With almost six months since my last post you may have been fooled in to thinking this blog had died a death. The truth is I’ve just been really busy at work and still am but I had to post about this subject as its really starting to get on my nerves.
Web security, or rather your informations security on the web, is something everyone should be concerned with at all times and yet the majority of my friends not in the tech industry couldn’t give a crap. I’ve witnessed passwords shared across multiple services, passwords written down with the web address and username, passwords as simple as password. It’s all very frustrating when trying to explain why these things are bad to these friends as they have no idea of the scale of the threat.
Up until recently the threat was not actually that widespread, sites being compromised as little as two years ago were usually small communities that impacted relatively small numbers of users. Then LulzSec and Anonymous came along and ostensibly attacked sites they were protesting against but also raising awareness of tools that can be used to attack websites and networks.
The chaos that has ensued was easy to largely ignore until consumer networks starting getting hit.
- Playstation Network is brought down, millions of users personal details are stolen.
- Gawker Media network of websites is attacked, I discover that two of my email addresses were used in accounts I did not sign up for
- Facebook account lists and passwords are published
- my web host DreamHost has its account directory service compromised meaning they have to change passwords on every FTP account
- This week alone LinkedIn has 6.5 million accounts published online and now there are reports of last.fm being compromised
What is at risk then?
Name, Address, Job History, Email Address, Password, Credit card information, date of birth. On their own most of these things aren’t a big deal (credit card info is a big deal!) combine them and you have everything you’d need to steal an identity. If you get in to someone’s primary mailbox you have their life!
When these attacks happen the sites tell you to change your password and reiterate that you should use different passwords on different web sites. It’s not enough. It has been the standard advice for as long as I can remember on the web and has been ignored equally as long. The password as we know it is not secure.
What are the alternatives though? Some sites have multi-factor authentication, usually this means a small keyring sized device is assigned to your account, using pre-defined algorithms on the device and on the authentication server you enter the verification code on the devices screen as well as your password to log in. This is something more recently being offloaded to smartphones making it vastly more accessible to your average user. It means to login you need to remember something (your password) and have something (the smartphone or token device). It does increase security but at the cost of convenience.
Other sites rely on the authentication of OAuth or OpenID vendors like Google, Yahoo, Facebook or Twitter. Not ideal either, these vendors may be better protected from threats but they are constant targets!
We need to rethink our approach to web security as an industry or these attacks will only increase in frequency and severity, my advice is to enable multi-factor authentication on every site you use that offers it, keep all your passwords different (try the advice of this xkcd comic to help you pick memorable passwords), change them frequently and maybe one day there will be a method of authentication that we can trust again.