Hacked: Passwords have failed and it's time for something new


This article was taken from the January 2013 issue of Wired magazine.

You have a secret that could ruin your life. It's not a well-kept secret, either. Just a string of characters -- maybe six if you're careless, 16 if you're cautious -- that can reveal everything.

Your email. Your bank account. Your address and credit-card number. Photos of your kids or, worse, of yourself, naked. The precise location where you're sitting right now as you read these words. Since the dawn of the information age, we've bought into the idea that a password, so long as it's elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that's a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker -- or someone who takes you for one.

No matter how complex or unique, your passwords can no longer protect you.

Look around. Leaks and dumps -- hackers breaking into computer systems and releasing lists of usernames and passwords on the open web -- are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal login, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer-service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that's publicly available on one service to gain entry into another.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust -- seven, ten and 19 characters respectively, all alphanumeric, some with symbols thrown in as well -- but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it's considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I'd ever taken of my 18-month-old daughter.


Since that awful day, I've devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let's say you're on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that's easy to find in the age of Google. With that, AOL gives me a password reset and I can log in as you.

So, what's the first thing I do? Search for the word "bank" to figure out where you do your online banking. I go there and click on the "Forgot Password?" link. I get the password reset and log in to your account, which I control. Now I own your bank account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 (£2.50) to spend at a sketchy foreign website, I could report back with your credit card, phone number, and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft and Netflix. With yet ten more, I could take over your AT&T, Comcast, and Verizon. Give me 20 -- total -- and I own your PayPal. Some of those security holes are plugged now. But not all -- and new ones are discovered every day.

The common weakness in these hacks is the user's password. It's an artefact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account and clearing you out. The age of the password has come to an end; we just haven't realised it yet.

Passwords are as old as civilisation. And for as long as they've existed, people have been breaking them.

In 413 BC, at the height of the Peloponnesian War, the Athenian general Demosthenes landed in Sicily with 5,000 soldiers to assist in the attack on Syracuse. Things were looking good for the Greeks. Syracuse, a key ally of Sparta, seemed sure to fall.

But during a chaotic nighttime battle at Epipole, Demosthenes's forces were scattered, and while attempting to regroup they began calling out their watchword, a prearranged term that would identify soldiers as friendly. The Syracusans learned of the code and passed it quietly through their ranks. At times when the Greeks looked too formidable, the watchword allowed their opponents to pose as allies. Employing this ruse, the Syracusans decimated the invaders, and when the Sun rose, their cavalry mopped up the rest. It was a turning point in the war.

The first computers to use passwords were likely those in MIT's Compatible Time-Sharing System (CTSS), developed in 1961. To limit the time any one user could spend on the system, CTSS used a login to ration access. It only took until 1962 for a PhD student named Allan Scherr to defeat the login with a simple hack: he located the file containing the passwords and printed out all of them. After that, he got as much time as he wanted.

During the formative years of the web, passwords worked pretty well. This was due largely to how little data they actually needed to protect. Our passwords were limited to a handful of applications: an ISP for email and maybe an e-commerce site or two.

Because almost no personal information was in the cloud -- the cloud was barely a wisp at that point -- there was little payoff for breaking into an individual's accounts; the serious hackers were still going after big corporate systems. So we were lulled into complacency. Email addresses morphed into a sort of universal login, serving as our username just about everywhere. This practice persisted even as the number of accounts -- the number of failure points -- grew exponentially. Web-based email was the gateway to a new slate of cloud apps. We began banking in the cloud, tracking our finances in the cloud and doing our taxes in the cloud. We stashed our photos, our documents, our data in the cloud.

Eventually, as the number of epic hacks increased, we started to lean on a curious psychological crutch: the notion of the "strong" password. It's the compromise that web companies came up with to keep people signing up and entrusting data to their sites. It's the sticking plaster that's being washed away in a river of blood.


Every security framework needs to make two major trade-offs to function in the real world. The first is convenience: the most secure system isn't any good if it's a pain to access. A 256-character hexadecimal password might keep your data safe, but you're no more likely to get into your account than anyone else. Better security is easy if you're willing to inconvenience users, but that's not a workable compromise.

The second trade-off is privacy. If the whole system is designed to keep data secret, users will hardly stand for a security regime that shreds their privacy. Imagine a safe that has no key or a password, because security techs are in the room, watching it 24/7, and they unlock the safe whenever they see that it's you. Without privacy, we could have perfect security, but no one would accept a system like that.

For decades now, web companies have been terrified by both trade-offs. They have wanted the act of signing up and using their service to seem both totally private and perfectly simple -- the very state of affairs that makes adequate security impossible. So they've settled on the strong password as the cure. Make it long enough, throw in some caps and numbers, and everything will be fine.

But for years it hasn't been fine. Computation is cheap: a laptop packs more processing power than a high-end workstation did a decade ago, and a single graphics card can test billions of candidate passwords per second against a leaked, unsalted hash. Each extra character multiplies the attacker's work, but a password you can actually remember does not grow as fast as the hardware guessing at it.

That's not even counting the new hacking techniques that simply steal our passwords or bypass them entirely -- techniques that no password length or complexity can ever prevent. The number of data breaches in the US increased by 67 per cent in 2011, and each major breach is enormously expensive: after Sony's PlayStation account database was hacked in 2011, the company had to shell out $171 million to rebuild its network and protect users from identity theft. Add up the total cost, including lost business, and a single hack can become a billion-dollar catastrophe.

How do our online passwords fall? In every imaginable way: they're guessed, lifted from a password dump, cracked by brute force, stolen with a keylogger or reset by conning a company's customer-support department.

Let's start with the simplest hack: guessing. Carelessness, it turns out, is the biggest security risk of all. When security consultant Mark Burnett compiled a list of the 10,000 most common passwords based on easily available sources (such as passwords dumped online by hackers and simple Google searches), he found the number-one password people used was, yes, "password". The second most popular? "123456". Free software tools with names such as Cain and Abel or John the Ripper automate password-cracking to such an extent that any idiot can do it. All you need is an internet connection and a list of common passwords -- readily available in handy database formats.

What's shocking isn't that people still use such terrible passwords, it's that some companies allow it. The same lists that can be used to crack passwords can also be used to make sure no one is able to choose those passwords in the first place. But saving us from our bad habits isn't nearly enough to salvage the system.

Our other common mistake is password reuse. During the past two years, more than 280 million password "hashes" (one-way digests of passwords: they cannot be decrypted, but they can be cracked by guessing candidates and comparing) have been dumped online for everyone to see. LinkedIn, Yahoo!, Gawker and eHarmony all had security breaches in which the usernames and passwords of millions of people were stolen and then dropped on the open web. A comparison of two dumps found that 49 per cent of people had reused usernames and passwords between the hacked sites. "Password reuse is what really kills you," says Diana Smetters, a software engineer at Google who works on authentication systems. "There is a very efficient economy for exchanging that information." Your login may have already been compromised, and you might not know it -- until an account is destroyed.
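To make the mechanics concrete, here is an added example in Python (not part of Honan's article, and not code from any of the companies named) that works through the problems of the last few paragraphs. A constructed dump stores passwords as bare, unsalted SHA-1 digests, the way LinkedIn's leaked hashes were; a dictionary attack recovers every account whose password appears on a short common-password list in a single pass, and the same list refuses those passwords at sign-up. A second constructed dump shows how reuse across sites is spotted once both are cracked, and a salted, deliberately slow hash (PBKDF2 from the standard library) shows what a site should have stored instead. The addresses, passwords and list are all made up.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not from any real breach). The two
# "dumps" store passwords as bare, unsalted SHA-1 digests, the way LinkedIn's did.
COMMON_PASSWORDS = [
    "password", "123456", "12345678", "qwerty", "abc123",
    "monkey", "letmein", "dragon", "111111", "iloveyou",
]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, as the weak sites in the example stored it."""
    return hashlib.sha1(password.encode()).hexdigest()


SITE_A_DUMP = {
    "alice@example.org": sha1_hex("letmein"),
    "bob@example.org": sha1_hex("123456"),
    "carol@example.org": sha1_hex("Tr0ub4dor&3-correct-horse"),  # not on the list
    "dave@example.org": sha1_hex("password"),
}
SITE_B_DUMP = {
    "alice@example.org": sha1_hex("letmein"),   # same password on both sites
    "bob@example.org": sha1_hex("qwerty"),      # different password here
    "dave@example.org": sha1_hex("password"),   # reused
}


def crack_unsalted(dump: dict, wordlist: list) -> dict:
    """Dictionary attack against unsalted hashes.

    With no salt, each candidate word is hashed once and checked against every
    account at the same time, so the cost does not grow with the number of users.
    """
    lookup = {sha1_hex(word): word for word in wordlist}
    return {email: lookup[h] for email, h in dump.items() if h in lookup}


def reused_across(cracked_a: dict, cracked_b: dict) -> list:
    """Accounts whose recovered password is identical in both dumps."""
    both = cracked_a.keys() & cracked_b.keys()
    return sorted(email for email in both if cracked_a[email] == cracked_b[email])


def is_blocklisted(password: str, wordlist: list = COMMON_PASSWORDS) -> bool:
    """The same list, used at sign-up to refuse the passwords crackers try first."""
    return password.lower() in {word.lower() for word in wordlist}


def hash_for_storage(password: str, iterations: int = 200_000) -> str:
    """What a site should store instead: a random per-user salt and a slow KDF
    (PBKDF2-HMAC-SHA256 from the standard library), so one guess costs thousands
    of hash operations and has to be repeated separately for every account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_stored(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    cracked_a = crack_unsalted(SITE_A_DUMP, COMMON_PASSWORDS)
    cracked_b = crack_unsalted(SITE_B_DUMP, COMMON_PASSWORDS)
    print("cracked from site A:", cracked_a)
    print("reused on both sites:", reused_across(cracked_a, cracked_b))
    print("would 'Password' be accepted at sign-up?", not is_blocklisted("Password"))
    record = hash_for_storage("letmein")
    print("same password, different record:", record != hash_for_storage("letmein"))
    print("verifies:", verify_stored("letmein", record))
```

Note that the blocklist check is a floor, not a fix: it stops "password" and "123456", but not a strong password that the same person also used on a site that leaked.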

Hackers also get our passwords through trickery. The most well-known technique is phishing, which involves mimicking a familiar site and asking users to enter their login information.

Steven Downey, CTO of Shipley Energy in Pennsylvania, describes how this technique compromised the online account of one of his company's board members. The executive had used a complex alphanumeric password to protect her AOL email, but was tricked into freely giving it up.

The hacker phished his way in: he sent her an email that linked to a bogus AOL page, which asked for her password. She entered it.

After that he did nothing. At first, that is. The hacker just lurked, reading all her messages and getting to know her. He learned where she banked and that she had an accountant who handled her finances. He even learned her electronic mannerisms, the phrases and salutations she used. Only then did he pose as her and send an email to her accountant, ordering three separate wire transfers totalling $120,000 (£74,000) to a bank in Australia. Her bank at home sent $89,000 (£55,000) before the scam was detected.

Even more sinister is malware: hidden programs that secretly send your data to other people. According to a Verizon report, malware attacks accounted for 69 per cent of US data breaches in 2011. Malware commonly installs a keylogger or some other spyware. Its targets are often large organisations, where the goal is not to steal one or a thousand passwords, but to access an entire system.

One example is ZeuS, a piece of malware that first appeared in 2007. Clicking a link, usually in a phishing email, installs it on your computer. Then it waits for you to log in to an online banking account: ZeuS grabs your password and sends it to the hacker. In a single case in 2010, the FBI helped apprehend five people in Ukraine who had employed ZeuS to steal $70 million from 390 victims, primarily small businesses in the US. "Hackers are going after small businesses," says Jeremy Grant, who runs the US Department of Commerce's National Strategy for Trusted Identities in Cyberspace, which is figuring out how to get us past the current password regime. "They have more money than individuals and less protection than large corporations."

If our problems with passwords ended there, we could probably save the system. We could ban poor passwords and discourage reuse. We could train people to outsmart phishing attempts. We could use antivirus software to root out malware. But we'd be left with the weakest link of all: human memory.

Passwords need to be hard in order not to be routinely cracked or guessed. So if your password is any good at all, there's a very good chance you'll forget it. Because of that, every password-based system needs a reset mechanism. And the inevitable trade-offs (security vs privacy vs convenience) mean that recovering a forgotten password can't be too onerous. That's what opens your account to being easily overtaken via social engineering. Although "socialing" was responsible for just seven per cent of the hacking cases that US government agencies tracked in 2011, it raked in 37 per cent of the total data stolen.

Socialing is how my Apple ID was stolen this past summer. The hackers persuaded Apple to reset my password by calling the help-line and using my address details and the last four digits of my credit card. As I had designated my Apple mailbox as a backup for my Gmail account, the hackers could reset that too, deleting eight years of email and documents. They posed as me on Twitter and posted racist and anti-gay diatribes there.

After my story set off a wave of publicity, Apple changed its practices: it temporarily quit issuing password resets over the phone. But you could still get one online. And so a month later, a different exploit was used against New York Times technology columnist David Pogue. The hackers were able to reset his password online by getting past his "security questions".

To reset a lost login, you need to supply answers to questions that (supposedly) only you know. Pogue had picked (1) What was your first car? (2) What is your favourite model of car? and (3) Where were you on January 1, 2000? Answers to the first two were available on Google: he had written that a Corolla had been his first car, and had recently praised his Toyota Prius. The hackers simply took a wild guess on the third question: "party". Lots of people use that one.

With that, the hackers were in. They dove into his address book (he's pals with magician David Blaine!) and locked him out of his kitchen iMac.

You might think "that could never happen to me": David Pogue is a prolific writer for the major media whose every brainwave goes online. But have you thought about your LinkedIn account? Your Facebook page? Your kids' pages or your friends' or family's? If you have a serious web presence, your answers to the standard questions -- still often the only options available -- are trivial to root out. Your mother's maiden name is on Ancestry.com, your school mascot is on Classmates, your birthday is on Facebook and so is your best friend's name.

The ultimate problem with the password is that it's a single point of failure, open to many avenues of attack. We can't possibly have a password-based security system that's memorable enough to allow mobile logins, nimble enough to vary from site to site, convenient enough to be easily reset and yet also secure against brute-force hacking. But today that's exactly what we're banking on.

Who is doing this? The answer breaks down into two main groups: syndicates and bored teenagers.

The syndicates are scary because they're efficient and wildly prolific. Malware and virus-writing used to be something hobbyist hackers did for fun. Not any more. Sometime around the mid-2000s, organised crime took over. Today's virus writer is more likely to be a professional criminal operating out of the former Soviet Union than some kid in a university dorm room. There's a good reason for that: money. In 2011 Russian-speaking hackers alone made an estimated $4.5 billion (£2.7 billion) from cybercrime -- no wonder the practice has become organised. Moreover, they are targeting not just businesses and financial institutions, but individuals too. Russian cybercriminals took in tens of millions of dollars from individuals last year.

But teenagers are, if anything, scarier, because they're so innovative. The groups that hacked David Pogue shared a common member: a 14-year-old who goes by the handle "Dictate". He calls companies or chats with them online, asking for password resets. He and others like him start by looking for information about you that's publicly available: your name, email and home address, for example, which are easy to get from sites like Spokeo and WhitePages.com. Then he uses that data to reset your password in places such as Hulu and Netflix, where billing information, including the last four digits of your credit-card number, is kept visibly on file. Soon, through patience and trial and error, he'll have your email, your photos, your files -- just as he had mine.

Why do kids like Dictate do it? Mostly just for lulz. One favourite is to anger people by posting racist or offensive messages on their personal accounts. As Dictate explains, "Racism invokes a funnier reaction in people. Hacking, people don't care. When we jacked @jennarose3xo [AKA Jenna Rose, a teen singer whose videos got widely hate-watched in 2010], I got no reaction from just tweeting that I jacked her stuff. We got a reaction when we uploaded a video of some black guys and pretended to be them." Apparently, sociopathy sells.

A lot of these kids came out of the Xbox hacking scene, where the networked competition of gamers encouraged kids to learn cheats to get what they wanted. In particular they developed techniques to steal so-called OG (original gamer) tags -- the simple ones, such as "Dictate" instead of "Dictate27098" -- from the people who'd claimed them first. One hacker was "Cosmo" -- one of the first to discover many of the most brilliant socialing exploits out there, including those used on Amazon and PayPal. ("It just came to me," he said with pride when I met him a few months ago at his grandmother's house in southern California.) In early 2012, Cosmo's group, UGNazi, took down sites including Nasdaq, the CIA and 4chan. When the FBI finally arrested this shadowy figure in June, they found that he was just 15 years old; when he and I met a few months later, I had to drive.

It's precisely because of the relentless dedication of kids such as Dictate and Cosmo that the password system cannot be salvaged. You can't arrest them all, and even if you did, new ones would keep growing up.

For the same reason, many of the silver bullets that people imagine will supplement -- and save -- passwords are vulnerable as well. For example, in March 2011 hackers broke into the security company RSA and stole data relating to its SecurID tokens, supposedly hack-proof devices that provide secondary codes to accompany passwords. RSA never divulged just what was taken, but it's widely believed that the hackers got enough data to reproduce the codes the tokens generate, most likely the per-token seed values from which those codes are derived. If they also learned the tokens' device IDs and which users they had been issued to, they'd be able to penetrate the most secure systems in corporate America.

On the consumer side, take Google's two-factor authentication for Gmail. It works like this: first you confirm a mobile-phone number with Google. After that, whenever you try to log in from an unfamiliar IP address, the company sends a code to your phone: the second factor. Does this keep your account safer? Absolutely. Will it save passwords from obsolescence? Let me tell you about what happened to Matthew Prince.


This past summer UGNazi decided to go after Prince, CEO of a web performance and security company called CloudFlare. They wanted to get into his Google Apps account, but it was protected by two-factor -- so the hackers hit his AT&T mobile-phone account.

As it turns out, AT&T uses US Social Security numbers essentially as an over-the-phone password. Give the carrier those nine digits -- or even just the last four -- along with the name, phone number and billing address on an account and it lets anyone add a forwarding number to any account in its system. And getting a Social Security number (SSN) these days is simple: they're sold openly online.

Prince's hackers used the SSN to add a forwarding number to his AT&T service, and then made a password-reset request with Google, choosing the automated phone call. So when the call came in, it was forwarded to them -- voilà! Prince's account was theirs, with just a little extra effort.

Despite the scale of the password crisis, there isn't yet a replacement. What we can say is that access to our data can no longer hinge on secrets. The internet doesn't do secrets. Everyone is a few clicks away from knowing everything.

Instead, our new system will need to hinge on who we are and what we do: where we go and when, how we act when we're there. And each account will need to cue off many such pieces of information, not just one or two.

This last point is crucial. Two factors should be a bare minimum. Think about it: when you see a man on the street and think it might be your friend, you don't ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does his voice sound the same? Is he in a place he's likely to be? If many points don't match, you might not believe his ID; you'd just assume it was fake.

The future of online identity verification may include passwords, but it will no longer be a password-based system. The password will be just one token. Jeremy Grant of the US Department of Commerce calls this an identity ecosystem.


What about biometrics? Could a fingerprint reader or iris scanner be what passwords used to be: a single-factor solution, an instant verification? They have two inherent problems. First, the infrastructure to support them doesn't exist, a chicken-or-egg issue that almost always spells death for a new technology. Because fingerprint readers and iris scanners are expensive and buggy, no one uses them; because no one uses them, they never become cheaper or better.

The second, bigger problem is also the Achilles' heel of any one-factor system: a fingerprint or iris scan is a single piece of data, and single pieces of data will be stolen. Dirk Balfanz, a software engineer on Google's security team, points out that pass-codes and keys can be replaced, but biometrics are forever: "It's hard for me to get a new finger if my print gets lifted off a glass," he jokes. In the age of HD photography, using your face or your eye or even your fingerprint as a one-stop verification just means that anyone who can copy it can also get in.

Does that sound far-fetched? It's not. Kevin Mitnick, the fabled social engineer who spent five years in prison for his hacking heroics, now runs his own security company, which gets paid to break into systems and then tell the owners how it was done. In one recent exploit, the client was using voice authentication. To get in, you had to recite a series of randomly generated numbers, and both the sequence and the speaker's voice had to match. Mitnick called his client and recorded their conversation, tricking him into using the numbers zero through nine in conversation, which he then used to trick the system. Simple.

None of this is to say that biometrics won't play a crucial role in future security systems. Devices might require a biometric confirmation to use them, and they will help to identify you: your computer or a remote website you're trying to access will confirm a particular device -- verifying something you are and something you have. But if you're logging in to your bank account from an unlikely place -- say, Lagos, Nigeria -- then you may have to go through a few more steps. Maybe you'll have to speak a phrase into the mic and match your voiceprint. Maybe your phone's camera snaps a picture of your face and sends it to three friends, one of whom has to confirm your identity before you can proceed.

In many ways, our data providers will learn to think somewhat like credit-card companies do today: monitoring patterns to flag anomalies. "A lot of what you'll see is that sort of risk analytics," Grant says. "Providers will be able to see where you're logging in from, what kind of operating system you're using."

Google is already pushing in this direction, examining each login and how it relates to the previous one in terms of location, device and other signals the company won't disclose. If it sees something aberrant, it will force a user to answer questions about the account. "If you can't pass those questions," Smetters says, "we'll tell you to change your password -- because you've been owned."
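Here is what the risk analytics Grant and Smetters describe look like at the smallest scale, as an added example (not Google's system, and not code from the original article): a few constructed login records for one user, a score built from the signals the text names (device, operating system, location) plus an impossible-travel check, and a decision that lets the login through, lets it through with an alert, or forces the extra questions. The weights, thresholds, coordinates, device names and timestamps are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    """One login event with the signals a provider can see without asking."""
    user: str
    when: datetime
    device_id: str
    country: str
    lat: float
    lon: float
    os: str


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine), for the impossible-travel check."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * r * asin(sqrt(a))


def risk_score(history, attempt, max_kmh=900.0):
    """Score an attempt against the user's prior successful logins.

    The weights are illustrative choices for this example, not anyone's policy.
    Returns (score, reasons) so the decision can be explained to the user.
    """
    if not history:
        return 0, ["no history: nothing to compare against"]
    score, reasons = 0, []
    if attempt.device_id not in {h.device_id for h in history}:
        score += 2
        reasons.append("new device")
    if attempt.os not in {h.os for h in history}:
        score += 1
        reasons.append(f"new operating system ({attempt.os})")
    if attempt.country not in {h.country for h in history}:
        score += 3
        reasons.append(f"new country ({attempt.country})")
    last = max(history, key=lambda h: h.when)
    hours = (attempt.when - last.when).total_seconds() / 3600
    distance = km_between(last.lat, last.lon, attempt.lat, attempt.lon)
    # Faster than an airliner between the last login and this one: not the same person.
    if hours >= 0 and distance > max_kmh * max(hours, 1 / 60):
        score += 4
        reasons.append(f"impossible travel: {distance:.0f} km in {hours:.1f} h")
    return score, reasons


def decide(score, step_up_at=5, notify_at=2):
    """Allow, allow-and-alert, or demand more proof (the 'questions about the account')."""
    if score >= step_up_at:
        return "step-up"
    if score >= notify_at:
        return "notify"
    return "allow"


# Constructed sample events (hypothetical user, coordinates rounded).
SF = (37.77, -122.42)     # San Francisco
LAGOS = (6.52, 3.38)      # Lagos, the unlikely place the text uses
T0 = datetime(2012, 8, 3, 9, 0)
HISTORY = [
    Login("alice", T0 - timedelta(days=3), "macbook-1", "US", *SF, "macOS"),
    Login("alice", T0 - timedelta(days=1), "macbook-1", "US", *SF, "macOS"),
    Login("alice", T0, "macbook-1", "US", *SF, "macOS"),
]
SAME_DEVICE = Login("alice", T0 + timedelta(hours=5), "macbook-1", "US", *SF, "macOS")
NEW_PHONE = Login("alice", T0 + timedelta(hours=1), "iphone-7f3a", "US", *SF, "iOS")
FROM_LAGOS = Login("alice", T0 + timedelta(hours=2), "win-unknown", "NG", *LAGOS, "Windows")

if __name__ == "__main__":
    for attempt in (SAME_DEVICE, NEW_PHONE, FROM_LAGOS):
        score, reasons = risk_score(HISTORY, attempt)
        print(f"{attempt.country}/{attempt.device_id}: score {score} -> {decide(score)} {reasons}")
```

The point of returning the reasons alongside the score is that the step-up has to be explainable to the person on the other end, and tunable by the people running it; a bare number that sometimes locks out travelling customers gets switched off.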

The way forward is real-identity verification: to allow our movements and metrics to be tracked and tied to our actual identity. We are not going to retreat from the cloud, so we need a system that makes use of what the cloud already knows: who we are.

That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. But times have changed. We've entrusted everything we have to a broken system. The first step is to acknowledge that fact. The second is to fix it.

A password hacker in action

The following is from a January 2012 live chat between Apple online support and a hacker posing as "Brian" -- a real Apple customer. The hacker's goal: resetting the password and taking over the account.

Apple: Can you answer a question from the account? Name of your best friend?

Hacker: I think that is "Kevin" or "Austin" or "Max".

Apple: None of those answers are correct. Do you think you may have entered last names with the answer?

Hacker: I don't think so. I've provided the last four [credit-card numbers], is that enough?

Apple: The last four are incorrect. Do you have another credit card?

Hacker: Can you check again? I'm looking at my Visa here, the last four is "5555".

Apple: Yes, I have checked again. 5555 is not what is on the account. Did you try to reset online and choose email authentication?

Hacker: Yes, but my email has been hacked. I think the hacker added a credit card to the account, as many of my accounts had the same thing happen to them.

Apple: You want to try the first and last name for the best friend question?

Hacker: Be right back. The chicken is burning, sorry. One second.

Apple: OK.

Hacker: Here, I'm back. I think the answer might be Chris? He's a good friend.

Apple: I am sorry, Brian, but that answer is incorrect.

Hacker: Christopher Aylsworth is the full name. Another possibility is Raymond McAlister.

Apple: Both of those are incorrect as well.

Hacker: I'm just gonna list off some friends that might be. Brian Coca. Bryan Yount. Steven May...

Apple: How about this. Give me the name of one of your custom mail folders.

Hacker: "Google" "Gmail" "Apple" I think. I'm a programmer at Google.

Apple: OK, "Apple" is correct. Can I have an alternate email address for you?

Hacker: The alternate email I used when I made the account?

Apple: I will need an email address to send you the password reset.

Hacker: Can you send it to "toe@aol.com"?

Apple: The email has been sent.

Hacker: Thanks!

How to survive the password apocalypse

Until we figure out a better system for protecting our stuff online, here are four mistakes you should never make -- and four moves that will make your accounts harder (but not impossible) to crack.

Don't

- Reuse passwords. If you do, a hacker who gets into just one of your accounts will own them all.

- Use a dictionary word as your password. If you must, then string several together into a pass phrase.

- Use standard number substitutions. Think "P455w0rd" is a good password? N0p3! Cracking tools now have those built in.

- Use a short password no matter how weird. Today's processing speeds mean that even passwords like "h6!r$q" are quickly crackable. Your best defence is the longest possible password.

Do

- Enable two-factor authentication when offered. When you log in from a strange location, a system such as this will send you a text message with a code to confirm. Yes, that can be cracked, but it's better than nothing.

- Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a "Camper Van Beethoven Freaking Rules".

- Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.

- Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that's a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn't tied to your name -- such as m****n@wired.co.uk -- so it can't be easily guessed.
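Two of the "Don't" items above can be shown rather than asserted. This added example (not from the original article) applies a small set of the case, leet-speak and suffix rules that cracking tools ship with to the word "password", and sets the handful of candidates that produces against the number of guesses a genuine brute-force search of the same length would need. The substitution table, the suffix list and the guess rate are assumptions chosen for the example.

```python
import itertools

# Constructed substitution table with the usual leet swaps. The rule files that
# ship with cracking tools are far larger; this is enough to make the point.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
COMMON_SUFFIXES = ("", "1", "123", "!", "2012")


def leet_variants(word: str) -> set:
    """Every way of leaving each letter alone or swapping it for a substitute."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    return {"".join(combo) for combo in itertools.product(*options)}


def case_variants(word: str) -> set:
    """The three casings people actually type."""
    return {word.lower(), word.upper(), word.capitalize()}


def mangle(word: str, suffixes=COMMON_SUFFIXES) -> set:
    """Case x leet x suffix: roughly what a rules file does to one dictionary word."""
    candidates = set()
    for cased in case_variants(word):
        for variant in leet_variants(cased):
            for suffix in suffixes:
                candidates.add(variant + suffix)
    return candidates


def keyspace(length: int, alphabet_size: int = 95) -> int:
    """Number of strings of `length` printable ASCII characters."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, guesses_per_second: float = 1e10) -> float:
    """Time to try every candidate at an assumed rate. Ten billion per second is
    in the range a single GPU reaches against fast, unsalted hashes such as MD5."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    variants = mangle("password")
    print(f"'password' under these rules: {len(variants)} candidates; "
          f"P455w0rd among them: {'P455w0rd' in variants}")
    print(f"trying all of them: {seconds_to_exhaust(len(variants)) * 1e9:.0f} nanoseconds")
    for n in (6, 8, 12, 16):
        print(f"every {n}-character printable password: {seconds_to_exhaust(keyspace(n)):.3g} s")
```

Run it and the asymmetry is plain: "P455w0rd" is one of a few hundred guesses that follow directly from "password", while every six-character string like "h6!r$q" is exhausted in about a minute at the assumed rate; only at twelve characters and beyond does the count reach the years-to-millennia range, which is why length, not weirdness, is the item on the list that matters.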

Mat Honan is a senior writer for the US edition of Wired.

This article was originally published by WIRED UK