The security breach heard 'round the Web: Adobe's hacking highlights the human problem with passwords
I can't remember the last time I used a password that didn't resemble the few that I already use on everything from Facebook and Rdio to Netflix and Amazon. It's too hard to imagine and remember complicated passwords, so I've contented myself with a few go-to variations of a simple password that I can easily remember. I'm practically asking to have these accounts compromised, much like a person who wanders around San Francisco with their iPhone in hand is almost begging for their phone to be stolen. And I know I'm not alone.
In October, Adobe revealed that hackers were able to steal the source code for some of its products and access the records of almost 3 million users after breaking into its systems. Then it was revealed that the number of users affected by the breach was closer to 38 million, while independent researchers estimated it might actually approach 150 million. The company is advising users to change their passwords, and it's not the only one: Facebook, Eventbrite, and other companies are all warning their users that the breach could affect their accounts with those services. Meanwhile my editor was locked out of Wordpress, which required him to change his password since he was one of the Adobe victims.
To steal a line from Schoolhouse Rock's musical explainer of the American Revolution: the security breach at Adobe has been heard 'round the Web. Maybe it could renew interest in the ongoing fight to replace human-created passwords with other forms of authentication.
Google "declared war" on the password in January, when the company's vice president of security, Eric Grosse, and engineer Mayank Upadhyay published a research paper arguing that "passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe." They proposed the creation of physical objects, such as rings or flash drives, that would allow their owners to access online services without having to remember a password.
The FIDO Alliance, a consortium created by PayPal and Lenovo to find alternatives to typed passwords, is trying to do something similar. As FIDO co-founder and PayPal chief information officer Michael Barrett told MIT Technology Review in February:
Customers credentials are [today] easily retrievable by criminals by techniques such as password guessing, credential theft at websites or phishing. FIDO is significant because it helps to move us into a world where credentials are much more bound to the device and it’s much harder for the criminal to abscond with them.
Motorola is working on even stranger solutions: Temporary tattoos and swallowable pills that would allow people to act as their own authentication systems. As former DARPA head Regina Dugan said during the D11 conference in May, when she first presented the projects:
[The tattoo] becomes my first superpower. I really want this superpower. It means that my arms are like wires, my hands are like alligator clips. When I touch my phone, my computer, my door, my car, I’m authenticated in.
Then there's the fingerprint scanner built into every iPhone 5s, allowing owners to unlock their phones and purchase new apps, movies, or music from Apple's digital marketplaces without having to enter a password or passcode. The device isn't perfect -- owners often complain about the device's ability to reliably recognize their fingerprints -- and is currently limited, but it's also one of the first consumer technology devices to make fingerprint scanning an integral aspect of the device.
Until these authentication tools leave the research lab, we're left with two choices: We can either continue to use the same password (or variations thereof) across multiple websites, or we can allow tools like 1Password, LastPass, and the like to create strong passwords unique to each service. Given the increasing worry with which companies like Facebook are regarding the Adobe security breach -- largely because it knows that at least some users relied on the same password for both services -- trusting these apps to create unique passwords seems like a far better option.
Relying on these services won't come without a cost. Typing a short, insecure password is often quicker than clicking and tapping around an app that stores and supplies login credentials on command. Not knowing your passwords might become a problem when these services fail, disappear, or are themselves compromised. The pills that Motorola is working on and the fingerprint scanner Apple is trying to perfect won't feature such limitations, but they're not yet able to become the primary way through which we access our many devices and services.
This won't solve all of our security woes. The hackings of Wired's Mat Honan and PandoDaily's own Adam Penenberg show that determined hackers can use all kinds of tools to gain access to our digital lives. (Examples include "misplaced" thumb drives, seemingly innocent requests to use a computer for some innocuous task, and "social engineering" that turns customer representatives at companies like Apple and Amazon into particularly helpful accomplices.)
But using strong, unique passwords could still help users keep their information secure, as Adobe's security breach shows. It's a bit like my colleague David Holmes' argument that companies and consumers should still encrypt their data even though the NSA has reportedly sought to weaken encryption standards:
[...] without robust encryption standards, there’s no way to keep large tech companies accountable for their data. Google and Yahoo can simply say, 'We didn’t know!' like a man who 'accidentally' leaves the backdoor unlocked, so a murderer can kill his wife, and they can split the insurance money. If the doors are dead-bolted, and the NSA still gets in, then we know something’s not right. But we shouldn’t let companies hide behind incompetency and the notion that 'encryption doesn’t matter.'
There are plenty of ways that passwords can be weakened. Companies could use weak encryption, transmit the data in an insecure way, or allow someone to reset the password with little more than a phone call and some publicly-available information. But using the same password across a variety of sites and then hoping that the exposure of that password won't lead to serious problems is foolish at best.
Passwords aren't perfect, but their biggest problem isn't technical: it's us. The fallout from Adobe's security breach makes that clear, and might finally help attempts to replace passwords receive the attention they need so that we might eventually be swallowing pills, getting tattoos, and relying on our thumbs to access our digital lives.
Those tools won't come without their own drawbacks -- key among them the fact that a password can be changed but a fingerprint can't be -- but they will likely be more secure than "nathaniel1234" or "applemotts" would be.
We've already trusted much of our lives to technology. Maybe it's time to trust those same technologies to keep us secure. We've proven that we're incapable of doing so ourselves -- could the machines fare better? That's what much of this research seeks to answer, and what many might be wondering as this security breach continues to make headlines and affect much of their digital lives.