
All Hail The Death Of Usernames And Passwords

You can tell that this title wasn’t written by my PR people. Apparently, the association with notions of death represents a “reputational risk.” Well, thanks guys, but I’m sticking to my guns on this one, because the Internet is about to witness a demise so decisive that death is the only appropriate word for it.

I’m not talking some Lehman-style corporate collapse here, I’m talking about the end of the way we have interacted with transactional websites (and, indeed, the way cybercriminals have exploited them) for two decades or more. Ladies and gentlemen, I give you… the username and the password. RIP guys.

At this point, you’re trying to work out if I’m misguided, a visionary, or just plain nuts. Usernames and passwords are such a fundamental part of our daily behaviour that nobody can seriously imagine them not being there. They are just too big to fail. Yeah, and so were the banks.

How logins ‘incite cybercrime’

In fact, username and password have failed already – and very publicly and embarrassingly. Just a few weeks ago, Yahoo, Nvidia, Billabong and others (and, a few weeks prior to that, LinkedIn) all admitted sheepishly to having usernames and passwords swiped from their sites by hackers, compromising thousands and thousands of user accounts.

I wrote about this in my blog at the time (http://privatesky.me/blog/). Websites the world over store their users’ username and password data in a file on the site itself. This means that these sites are a natural target for hackers, because all the really juicy stuff is in one place. Let’s be clear about this: the username/password model is positively inciting cybercrime. And it is up to us, the good burghers of internetland, to make it pay for its misdemeanours with its life.

But what’s the alternative? After all, the user has to identify themselves in some way or other. I’ve wasted too much time glaring into uncooperative machines at airports to trust biometrics, and electro-magneto-spiritual life-essence detection would be cool but I haven’t invented it yet. So I’m going to resort to old-school cryptospeak and nail my colours to the two-factor authentication mast.

Here’s how it works. Two-factor authentication means that you have to have something (a physical thing) and know something (a secret) at the same time, in order to be able to authenticate yourself. Real-world example: cash machine. You have something (the card) and you know something secret (the PIN). The card is useless without the PIN. The PIN is useless without the card, and the card doesn’t store the PIN in any way. It’s about as secure as it gets.

Online, it all hinges on how we use the user’s identity. What Yahoo and all the other guys who got hacked were doing was using a fixed correlation between username and password to establish identity. Because it was fixed, it had to be mapped somewhere. The system had to have a documented list, in which usernames went with which passwords, so that the login script could look them up. This is the positively Tolkienesque single point of failure that cybercriminals love. “One ring to rule them all,” and whatnot.

But what if the user’s authentication were powered by something more substantial than a childish game of snap with usernames and passwords? What if the user’s email address was converted into ASCII (American Standard Code for Information Interchange – a character encoding technique) and then hashed to produce an identity-based secret in the form of a numerical string?

Sounds great. But you’ve got to have a minimum of two authentication factors, right? OK, so let’s take a leaf (for once) out of the banks’ book, and use a PIN. Only the user knows the PIN, which effectively turns the user’s cryptographic secret into a “token.” The token is the thing that the user has, even if they don’t actually see it. Token plus PIN equals identity-based secret, which is used as a fixed generator in an authentication protocol – but neither can be reverse-engineered to reveal the other, because the relationship between them does not work in both directions.

Now this is where things can start to get very mathematically heavy, so I’m going to focus on outcomes rather than integers. What this means is that websites have no further need whatsoever to store user login information on the site. The traditional, mapped 1-to-1 relationship between username and password is obsolete. It’s not a login, it’s an ex-login. It’s only there because Yahoo and others nailed it there (in a big old file.) It has shuffled off this mortal web. Mortus est.
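A toy illustration of the token-plus-PIN split described above, as an added example that is not the author's protocol or code. It assumes a small Mersenne-prime group, a Schnorr identification round and a per-user public verifier held by the server, none of which are specified in the article; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters (assumption): P is the Mersenne prime 2**127 - 1. Discrete
# logs in this group are easy; real schemes use elliptic-curve groups.
P = 2**127 - 1
Q = P - 1   # exponents are reduced modulo P - 1 (Fermat's little theorem)
G = 3

def identity_hash(email: str) -> int:
    """Email -> ASCII bytes -> SHA-256 -> integer, as the article sketches."""
    digest = hashlib.sha256(email.encode("ascii")).digest()
    return int.from_bytes(digest, "big") % Q

def enroll(email: str, pin: int):
    """Return (token kept on the device, verifier kept by the server)."""
    secret = secrets.randbelow(Q - 1) + 1            # never stored anywhere
    token = (secret - pin * identity_hash(email)) % Q
    return token, pow(G, secret, P)

def recombine(token: int, pin: int, email: str) -> int:
    """Token plus PIN gives back the secret; a wrong PIN gives another number."""
    return (token + pin * identity_hash(email)) % Q

def login(token: int, pin: int, email: str, verifier: int) -> bool:
    """One Schnorr identification round, both sides simulated in-process."""
    secret = recombine(token, pin, email)
    r = secrets.randbelow(Q - 1) + 1
    commitment = pow(G, r, P)                        # client -> server
    challenge = secrets.randbelow(2**64) + 1         # server -> client
    response = (r + challenge * secret) % Q          # client -> server
    # Server check uses only the public verifier, never the PIN or token.
    return pow(G, response, P) == commitment * pow(verifier, challenge, P) % P

def candidate_secrets(token: int, email: str) -> int:
    """How many distinct secrets a stolen token is consistent with."""
    return len({recombine(token, pin, email) for pin in range(10_000)})

if __name__ == "__main__":
    email = "alice@example.com"                      # constructed sample input
    token, verifier = enroll(email, pin=4821)
    print(login(token, 4821, email, verifier))       # correct PIN
    print(login(token, 1234, email, verifier))       # wrong PIN
    print(candidate_secrets(token, email))
```

A stolen token alone is consistent with every four-digit PIN, so guesses have to go through the server, where they can be rate-limited. Anyone holding both the token and the verifier can test all 10,000 PINs offline, so the verifier still needs protecting.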

Bringer of death, me? You betcha.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Comments

  • Just the fact that we are still living in a password world is annoying. Almost everything is still only password protected. But ultimately the fact is passwords (strong or not) do not replace the need for other effective security control. People need to understand that neither the strength of your password nor having it locked up in Fort Knox will mean anything when it is stolen from the source! The only real solution is to add additional layers of authentication for access and transaction verification without unreasonable complexity and this will be of help to their customers if they implement some form of a two-step or two-factor authentication where you can telesign into your account and have the security knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.

  • I think that there definitely needs to be a more secure method introduced to stop hackers getting hold of passwords. Surely companies as big as Yahoo should be able to do this.

  • Computers are used in a variety of environments. Many users need access fast; to step up to a keyboard & use it. Passwords are so slow. More practical in these cases to switch off a screen saver & switch on a keyboard when a physical token (e.g. an RFID chip) appears & authorises access?
    The real deterrent to wrongdoing is human action. An effective way of increasing hackers' unease might be to display a picture of the legitimate user for the interest of passersby.

  • The two factor authentication model you speak of sounds exactly like what RSA does. Unfortunately, RSA got hacked not too long ago and the hackers have the keys to the two-factor random seed algorithm :-/

    Secondly, the old id/pass model is here to stay. Companies and end users don't feel like carrying around a dongle, a tin card or any other physical device to authenticate to non-critical accounts like Yahoo mail. The hassle and expense for a two-factor solution for this is simply not worth it.

    The best solution is to force rotation of passwords every 30 days for non-critical and non-financial based systems and a two factor model for the financial world as most financial institutions already do, but they don't seem to force the rotation of passwords so the two factor idea is almost as insecure as the old id/pass model if hackers gain access to the random seed file of the token based system as in RSA's case.

  • "What if the user’s email address was converted into ASCII (American Standard Code for Information Interchange – a character encoding technique) and then hashed to produce an identity-based secret in the form of a numerical string?"

    you clearly have no grasp of the subject... where to even begin

  • Sorry, I really do not understand the point of this article.

    There are 2 separate issues, 1 - the end user experience (have a look at: http://xkcd.com/936/ for an entertaining but enlightening example about choice of passwords) and 2 - how a site validates the user credentials (it always involves storing something and the real issue is around how the data is stored).

    Was the article about the former or the latter? A PIN is never as secure as a password and the banks I use normally use a number of secrets / semi-secrets in lieu of a physical token.

    Note that a 30 day roll over just makes it harder to remember the password, particularly if used in several sites. Such a policy just causes people to use sequences or write things down (stronger policy = weaker security). A better alternative is to use mutual SSL, but usability remains a huge problem.

  • Sorry, correct me if I'm wrong but the PIN code you're using IS stored on your card. It's encrypted but still, it's there. Otherwise, how would you be able to pay for an airline ticket by Credit Card through an off-line procedure in say Cameroon, Chad, or Central African Republic (this all is in Africa)??

    Connections there are quite slow and not necessary for credit cards. The machine verifies your card and PIN, stores the transaction and uploads it to the company once a day, or week depending on the connection.

    If you type in the wrong PIN, the machine refuses the transaction. Conclusion, PIN is on the card.

    And it is for this very reason we have to be aware of "skimming" when you swipe your card.

  • This is the worst piece of journalism I've ever read, and I'm an avid reader and I studied journalism for a couple of years. You have zero idea what you're talking about. Equally I have zero idea what you are talking about.

    I've been an IT security consultant for 15 years and your ignorance is breathtaking. Pretty much everything you said was wrong. But here's a few points to ponder

    1. Websites (good ones) don't store usernames and passwords on the web server. User accounts should be stored away from this machine, away from the DMZ for this machine, on the other side of an internal firewall. The hacks you mentioned were not caused by passwords as authentication. They were probably caused by poorly maintained infrastructure and poor application security for the websites.

    2. Two Factor Authentication uses something you know pretty much always (2FA is a very strong control btw). Something you know. Hmmm, like a password? If I try to understand the benefit of replacing a long, complex password with a four digit pin my head will explode.

    3. I'm no expert on card security, but isn't the pin held on the card and hashed?

    4. ASCIIAIIIIIIIIIIIIIIIIEEEEEEEEEEEE!!!?????? WHAT????

    You should not be writing about IT, shame on you and your ignorance.
