Aug 08, 2012

Movie Hacking vs Real Hacking

When our Hollywood protagonist needs to access a secure system, they use deductive reasoning to magically guess any password they need. With a little logic, supposedly, you can figure out exactly what password anyone is using at a given moment. Some people do choose poor passwords (the kind an idiot might have on his luggage), but the good news is that the trope is bullshit. Hollywood is notorious for really terrible representations of hacking and technology. People can’t magically guess your password. The bad news is that they don’t have to.

We live in a world where teenagers (who didn’t need any technical acumen) were able to “hack” Sarah Palin’s email and the White House Twitter feed. “Script kiddies” with a little technical acumen were able to hack LinkedIn, Sony, Citigroup and others. (In Sony’s case, several of their websites were hacked with very basic SQL injection techniques, while the PlayStation Network breach involved physical access to the datacenter.)

In the 21st century, technology moves faster than our comprehension of it. Exceedingly profitable companies like Apple make billions finding ways to make technology more accessible. In turn, hundreds of millions of consumers feel comfortable integrating technology they don’t understand into their lives. We choose to trust companies like Apple, Microsoft, Google, Facebook, Amazon, etc. with our personal data and, more importantly, our digital lives. As we stand on the precipice of ubiquitous adoption of cloud computing, the biggest problem isn’t that we can’t trust those companies with our most precious personal data. It is that those companies are merely gatekeepers to our digital lives, and in most cases that gate can be bypassed with a simple password reset.

The greatest advantage of cloud computing is the notion that your data is forever safe. The hard drive in your computer has an expiration date. At some point it will die and take all its precious data with it. But if I store my pictures, music, email, movies, and musings in the cloud, then they will always live another day (even if my laptop were submerged in liquid nitrogen and then destroyed). And yet it was specifically because Mat Honan used cloud services that hackers were able to remotely wipe his phone, laptop, Google account, and all the photos of his daughter.

Teenagers accidentally hacking NORAD in Wargames. Today they do it intentionally for “lulz”

Even more terrifying is what those hackers could have done. Once they had access to his email, they could have performed password resets for his credit card accounts and used social engineering to target all the high profile technologists in his address book. The technique to destroy his digital life is trivial. Apple and Amazon are both changing policies that allowed his accounts to be so easily hacked, but in the end, passwords have utterly failed us.

Sadly, many of our policies that we believe increase security (making complex, hard to remember passwords and enforcing that we change them frequently) hurt more than they help. This encourages people to write down passwords, or use passwords that can be determined via social engineering. And for what it is worth, long passwords that are easy to remember are more secure than short passwords, but most systems I’ve seen limit max password length foolishly.

Mixing different character classes does little against brute force attacks: last year’s technology could already crack an 8-character case-sensitive password in 2 hours. If there is a valuable target, you can assemble a temporary supercomputer via Amazon’s cloud offering to greatly reduce that time. The linked article mentions that the supercomputer could be used for cancer research, but it could likewise be used for nefarious purposes.
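To put numbers on the two preceding paragraphs (length beats character mixing, and a max-length cap throws that advantage away), here is an added keyspace and crack-time calculator; it is example code written for this page, not from the post or any linked article, and the 1e9 guesses/second rate is an assumed placeholder rather than a measured figure.

```python
import math
from typing import Optional

# Character-class sizes for common password policies (assumed typical
# ASCII classes; these numbers are not from the post).
CHARSETS = {
    "lowercase": 26,
    "mixed_case": 52,
    "printable_ascii": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the class."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(charset_size)


def effective_length(length: int, max_length: Optional[int]) -> int:
    """Length the system really checks when it caps (and silently truncates)
    passwords at `max_length`; None means no cap."""
    return length if max_length is None else min(length, max_length)


def exhaust_seconds(charset_size: int, length: int, guesses_per_second: float,
                    max_length: Optional[int] = None) -> float:
    """Seconds for an offline attacker to try the whole keyspace at the given
    rate (the expected time to hit a random password is about half of this)."""
    n = effective_length(length, max_length)
    return keyspace(charset_size, n) / guesses_per_second


def compare_policies(guesses_per_second: float = 1e9,
                     max_length: Optional[int] = None) -> dict:
    """Compare an 8-char 'complex' password with a 20-char lowercase passphrase.
    Returns exhaust times in days and whether the passphrase is the stronger one."""
    complex8 = exhaust_seconds(CHARSETS["printable_ascii"], 8, guesses_per_second, max_length)
    phrase20 = exhaust_seconds(CHARSETS["lowercase"], 20, guesses_per_second, max_length)
    return {
        "complex8_days": complex8 / 86400,
        "passphrase20_days": phrase20 / 86400,
        "passphrase_wins": phrase20 > complex8,
    }


if __name__ == "__main__":
    print("no cap:", compare_policies())          # passphrase wins by a wide margin
    print("capped at 8:", compare_policies(max_length=8))  # truncation flips the result
```

Run with a `max_length` of 8 and the 20-character passphrase collapses to 26^8 guesses, far weaker than the 8-character mixed password, which is exactly the harm of a foolish length limit.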

Ideally, someone shouldn’t be able to attempt password guesses repeatedly with brute force attacks. But not every system follows best practices, and in the end you’re only as secure as your weakest link. We can try to improve the situation. Google Chrome could offer a feature in their browser to generate a random, difficult password unique to each website or service you use, and store these passwords in a password locker. You then use one password to open the locker, but if that one password is compromised you lose everything. And it doesn’t address the root problem of password resets.
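The paragraph above says systems should not let someone guess passwords repeatedly; the following is an added illustration of one such online-guessing throttle (per-account failure counting with an exponential lockout). It is example code written for this page, not something from the post or from any vendor named in it; the attempt limits, delays and the injected clock are assumptions chosen for the demo.

```python
import time
from typing import Callable, Dict


class LoginThrottle:
    """Per-account throttle against online password guessing (added example).

    The first `free_attempts` failures cost nothing. Each further failure locks
    the account for base_delay * 2**k seconds (k counting from 0), capped at
    max_delay. A successful login clears the counter. Note the trade-off: an
    attacker can deliberately lock out a legitimate user, so real deployments
    pair this with per-source limits and alerting rather than relying on it alone.
    """

    def __init__(self, free_attempts: int = 3, base_delay: float = 1.0,
                 max_delay: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock  # injectable so tests can advance time deterministically
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_allowed(self, account: str) -> bool:
        return self.clock() >= self._locked_until.get(account, 0.0)

    def record_failure(self, account: str) -> float:
        """Register a bad password; returns the lockout now applied in seconds (0 if none)."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n <= self.free_attempts:
            return 0.0
        delay = min(self.base_delay * 2 ** (n - self.free_attempts - 1), self.max_delay)
        self._locked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, supplied: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Check the lockout before the password, so a locked account rejects even a correct guess."""
    if not throttle.is_allowed(account):
        return "locked"
    if verify(account, supplied):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```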

So long as passwords can be reset with commonly accessed knowledge, passwords are inherently insecure. And since so many millions of username/password combinations have been leaked online in the past year, there is a good chance someone can access your accounts without even needing to do a password reset.

Oddly enough, the rise of cloud computing can be both the problem and the solution. More and more people have smartphones, and thus an always connected device. Your phone can be used for what people currently call two-factor authentication, though it arguably isn’t. Google currently supports this if you enable it. You have to type in a password and a code that is sent to your phone. The problem is that if someone steals your phone, they’ll have access to your email (to do password resets) as well as your actual phone. It would still prevent hackers from remotely accessing your account, or from working through several accounts, when they don’t possess the physical phone.

But perhaps the ideal solution is a true two-factor authentication of using biometrics (such as a finger print) on our phones. Either way, we need to move away from passwords.

T. J. Brumfield

T. J. is a human being residing on the planet Earth. He enjoys converting oxygen to carbon-dioxide and carbonated beverages to urine. He is tolerated (barely) by a wife and child. If you can't tell by the snark, he doesn't like writing bios. He feels real people aren't easily labeled.
You can follow him on , Facebook, or Twitter unless you're T. J.'s parole officer.

2 Responses to “Passwords Have Irrevocably Failed”


    As the information that we have in internet-based services becomes more valuable, better security becomes a necessity. But what better methods do we have? I’d be very cautious about using biometrics – it’s not that different from a password. Any biometric reading has to be converted into a code before it is transmitted. So to break into your email, or bank account you would still need a code, rather than a fingerprint or retina. If brute-force hacking is getting faster and easier, then that code is still vulnerable (although far better than a standard 8 character password). Not to mention those people for whom biometrics are impossible, who are unable to give a thumb-print or retina scan. What happens to them?

    I’m reminded about an article Shamus Young wrote about piracy, and increasing levels of DRM. The gist of it was that any “always-on” DRM will ultimately fail because you have to transmit game data to the user, which must be unencrypted so that the user can play the game. “The Impossible DRM”


      Biometric security is probably the best option on the table. Someone who lost their hands, or burned their hands and doesn’t have fingerprints, could use a prosthetic. So long as it was unique and only they used it, it would serve the same purpose.

      I do want to write a piece for the site on DRM at a later date.