Security Response

1.2 billion stolen login details put a spotlight on the broken password system

Created: 06 Aug 2014 14:27:42 GMT • Updated: 08 Aug 2014 07:21:42 GMT • Translations available: 日本語, Português, Español
Laura O'Brien


A recent report claimed that a Russian cybercrime group stole 1.2 billion user names and passwords from 420,000 websites. The breaches reportedly affect a huge variety of entities ranging from Fortune 500 firms to very small sites. The affected sites weren’t identified, as many of them are still vulnerable to attack.

The group allegedly managed to obtain these details by using botnets to probe websites for vulnerabilities. The report states that when one of the botnet’s infected computers visits a website, the attackers force the computer to carry out an SQL injection attack on the site to see if it contains vulnerabilities. If the site is vulnerable, then the attackers take note of the website and return at a later time to steal information from the site’s database.
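The probing described above works because many sites build SQL statements by pasting request parameters into a string. The following Python snippet is an added illustration, not code from the report or from Symantec: it places a string-concatenated login lookup beside the parameterized form and uses a constructed in-memory SQLite table. A lone quote character makes the vulnerable version fail with a syntax error (the kind of response an automated probe looks for), and a tautology in the username returns rows it should not; the parameterized version treats the same input as plain data in both cases.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real site.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.execute("INSERT INTO users VALUES ('O''Brien', 'hash-of-obrien-password')")
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Request-controlled text is spliced into the statement, so quote
    # characters in the input change the structure of the query itself.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    # The '?' placeholder binds the input as a value; the database never
    # parses it as SQL, whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def probe_outcome(lookup, username):
    # Summarise how a lookup reacts to a given input: the row list on success,
    # or the string "error" when the statement no longer parses. A site whose
    # login form answers a stray quote with a database error is advertising
    # exactly the defect the article's botnet was checking for.
    try:
        return lookup(build_db(), username)
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    for name in ["alice", "O'Brien", "' OR '1'='1"]:
        print(repr(name),
              "vulnerable:", probe_outcome(find_user_vulnerable, name),
              "safe:", probe_outcome(find_user_safe, name))
```

Parameterized queries (or an ORM that uses them) remove the class of bug; input filtering alone does not, because every quoting rule of the database engine would have to be reproduced correctly. A web application firewall or database error monitoring can additionally flag the burst of malformed queries that mass probing produces.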

The attackers have reportedly not sold many of the stolen details online and have instead used the information to send spam messages on social networks. Still, this information could be of great value to other cybercriminals. If people reused their passwords on other services, then attackers could use the information to compromise other accounts and obtain further sensitive information about the victim.

The problem with passwords
This reported incident shows once again how broken the current password system is. It’s too easy to reuse passwords across countless websites or create easy-to-guess passwords. As a result, if an attacker manages to gain access to the user’s login credentials by breaching a website, they could potentially use the details to gain unauthorized access to several other online accounts.

Even the news of major vulnerabilities isn’t enough to convince most users to change their passwords. A recent report from the Pew Research Center stated that less than four out of ten people who knew about the Heartbleed vulnerability changed their passwords in response to the bug.

Rather than blame the user, it may be better to look at ways to improve how we authenticate ourselves when using online services. And considering how quickly consumer and business technology has been evolving in recent years, now may be the perfect time to act.

Mobile authentication
The proliferation of smartphones has helped to boost the popularity of two-factor authentication. Once the user logs in with their password, they check an email, SMS message, or mobile app for their second temporary authentication code. This means that even if a user’s password is compromised, an attacker would still need to gain access to the second authentication method to break into the targeted account.
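The temporary code that a mobile app shows is usually a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226): both sides hold a shared secret, and the code is an HMAC over the current 30-second time step. The Python below is an added example, not code from the article or from any Symantec product; it uses the RFC test secret and shows the two checks a server-side verifier needs beyond recomputing the code: a small tolerance window for clock drift, and rejection of any counter already accepted, so a captured code cannot be replayed within that window.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic
    # truncation" picks 4 bytes at an offset given by the last nibble.
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the HOTP counter is the number of time steps since the epoch.
    return hotp(key, for_time // step, digits)


def verify_totp(key: bytes, submitted: str, now=None, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter that matched, or None if the code is rejected.

    `window` steps either side of the current one are accepted to absorb clock
    skew. `last_counter` is the highest counter this account has already used;
    nothing at or below it is accepted again, which blocks replay of a code an
    attacker managed to observe. Comparison is constant-time so response timing
    does not reveal how many digits were right.
    """
    now = int(time.time()) if now is None else now
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo: the secret from the RFC test vectors, not a real one.
    secret = b"12345678901234567890"
    code = totp(secret, int(time.time()))
    print("current code:", code)
    print("accepted at counter:", verify_totp(secret, code))
```

The caller persists the returned counter as the new `last_counter` for that user. In a real deployment the shared secret is generated with a cryptographic random source, stored encrypted, and transferred to the phone once (typically as a QR code); the SMS and e-mail variants in the text deliver a server-generated code instead and inherit the security of those channels.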

The next step for logging in securely appears to be biometric authentication. While this technology has existed for a while now, Apple brought it to the masses by introducing a fingerprint sensor on its iPhone 5S last year. Users can unlock their phone or authenticate iTunes purchases by placing their finger on the home button. Other smartphone manufacturers implemented this feature on their devices and in June, Apple opened up the feature to all apps, helping the technology spread even further.

Biometric authentication on smartphones isn’t only about fingerprints. A Samsung executive recently said that the company is looking into making devices that detect the user’s irises to identify them.

The future of authentication
Authentication won’t stop there, as researchers are continuously looking at new ways to revolutionize the system. Last year, Regina Dugan, head of the Advanced Technology and Projects group at Google, suggested that a tattoo or ingested pill could authenticate a user. The user would only need to touch their device, or even their car or front door, to unlock it.

A company spun out from Oxford University is also working on a new authentication system. Oxford BioChronometrics’ system measures countless different behaviors that a user carries out when they interact with their device. This could include how the user tilts their phone when they type, their scrolling speeds, their mouse movements, and more. The system combines this information to make up a user’s “electronically Defined Natural Attributes (eDNA)”, which are then used to authenticate the user. 

Cambridge University scientist Frank Stajano believes that he has another answer to the password problem in the form of an electronic aura. In this system, the user wears an accessory or has an implant under the skin that generates an electronic aura. This aura would extend two or three feet around a person’s body, and its signals would allow only devices belonging to that user to work within it. As a result, a person could unlock their car with a key fob inside this field, but if the key fob falls outside the field, it won’t work. Stajano is also working on a device called the Pico, which stores a large number of different passwords for online services. This device would only work within the electronic aura.

Protecting your information
It may be some time before these ambitious authentication projects become a reality. For now, Symantec advises users to safeguard their online information from attackers in the following ways:

  • Always use strong passwords and never reuse them across other websites.
  • Enable two-factor authentication on websites that provide it. Symantec’s Validation and ID Protection (VIP) Service lets enterprises implement both two-factor and risk-based token-less authentication.
  • Consider using a password manager, such as Norton Identity Safe, which securely stores different passwords for online services.