5 Reasons Why Passwords Are Useless
This past election season (you were hoping you could forget all about that now, weren't you?) the item with one of the hottest buttons was the release of the DNC's emails by WikiLeaks. It was a complicated political scandal that only the 21st century could bring to us and one where there were very strong feelings on both sides. But no matter what your personal thoughts are, the underlying fact is that someone broke into one of the most powerful governing bodies in the United States and released the information with the intention to cause harm to those implicated. This should be a major wake-up call for all of us; if the DNC can be hacked with so little effort, we're all at risk. Let's take a look at what we're currently counting on to take care of our most personal data AND how absolutely screwed we are.
It Is Alarmingly Easy To Be Hacked
Unfortunately for the DNC and anyone else with an internet connection, becoming a victim of hacking is ridiculously simple. Personal information is stolen by hackers over 100 million times a year, which is a bad day for your average user but a fucking nightmare when you're the front-runner for the Democratic Party. Especially when you're hearing about it from the peanut gallery.
And I don't care which side of this issue you support, whether you're against a blatant violation of someone's private correspondence or if you feel like it was comeuppance for someone you don't personally like. I hate discussing politics. The only time I've ever taken an interest is when I thought someone on TV was complaining about a "pile of ticks" and I thought to myself "Yes, someone should definitely keep an eye on those ticks." But I will say that here, the president-elect is tweeting about yet another thing he knows jack squat about, because the hack is not really a matter of the entire DNC acting carelessly, and you might actually be surprised to know how easily most of it was done. In the case of the famous Podesta leak, for example, a fake but legitimate-looking Gmail login page was used to steal user passwords.
This is what a fake Google sign-in page looks like.
This type of "spear phishing" is rapidly becoming the most common way to steal an email user's identity. Since the Hillary campaign used Gmail as their email host, the amount of sensitive information that was swiped was staggering. This just goes to show that you can be one of the most intelligent political minds in the game but an email server is really only as secure as its most naive user.
Passwords And Passphrases Aren't The Best
Some of you may be familiar with passwords. Heck, you might have even used one to log onto this website in order to leave a mean comment below. Right now, pretty much every service you use requires a password. Most sites and services will not allow you to use an easy-to-guess password and instead will make you pick a good password which contains at least eight characters, with at least one uppercase, one lowercase and one number or special symbol. So you can't use 'shrekfan' as a password. Instead, you get creative and use something like $hrekF4n to throw a hacker off the scent.
The scent of a swamp ogre.
Any site worth its weight in Bitcoin will lock you out if you fail to enter the correct password three times, which is a great security measure. But not all sites do it. Hackers know this, and they know that most typical users of the World Wide Web will use the same password across a bunch of different websites. So while your banking website will lock hackers out immediately, other sites may not. Hackers can use brute force to guess your password on these less stringent sites and, because that same password is reused, eventually come up with a combination that also works with your email. From there, they can probably get into everything. So passwords alone just simply aren't enough.
Just like life in the swamp wasn't enough for Shrek.
Passphrases are similar to passwords, only instead of using letters, numbers and symbols, you would make your code a phrase of random words. Depending on the length, these are near-impossible to brute-force. Take a look at this delightfully colorful chart, which works out how long it would take to "guess" a password based on how complicated it is.
Passphrases sound great in theory but they have the same issues that most other forms of password carry: users tend to pick something easy to remember vs. something difficult to guess. If it's easy for you to remember, it's easier for the bad guys to guess. Unfortunately, due to humans being humans, passwords and passphrases don't offer the protection needed to keep your info safe. So what else is there?
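As an added worked example (not from the original article), here is the arithmetic behind that chart: the keyspace, bits of strength and expected crack time for the passwords above versus random-word passphrases. The guessing rates, the 7,776-word Diceware list and the three-strikes lockout window are assumptions chosen for illustration.

```python
import math

# Alphabet sizes for the character classes in the article's password policy
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
DICEWARE_WORDS = 7776          # 6^5 words in the standard Diceware list (assumed list)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guessing rates (constructed, order-of-magnitude values)
OFFLINE_GPU_RATE = 1e10        # guesses/s against a leaked, fast-hashed password
ONLINE_NO_LOCKOUT = 100.0      # guesses/s a site with no lockout might absorb

def online_lockout_rate(attempts_before_lock=3, lockout_seconds=900):
    """Effective guess rate when a site locks the account for a while after N failures."""
    return attempts_before_lock / lockout_seconds

def password_keyspace(length, lower=True, upper=False, digits=False, symbols=False):
    """Number of candidates a brute-forcer must cover for a character-class password."""
    alphabet = (LOWER if lower else 0) + (UPPER if upper else 0) \
             + (DIGITS if digits else 0) + (SYMBOLS if symbols else 0)
    return alphabet ** length

def passphrase_keyspace(words, wordlist_size=DICEWARE_WORDS):
    """Number of candidates for N words picked at random from a wordlist."""
    return wordlist_size ** words

def entropy_bits(keyspace):
    """Strength in bits: log2 of the keyspace."""
    return math.log2(keyspace)

def expected_crack_years(keyspace, guesses_per_second):
    """Average time to hit the right guess (half the keyspace), in years."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR

def compare():
    """Rows of (label, bits, years offline on a GPU, years online with lockout)."""
    cases = {
        "shrekfan (8 lowercase)": password_keyspace(8),
        "$hrekF4n (8 chars, all classes)": password_keyspace(8, upper=True, digits=True, symbols=True),
        "5 random Diceware words": passphrase_keyspace(5),
        "7 random Diceware words": passphrase_keyspace(7),
    }
    return [(label, round(entropy_bits(k), 1),
             expected_crack_years(k, OFFLINE_GPU_RATE),
             expected_crack_years(k, online_lockout_rate()))
            for label, k in cases.items()]

if __name__ == "__main__":
    for label, bits, offline, online in compare():
        print(f"{label:32} {bits:6.1f} bits  offline: {offline:.3g} yr  online+lockout: {online:.3g} yr")
```

The lockout column shows why even 'shrekfan' is impractical to guess online against a site that locks you out, which is exactly why attackers go after the sites that don't and count on password reuse.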
Two-Factor And Third-Party Authentication Have Their Holes
Much like one of those movies where a character opens a locked door only to find another locked door behind it, two-factor authentication seems like it should be the best option to annoy a hacker enough to cause them to give up. Services that use two-factor authentication require an additional form of verification before you can log in. Banking websites, for instance, might send you an email with a code that you must enter into the webpage before you can fully log in. This extra step is great (if hackers haven't already compromised your email address) but oftentimes, you made it easy on these cyber punks by using the same password for your banking site and your email account. It's like locking a safe inside your house when the robbers already have a copy of your house keys as well as the keys to the safe.
Plus your Xbox, your cash, and all your important shit is in there!
Sure, two-factor is tough to crack but it is not flawless. And don't think you're safe using text message authentication either, because it can be just as bad. Sometimes, all it takes is a quick call to a mobile provider and some very simple information to convince them who you are, and you can have the text messages routed to another phone, simple as that. It may be a far-out situation, but the fact that it can and has happened blows the doors wide open on two-factor authentication.
But maybe the problem isn't with two-factor authentication itself, maybe it's just the way it is currently being utilized. If you can't trust your email and SMS to deliver your second form of authentication, maybe you can trust a third-party device. For instance, if you have a gaming account with Blizzard Entertainment, you have the option to add what is called an "authenticator" to your account for extra security.
Again, like the example of email and SMS, this seems great in theory. As it turns out, though, those authenticators can be easily bypassed, like what happened to this Reddit user and his Blizzard account while he was playing a game. The hacker didn't have a whole lot more than the author's real name, but pair that with some Photoshop trickery and that was all it took to convince Blizzard to change the email address on file and remove the authenticator from the account. Blizzard apparently took responsibility for the mix-up and offered 15 days of game time in addition to no peace of mind for their customer.
Sorry doesn't bring back my Heavenly Onyx Cloud Serpent, you Blizzard fuckbags.
And if you're not the gaming type, a better example would be your place of business and their use of a VPN service with a keychain authenticator which you use to connect from home. Well, before you go thinking you're better than those gaming nerds out there, your company's VPNs have also been proven to be unreliable thanks to the Heartbleed bug a few years ago. Essentially, none of these add-ons to entering a password are reliable enough to be foolproof. So don't get cocky, kid.
Fingerprint Recognition Technology Becomes Weaker With New Technology
Things may seem bleak with the state of virtual security. Passwords can be guessed, humans can err, and hackers are very good at lying to get what they want. But there is one thing you have that no hacker can ever take away: your fingerprints! Unless, of course, they can find some way to physically get your hand and cut the fingers off, but at that point you've got a lot more to worry about than just your PayPal account.
"I'm taking this."
Now that most of your phones and computers have thumbprint recognition built in, apps and services will allow you to set fingerprint recognition to access your phone, shopping apps, and banking sites. While this method is very secure, it too is not foolproof. It may seem like some ridiculous, James Bond-type spy shit, but your thumbprint can actually be stolen, 3D molded and used to access your personal data. Passwords can be changed at any time but your fingerprints have been hardcoded from birth. So if you're one of the unlucky ones who have had your most identifiable feature stolen out from under you, you're pretty much shit out of luck.
Plus, it would be hard to play guitar so what's the point of living anyway?
But if you want to be a fingerprint thief and don't have access to 3D printers or a fingerprint database, you can still just wait until the person you want to spoof is sleeping and use their unconscious hand like this 6-year-old did when she purchased $250 worth of Pokemon merchandise by using her sleeping mother's thumbprint.
Fraud never looked so adorable.
Bonus points if you put the hand in warm water when you're done. Then the victim is out a couple hundred bucks and covered in piss. The ultimate crime!
Facial Recognition Is Okay... For Now
Living in the future has its advantages. Even 20 years ago, the idea that a computer could recognize who was sitting in front of it was something you would only see in a cheap science-fiction movie. Today, your Facebook uses that software every time you upload a new picture. That should terrify the shit out of us but, hey, nobody likes sitting around and tagging friends in massive amounts of photos so I'd say it's a fair trade.
"Why did I take so many goddamn Flag Day pictures?"
In a somewhat more practical use than Facebook, facial recognition is now being used to grant you access to your computer. Computers that are able to utilize Windows Hello! use two separate cameras built into the machine to create a 3D image of your face. This grants you access to your system without having to use the keyboard.
Facial recognition is a great form of security. However, just like I've managed to render every other form of security in this list useless, it can be bypassed or even just straight up fail you. One of the early adopters of the "nifty face noticer" software was Xbox Kinect, and it wasn't without its issues. That is to say, Kinect was a teeny bit racist when it came to noticing the facial features of dark-skinned gamers. Additionally, if your appearance changed a little bit, like maybe you got glasses, grew a beard or put on some weight because all those Kinect exercise apps were lying fucking gimmicks, Kinect would have trouble recognizing you at all.
"I am having trouble recognizing you. Please shave your face, or do some sit-ups."
The technology has come a long way since Kinect and while it is incredibly difficult to bamboozle, modern face recognition has been fooled by using the same tools Facebook uses to automatically tag you and your friends in uploaded photos. By using 3D modeling software and Facebook images of a user's face from several different angles, researchers at the University of Chapel Hill were able to hoodwink four out of the five systems they worked on.
So even though it is fallible, face recognition is surprisingly one of the most robust forms of security out there, and the technology needed to enhance this type of lock keeps getting better and better. A research group in Australia even tried tricking Windows Hello! using identical twins. One twin would register their face into the system and the other would try to unlock it. Windows won every time, and until someone wastes their time figuring out a way to morph their face into a perfect replicant, I think facial recognition is one of the best ways to secure your sensitive info.
So take that creepy shit somewhere else, you two.
Where does all of this leave us? Well, from the security structures we currently have in our arsenal, passphrases and facial recognition are the two most difficult nuts to crack when hackers get involved. Ideally, if the technology to manufacture more advanced facial recognition software becomes cheaper to make and sell, a combination of passphrase and facial recognition could be the key to locking down important data.
Let's say someone manages to steal your passphrase, or maybe they spend 108,000 years and are eventually able to crack it. If it were paired with face recognition, it wouldn't matter if they have the passphrase or not; you have to be physically sitting in front of your PC in order to unlock it. Is it a perfect system? No. But that's the nature of the art of hacking: to make technology work the opposite way it's supposed to. It means breaking down the secure barriers just to prove that you can. But until the hacking community can crack a super long passphrase while wearing your face, we'll have to consider this the safest we're going to get. Especially when anyone reading this can now do a quick Google search to pull up some 20,000 politically sensitive emails that were supposed to be private.
Now go out there and run for president with confidence! I hear just about anyone is qualified these days.
Erik Germ is a completely different kind of hack that you can follow on Twitter.