ALTOM: Passwords are passe, but there’s no good alternative

Mat Honan has a truly chilling article in this month’s Wired magazine (www.wired.com). Honan is a senior writer for Wired. He’s about as informed as any science writer anywhere about online security. But last summer, hackers managed to destroy his digital existence, and do it within about an hour.

All his digital photos, all his e-mails, his tweets—everything taken over, corrupted or deleted. And believe it or not, he was relatively lucky; they didn’t steal the money from his checking account, as often happens.

This sort of takeover is getting more common, and as a creepy bonus, hackers are targeting small businesses. As Honan points out in his article, small business has more money than individuals and fewer security protections than bigger companies. If you’re not scared yet, you probably ought to be.

Honan isn’t optimistic about securing the portal gate, either. His major point in the article is that our usual protective device, the password, is now utterly archaic and should be junked. It can’t be fixed. Even the most supposedly secure password is toast from the time you first use it, because today’s hackers have a veritable arsenal of ways to get through or around any password scheme.

One way security can be overcome is with a purely brute-force attack. There are huge and sophisticated dictionaries used by hackers that will do high-speed comparisons of passwords with known words, even exotic and weird spellings like “R0boC()mPuTer.”

Today’s computing power is so great that ferreting out even the strangest password takes comparatively little time. I remember when companies advised us to fuse together ordinary but unconnected words as a password, like “mentholcoffee” which worked back then, but wouldn’t last an hour under a determined assault today.

Often, the hacker doesn’t even have to work hard. All too many computer users still use the word “password” as their password. Simple guessing can sometimes get a hacker into the deepest recesses of your online life.

That’s bad enough news, but it gets much worse. Because we tend to reuse our passwords, getting one password can give a determined hacker entrée into many more sites.

And complicated, diverse groups of passwords open a new can of worms. Because numerous passwords are hard to remember, online services have methods for letting you retrieve and change your password. Many of those services have roadblocks, such as questions you must answer about your birth city, your mother’s maiden name, or what grade school you attended. Any good hacker can exploit this capability and not only get your password, but change it so you’re locked out.

The problem with even the cleverest challenge question is that many of us put the answers online today in scattered pieces that a patient hacker can reassemble. Facebook, Twitter, LinkedIn, dating services and many more social sites entice us to share things with our friends, customers, prospective mates and colleagues.

Along the way, we mention a lot of personal information that by itself doesn’t seem risky to reveal, but can end up being extremely dangerous in the wrong hands because it allows the hacker to answer those challenge questions. Things only get worse once the hacker has one key site, such as your e-mail, because those places contain ways to jump directly to other sites, like your banking records.

There are steps you can take to make the hacker’s job harder, such as getting rid of personal information online (although it never really goes away entirely); using a separate secure e-mail account just for password resetting; not storing data in the cloud; and using long, convoluted, weird passwords, a different one for each site you use.

But I think Honan is correct: There really is no sure-fire way to keep a hacker out of your business if he’s determined enough. The days of password protection are over, and we’re just afraid to face it. Biometrics like fingerprint scans, which seemed like a good bet to take over from passwords, have proven to be just as fallible and usually tougher to use. And Honan is also right that we’re not going to retreat from the cloud just because security is inherently inadequate. The risk is that we do nothing. Hackers aren’t standing still, and neither can we.•

__________

Altom is an independent local technology consultant. His column appears every other week. He can be reached at taltom@ibj.com.