Password security is broken, say experts

Identity fraud is one of the biggest threats to unwary web users today. It can come in a variety of forms but is often the result of an online account being hacked or details phished via social engineering.

I recently met Jason Hart, former ethical hacker and now managing director of secure authentication firm Cryptocard, who has been banging on for years about how password-based approaches to account authentication are no longer sufficient.

Now, of course, he would say that, given that Cryptocard's job is to sell alternative two-factor-based authentication technology, whether it's via key fob token generators, or passcode-generating software which can be installed on a smartphone.

However, the sheer number of security breaches which have occurred because password security systems have been cracked in the most basic and simple way backs up the two-factor message.

"Why should a [hacker] go to the effort of finding a vulnerability when he could target the password?" Hart told V3.

"The problem has always been there but the reliance of social networks and cloud computing [sites] on passwords has been explosive. Password security is the only thing that impacts confidentiality, integrity, availability, accountability and auditability."

Most retail banks in the UK have got the message and now issue customers with some form of one-time password generating device to try to deny the dedicated fraudster. But problems persist elsewhere. Online cloud-based services have grown to staggeringly high numbers and most of them still use passwords as the primary means of account entry.

Twitter, Facebook, Google and virtually all other web firms have been of the opinion that to do otherwise would be unnecessarily burdensome to the user, incur cost to them and fatally tip the security/usability balance the wrong way so as to actively discourage people from signing up.

Hart, of course, believes this is a narrow minded approach that leaves such firms woefully unable to protect their customers. As an ethical hacker, Hart told V3 he has spent much of his time finding ways to crack password systems, with little difficulty.

Password reset options in particular, as was observed by Trend Micro's Rik Ferguson the other week, can often contain startlingly easy questions, answers to which can be found anywhere online with a little rudimentary digging. And that's assuming that the password was not an easy-to-guess name or even a default word in the first place.

More disturbingly still, Hart said he was able to find the personal details of virtually anyone he needed to online, a technique many hackers use to enhance their chances of success in social engineering attacks.

He gave the example of a hacker who could trawl LinkedIn for new job starters, then email a victim who had just begun a job, pretending to be from the new firm's IT or HR team. It's only a small step from there to persuading the victim to click on a malicious link or volunteer some sensitive financial information.

So where does the responsibility for account security lie? Certainly people need to improve their password habits, but, as Hart argues, passwords really shouldn't be used anymore. However, when it comes to the amount of data routinely placed online by web users, the problem is a little less black and white.

LinkedIn was highlighted by Hart as a particular goldmine of personal information for hackers, the added dimension being that it's professional information and much more valuable to hackers looking to infiltrate an organisation. So does LinkedIn need to up its game and tighten privacy settings? Well, the firm told me in a statement it is "constantly assessing its security and privacy policies to ensure all members have a rewarding and safe experience".

"As a member of LinkedIn, you have full control over what information you share with your connections and beyond," it added.

"Privacy settings allow you to control what information you make available to search engines through your public profile, and to control the messages you receive from LinkedIn and other users. The privacy settings also allow you to control visibility and accessibility throughout the web site."

A pretty unequivocal 'we've done our bit, it's up to the users to do the rest' message, then. But has the balance of responsibility shifted a little too far onto the user? Privacy policies on sites like Facebook have been criticised in the past for being too complicated for the average Joe to work out. While LinkedIn's are a lot simpler than Facebook's, they may still trouble some people, and crucially the firm could do more to publicise them.

As online fraudsters get ever more sophisticated and wise to the opportunities afforded by these huge and as yet still largely untapped pools of personal information, more pressure will come on the platform providers to do a little more.