Greeks looked too
formidable, the watchword allowed their opponents to pose as
allies. Employing this ruse, the Syracusans decimated the invaders,
and when the Sun rose, their cavalry mopped up the rest. It was a
turning point in the war.
The first computers to use passwords were likely those in MIT's Compatible
Time-Sharing System (CTSS), developed in 1961. To limit the time
any one user could spend on the system, CTSS used a login to ration
access. It took only until 1962 for a PhD student named Allan
Scherr to defeat the login with a simple hack: he located the file
containing the passwords and printed all of them out. After that,
he got as much time as he wanted.
During the formative years of the web, passwords worked pretty
well. This was due largely to how little data they actually needed
to protect. Our passwords were limited to a handful of
applications: an ISP for email and maybe an e-commerce site or two.
Because almost no personal information was in the cloud -- the
cloud was barely a wisp at that point -- there was little payoff
for breaking into an individual's accounts; the serious hackers
were still going after big corporate systems. So we were lulled
into complacency. Email addresses morphed into a sort of universal
login, serving as our username just about everywhere. This practice
persisted even as the number of accounts -- the number of failure
points -- grew exponentially. Web-based email was the gateway to a
new slate of cloud apps. We began banking in the cloud, tracking
our finances in the cloud and doing our taxes in the cloud. We
stashed our photos, our documents, our data in the cloud.
Eventually, as the number of epic hacks increased, we started to
lean on a curious psychological crutch: the notion of the "strong"
password. It's the compromise that web companies came up with to
keep people signing up and entrusting data to their sites. It's the
sticking plaster that's being washed away in a river of blood.
***
Every security framework needs to make two major trade-offs to
function in the real world. The first is convenience: the most
secure system isn't any good if it's a pain to access. A
256-character hexadecimal password might keep your data safe, but
you're no more likely to get into your account than anyone else.
Better security is easy if you're willing to inconvenience users,
but that's not a workable compromise.
The second trade-off is privacy. If the whole system is designed
to keep data secret, users will hardly stand for a security regime
that shreds their privacy. Imagine a safe that has no key or a
password, because security techs are in the room, watching it 24/7,
and they unlock the safe whenever they see that it's you. Without
privacy, we could have perfect security, but no one would accept a
system like that.
For decades now, web companies have been terrified by both
trade-offs. They have wanted the act of signing up and using their
service to seem both totally private and perfectly simple -- the
very state of affairs that makes adequate security impossible. So
they've settled on the strong password as the cure. Make it long
enough, throw in some caps and numbers, and everything will be
fine.
But for years it hasn't been fine. In the age of the algorithm,
when our laptops pack more processing power than a high-end
workstation did a decade ago, cracking a long password with
brute-force computation takes just a few million extra cycles.
That's not even counting the new hacking techniques that simply
steal our passwords or bypass them entirely -- techniques that no
password length or complexity can ever prevent. The number of data
breaches in the US increased by 67 per cent in 2011, and each major
breach is enormously expensive: after Sony's PlayStation
account database was hacked in 2011, the company had to shell out
$171 million to rebuild its network and protect users from
identity theft. Add up the total cost, including lost business, and
a single hack can become a billion-dollar catastrophe.
How do our online passwords fall? In every imaginable way:
they're guessed, lifted from a password dump, cracked by brute
force, stolen with a keylogger or reset by conning a company's
customer-support department.
Let's start with the simplest hack: guessing. Carelessness, it
turns out, is the biggest security risk of all. When security
consultant Mark Burnett compiled a list of the 10,000 most common
passwords based on easily available sources (such as passwords
dumped online by hackers and simple Google searches), he found the
number-one password people used was, yes, "password". The second
most popular? "123456". Free software tools with names such as Cain
and Abel or John the Ripper automate password-cracking to such an
extent that any idiot can do it. All you need is an internet
connection and a list of common passwords -- readily available in
handy database formats.
What's shocking isn't that people still use such terrible
passwords, it's that some companies allow it. The same lists that
can be used to crack passwords can also be used to make sure no one
is able to choose those passwords in the first place. But saving us
from our bad habits isn't nearly enough to salvage the system.
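As an added illustration of the point above (not code from the article or from any of the companies it names), here is a sign-up check that rejects passwords found on a common-password list; the list below is a constructed stand-in for a published top-N list, and the check goes slightly beyond exact matching by also catching trailing-digit variants such as "Password1".

```python
# Added example: refuse passwords that appear on a common-password list
# at sign-up, as the article suggests sites should. Not the article's code.
import re

# Constructed sample list; a real deployment loads a published top-N list.
# "password" and "123456" are the two most common entries named in the text.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

MIN_LENGTH = 8  # assumed policy minimum, not taken from the article


def normalise(candidate: str) -> str:
    """Reduce a candidate to the base word a cracking wordlist would contain.

    Lower-cases the string and strips trailing digits/symbols, so that
    'Password1!' and 'password' are treated as the same weak choice.
    """
    return re.sub(r"[\d\W_]+$", "", candidate.lower())


def check_password(candidate: str,
                   common: list[str] = COMMON_PASSWORDS) -> tuple[bool, str]:
    """Return (allowed, reason) for a proposed password.

    Rejects, in order: too-short passwords, exact hits on the common list,
    and trivial variants of a common entry (same word plus trailing digits
    or punctuation).
    """
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    blocked = {p.lower() for p in common}
    if candidate.lower() in blocked:
        return False, "appears on the common-password list"
    base = normalise(candidate)
    if base in blocked:
        return False, f"is a trivial variant of '{base}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "Password1!", "123456", "tr0ub4dor&3xyz"]:
        allowed, reason = check_password(pw)
        print(f"{pw!r:20} allowed={allowed} ({reason})")
```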
Our other common mistake is password reuse. During the past two
years, more than 280 million "hashes" (encrypted but crackable
passwords) have been dumped online for everyone to see. LinkedIn,
Yahoo!, Gawker and eHarmony all had security breaches in which the
usernames and passwords of millions of people were stolen and then
dropped on the open web. A comparison of two dumps found that
49 per cent of people had reused usernames and passwords
between the hacked sites.
"Password reuse is what really kills you," says Diana Smetters,
a software engineer at Google who works on authentication systems.
"There is a very efficient economy for exchanging that
information." Your login may have already been compromised, and you
might not know it -- until an account is destroyed.
Hackers also get our passwords through trickery. The most
well-known technique is phishing, which involves mimicking a
familiar site and asking users to enter their login information.
Steven Downey, CTO of Shipley Energy in Pennsylvania, describes how
this technique compromised the online account of one of his
company's board members. The executive had used a complex
alphanumeric password to protect her AOL email, but was tricked
into freely giving it up.
The hacker phished his way in: he sent her an email that linked
to a bogus AOL page, which asked for her password. She entered it.
After that he did nothing. At first, that is. The hacker just
lurked, reading all her messages and getting to know her. He
learned where she banked and that she had an accountant who handled
her finances. He even learned her electronic mannerisms, the
phrases and salutations she used. Only then did he pose as her and
send an email to her accountant, ordering three separate wire
transfers totalling $120,000 (£74,000) to a bank in Australia. Her
bank at home sent $89,000 (£55,000) before the scam was
detected.
Even more sinister is malware: hidden programs that secretly
send your data to other people. According to a
Verizon report, malware attacks accounted for 69 per cent
of US data breaches in 2011. Malware commonly installs a keylogger
or some other spyware. Its targets are often large organisations,
where the goal is not to steal one or a thousand passwords, but to
access an entire system.
One example is ZeuS, a piece of malware that first appeared in
2007. Clicking a link, usually in a phishing email, installs it on
your computer. Then it waits for you to log in to an online banking
account: ZeuS grabs your password and sends it to the hacker. In a
single case in 2010, the FBI helped apprehend five people in
Ukraine who had employed ZeuS to steal $70 million from 390
victims, primarily small businesses in the US. "Hackers are going
after small businesses," says Jeremy Grant, who runs the US
Department of Commerce's National Strategy for Trusted Identities
in Cyberspace, which is figuring out how to get us past the current
password regime. "They have more money than individuals and less
protection than large corporations."
If our problems with passwords ended there, we could probably
save the system. We could ban poor passwords and discourage reuse.
We could train people to outsmart phishing attempts. We could
use antivirus software to root out malware.
But we'd be left with the weakest link of all: human memory.
Passwords need to be hard in order not to be routinely cracked or
guessed. So if your password is any good at all, there's a very
good chance you'll forget it. Because of that, every password-based
system needs a reset mechanism. And the inevitable trade-offs
(security vs privacy vs convenience) mean that recovering a
forgotten password can't be too onerous. That's what opens your
account to being easily overtaken via social engineering. Although
"socialing" was responsible for just seven per cent of the
hacking cases that US government agencies tracked in 2011, it raked
in 37 per cent of the total data stolen.
Socialing is how my Apple ID was stolen this past summer. The
hackers persuaded Apple to reset my password by calling the
help-line and using my address details and the last four digits of
my credit card. As I had designated my Apple mailbox as a backup
for my Gmail account, the hackers could reset that too, deleting
eight years of email and documents. They posed as me on Twitter and
posted racist and anti-gay diatribes there.
After my story set off a wave of publicity, Apple changed its
practices: it temporarily quit issuing password resets over the
phone. But you could still get one online. And so a month later, a
different exploit was used against New York Times
technology columnist David Pogue. The hackers were able to reset
his password online by getting past his "security questions".
To reset a lost login, you need to supply answers to questions
that (supposedly) only you know. Pogue had picked (1) What was your
first car? (2) What is your favourite model of car? and (3) Where
were you on January 1, 2000? Answers to the first two were
available on Google: he had written that a Corolla had been his
first car, and had recently praised his Toyota Prius. The hackers
simply took a wild guess on the third question: "party". Lots of
people use that one.