The Username/Password System Is Broken: Here Are Some Ideas for Fixing It

Jared Newman for TIME

Imagine if, in an instant, all the files on your computer vanished, along with all your e-mails and online backups, and therefore any chance of getting those files back. That’s what happened to tech writer Mat Honan, after a hacker broke into his Google and Apple accounts and wiped them clean.

Honan walks through his hacking horror story in painful detail at Wired.com. He describes how his attacker tricked Amazon into revealing the last four digits of his credit card–a key bit of info the hacker needed to gain entry to Honan’s Apple account. Because his Apple e-mail address was on file with Google as a backup, the hacker used it to reset Honan’s Gmail password, which finally let the hacker reset Honan’s Twitter account and achieve the end-goal of taking it over.

In many ways, the hack was preventable. Amazon could have better safeguarded Honan’s credit card details, and Apple could have required more than just a billing address, e-mail address and partial credit card information before resetting Honan’s iCloud account password. Honan could have backed up his files to an external hard drive, or used two-step Gmail authentication to keep the hacker out.


But there’s a bigger problem that Honan’s hack brings to light, and that’s how broken the username/password system has become. Every online service we use invites another security threat–a way for hackers to sniff out passwords or glean the information they need to reset an account elsewhere. As Honan himself notes:

My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.

Even if you lock down your Google account with two-step authentication, and Apple and Amazon fix their weak points, there’s no guarantee another service won’t fail, especially when all of them are set up to accommodate forgotten passwords with forgiving recovery mechanisms. What we really need is a new way of verifying our identities online that doesn’t involve memorizing dozens of alphanumeric combinations, and doesn’t add layers of complexity for users.

Slowly, the tech world is coming around to this idea. Tim Bray, who previously worked as Google’s Android developer advocate, recently switched positions within the company to tackle online identity. “Usernames and passwords generally suck and obviously don’t scale to the Internet, so we need to do away with ’em soonest,” Bray wrote in a blog post. In response, Daring Fireball’s John Gruber called online identity “one of the big problems to be solved for the industry over the next decade.”

Work is already underway. The OpenID Foundation is coming out with an open source project called Account Chooser, which lets you use a trusted service such as Google to log into other sites. Although Facebook, Twitter and even OpenID already offer this type of universal login, Account Chooser, which was mainly developed by Google, aims to make it more inviting. Instead of seeing the typical login and password fields when you’re signing in at a new site, with Account Chooser you’ll see a slick-looking box that lists your trusted accounts, and all you do is click on the account name to sign in.

“It takes the username and password and retires it once and for all,” Don Thibeau, OpenID’s executive director, said in an interview. He hopes to see Account Chooser implemented by the end of the year. Of course, it’s unclear how many websites will adopt it, and how quickly.

But even that’s not a complete solution, since it relies on a master login for Google or whatever other service is providing the credentials. OpenID hopes people will secure their master accounts with two-step authentication, but we should assume most people won’t. (After all, we live in a society where “password” is the most common password.)

That’s why we need better, more effortless ways to lock down our accounts. How this should happen, exactly, is where things get tricky.

OneID, a service that’s in private beta now, also wants to have a single login button that’s ubiquitous across the web, but instead of relying on other trusted accounts like OpenID, it requires users to authenticate their individual devices. That way, no one can access your accounts without physically stealing your computer.

As an added security measure for banking and other important transactions, OneID can require users to enter a PIN on their smartphones through a companion app. As with OpenID, the challenge lies in getting web developers on board, but that may prove even tougher for OneID since it’s just a startup and not a well-known non-profit like OpenID.

Meanwhile, the World Wide Web Consortium has also been brainstorming industry-standard ways to verify users’ identities without endless usernames and passwords. One idea would be to authenticate the browser or device–maybe with a password, or maybe with something fancier, like voice or video recognition–which would then verify your identity with all other web services. That sounds simple enough, but there are lots of details to work out, including what cryptography to use and how to deal with privacy concerns. Web standards tend to take time, but the end result could be widespread adoption of simpler, safer logins.

Jim Fenton, OneID’s chief scientist, believes that individual efforts (such as those of his company) will lead the way, but doesn’t think the username and password are going away anytime soon. “It’s a technology that’s been around for 50 years, and it’s had a chance to establish itself very well on the web,” he said. “I think it will still be quite a while yet.”

Even with a major overhaul in how we identify ourselves online, hackers may still find workarounds. But in time, we may be able to enjoy a system that’s more convenient for everyone–and less prone to horror stories for the unfortunate few.


35 comments
Jerry1

While you can change your password at anytime with Google, it would be helpful if they would allow you to come up with your own user name and not the email address used on the account. Very helpful.

arrr1

The actual problem is that sites are interlinked, so that when one account is hacked, several more become accessible. An increasing number of websites require that I log in with my Google account, and I have no way of knowing if they can see my Google password or not, so I simply create new throwaway-accounts on Google in order to be able to use those sites. I say that Google or someone trying to gain total information on their users' Internet behavior is the single biggest security threat right now – not that there is something fundamentally wrong with the user-and-password system.

That Account Chooser project is profoundly illogical. In the beginning of the article you say that the hackers got some information from one site, that enabled them to hack into another, then into another... And the solution offered is one site from which you can log into ALL the accounts you have anywhere? That would be the exact opposite of the desired result. At present, the hacker has to hack many passwords, unless the user is very careless. However, when users use Account Chooser, the hacker has to find out just one password and he is guaranteed to have access to all accounts.

Anyway, I just don't understand how a hacker can wipe out all the files on your computer, all your emails and all your online backups. What kind of a moron would make all his important information so easily accessible from one account – and a technical writer at that? Isn't it an elementary precaution to keep your backups very well separated from the information that is being backed up?

JeramieH3

The guy admitted to the bad practice of using the same login password on multiple sites. So the first suggestion in this article is for OpenID, which uses the same login account for every site. Nice analysis there, Time.

OceansideChiropractor

This is a really serious concern that we should have great defenses on. Hackers are hackers, they try their best to hack into any website, account or IP and do the unimaginable. If you have a universal account, what if hackers got into it again? That means all info stored is stolen or wiped again at one time. So if the two-step authentication will be an app, it wouldn't need help from cell providers, right?

P V Ariel

Very interesting and valuable information.

Thanks for sharing the connected links too

Best Regards

Philip Ariel

LRAgurkis

Gruber’s comment on online, or digital, identity being a big problem to solve, is true. The Open ID activity and the idea of “Account Chooser” is just one example of efforts around creating a digital identity “clearing house” for online transactions and operations. Some of the challenges around getting to that point are simple economics that need to be worked out with identity providers and the sites that consume the identities - not to mention the identity proofers that may come into play. The economics around this may be more challenging than the technical issues.

Godzilla1960

Maybe I read too much science fiction, but I was kind of hoping this article was going to say we are on the verge of using thumb print, voice recognition, or eye scan technology to replace passwords.

TradingExecutiveChiefArchitect

We have a solution for this problem. We developed a 2-D barcode for password, portable on your cell phone or PDA. With our solution, you don't need to remember any password.

Contact us @ TopHedgeFundRecruiters@gmail.com

Reythia

"Apple could have required more than just a billing address, e-mail address and partial credit card information before resetting Honan’s iCloud account password..."

What else should Apple have asked for, his first born child?

Remember, these accounts also need to be accessible by the people who own them, even when they move to a different computer or location. There comes a point where asking for more and more information makes it difficult for a REAL user to use the site -- and may not stop a determined identity theft hacker, anyhow. After all, if some random dude can already get your home address, email, and credit card information, isn't he likely to be able to sort out your phone number, mother's maiden name, or whatever as well?

sql_yoda

Not a single mention of the user's accountability here. I have a separate secure password for every single thing that's important, like bank account info and apple store, and a completely separate secure password for every single thing that isn't - like gmail - and I don't let access from one compromise the other.

How hard is it to memorize 8 alphanumeric characters and then pick a different identifier somewhere inside it to differentiate between sites? You don't have to memorize twenty different passwords - just one with a modifier only you know.

How hard is it to pick a security question that isn't your mother's maiden name?

I don't feel sorry for Honan - he brought it on himself. He even says at the start of the second paragraph that "in many ways, this was all my fault". The username/password authentication is not the problem - it's that nobody thinks anyone else would ever spend four hours screwing with their account info to try to gain access.

Reythia

"How hard is it to memorize 8 alphanumeric characters and then pick a different identifier somewhere inside it to differentiate between sites?"

Actually, I'm one of those people who has a terrible time just remembering my own phone number, so I find it very difficult indeed to memorize 12 different passwords. Making them related would, in some ways, make it worse, since I'd be likely to mix them up. Moreover, keep in mind that a lot of sites try to make their passwords more "secure" by requiring you to have specific different components to your password. So if one site needs you to have 2 numbers but no odd characters, while another requires an odd character, you can't just swap things out so easily. And if they make you change your password every 3 months (like my idiotic workplace does for "security"), it makes it even worse. Which is why most of us end up with a list of passwords written down somewhere -- not exactly the best security if you store it on your computer, and alternatively it's too easy to lose a physical sheet of paper.

Frankly, I think there's very little you CAN do if someone is really willing to "spend four hours (or eight or 24) screwing with their account info to try to gain access" to your data. You can make it take longer, sure, but because the passwords have to be memorizable and are usually fairly short, they CAN be cracked if someone really wants to do it and has learned even the least bit about you. What saves us, frankly, is probability: there are only a few competent identity-theft hackers compared to the huge number of people using computerized passwords. The probability that YOU are the one who gets robbed is vanishingly small... which isn't the same as nonexistent.

Jared Newman

But that's exactly why we need a better system in the first place, no?

Lane1

All that's needed is a key chain or app authenticator that's linked to all of your accounts. If an account detects an IP address change from someone trying to log in, it requires an authenticator code. Simple.

I can't fathom why every single website in existence doesn't already offer this feature.

Fatesrider

I can think of one major reason: Cost.

Another: People are stupid and misplace them.

IMHO, the best way of doing this is through machine authorization. Authorize the device at account set-up. Require two e-mail addresses at sign-up. To authorize another device, it requires acknowledgement from BOTH e-mail addresses. Every device has a unique MAC address that can be gleaned from the system information independent of router MAC number or IP. Yes, you'd probably have to authorize devices through your home computer, but as long as two devices have access to the e-mail addresses (and who doesn't with webmail?), they can authorize all devices that want to access that account. It's a one-step process that negates the need for a user name and password (Although I don't know the state of the art in spoofing MAC numbers, that would be harder one would think than spoofing an IP because the MAC number comes from the system query and not from an IP ping).

But, if someone is really paranoid, one could have a user name and password just in case the MAC can be spoofed, too. And it would still take confirmation from two separate e-mail accounts registered at sign-up to make changes or reset a password.

This would seriously simplify the Internet and make it more secure while staying out of the way of the user and not requiring "apps" (God, I hate that word) that can be easily cracked.

Oh, and if some enterprising person runs with this, it's my idea (assuming I'm the first person to put it out there). I will want royalties.

TradingExecutiveChiefArchitect

If IP address is changed, that means: a user or a hacker may log on from another machine. It may also mean that the IP address is dynamically assigned. The security system should be able to handle 3 situations differently without adding unnecessary burden to the user.

Contact us @ TopHedgeFundRecruiters@gmail.com for your long term, better solutions.

Lane1

How is spending a few seconds entering a code burdensome? It could simply be required at every log in and still be worth it in my opinion.

TradingExecutiveChiefArchitect

Hi Lane1,

You've a good point. It's necessary for the current security system of user login: challenge and response, i.e. user ID/password in GUI, verification on server or database. However, we created a brand new product for the next generation of Web sites and e-Commerce checkout. We are looking for investment to grow our sales and clients for this wonderful IT Security ID product.

Lindsay J. Workman

Your ubiquitous cameras can still mostly be fooled with a photograph though. Widespread adoption of some sort of bio-metric system is the answer...FreeLancerGetWork.blogspot.com

TradingExecutiveChiefArchitect

Lindsay,

A great point! There is a solution for this ubiquitous cameras and photograph problem, since the 2-D barcode security can be dynamically changed in real time. A hacker will almost never get a copy of it since it is in a digital format and dynamically changed when you need it. Even if a hacker had got it, it would have been out of date.

Kelly Murphy

Every "solution" mentioned in this article still relies on a master password. It's like being challenged with keys, so you make one key fit your car, house, office, cabin, etc. Not the answer. In fact, it makes the issue far worse when a master password is compromised.

Bio-metric devices are relatively inexpensive. Simply integrating fingerprint readers into monitors, phones, tablets, keyboards, etc would solve all issues. Want to log in, swipe your finger. Want to make a purchase, swipe your finger. Quick, easy, and never to be left at home or forgotten. We all have natural unique identifiers, our fingers, why don't we use them?

Credit card machines at retail outlets could use them as well. Swipe your finger, pick a card, and authenticate the purchase.

We can insist on "Energy Star", but why can't we encourage manufacturers to adopt a "Security Star" standard that incorporated fingerprint readers into all computing devices. Also very easy to retrofit any computer built in the last ten years.

Jared Newman

I don't think passwords and PINs are inherently terrible, but they need to be paired with something a hacker can't access, such as video, voice or device-based authentication.

As for fingerprint readers, you can't possibly expect every PC, phone and tablet to include one. Even if it's inexpensive, it's still a design consideration. And there's a chicken and egg problem: Without standards to accept thumbprints as a login to any website that might need it, a reader is limited in usefulness. Without mass adoption of thumbprint readers, no one's going to develop that kind of standard.

I think it's more realistic to expect voice or video recognition to be improved so they're reliable enough for authentication, since those technologies are being built into hardware already.

Kelly Murphy

In your article you presented "master passwords" as an alternative to the current (and failing) password system. Not really thinking outside the box.

Let's hear more about the World Wide Web consortium and their plans to replace passwords with, wait for it, a password.

Maybe Google can eliminate passwords with, wait for it, log-ins.

Come on. If a simple thumbprint reader is really out of the question (which I still question) let's see an article about voice and/or video authentication. In the next 5 years identity theft is expected to cost $20 + billion dollars. I understand that bio-metric solutions won't evolve themselves, but it's worth the investment to solve this problem today. A few years back the US Customs service spent tens of millions to devise a tamper proof e-passport. It took a few days to crack. Yet nobody to my knowledge has devised a way to quickly and accurately spoof a fingerprint. (except for TV drama and James Bond). Your ubiquitous cameras can still mostly be fooled with a photograph though. Widespread adoption of some sort of bio-metric system is the answer. Let an OS maker develop a standard, let browsers and vendors become compatible, and let hardware manufacturers comply if they wish. Savvy consumers will pick it up if it's A. easier B. effective, C. inexpensive.

GadgetDon

I've got a friend who simply doesn't register on fingerprint readers. Even the old ink and rub type fingerprint reader rarely works - she almost failed a background check to work at a school because they couldn't read her fingerprints to confirm she wasn't a felon of some sort.

Sandeepmdas

I am writing this from Kerala, INDIA and the girl who lives next to my house also has this same problem. The fingerprint scanner cannot register her despite numerous attempts. Her Unique ID screening failed twice and she's going to appear for the third one next weekend.

Kelly Murphy

I am sure there are people for whom fingerprint readers do not work. Either the market will respond to these people, if there is sufficient need, or these people will find alternatives. To every solution there will be exceptions.

I bet you know far more people who are stymied by password complexity, or use very simple authentication. Let's get the majority covered and then work on the loose ends.

facebook-1322783619

This is not 'hacking'. It's a simple case of identity theft. The perpetrators achieved most of their goals using a phone and speaking with human beings not computers. Much worse things can happen from identity theft other than losing some baby pictures. For example, if someone gets a hold of your social security account, or even the last 4 digits, you could cause some real damage (set up credit card accounts, file false tax returns, buy a car, etc...).

Jared Newman

It's a semantic argument, but social engineering can be considered a form of hacking.

JeffDB

One thing I don't like about using your Google or Facebook account to log in is that your posts always give your full name at whatever website you're logging in to.

I very much prefer the option of selecting a username of my own choosing for each site. Privacy concerns abound.

candide08

Google TWO FACTOR works fine, and is secure. 

The Wired reporter had engaged in not just one, not just several but a whole slew of BAD practices.

If he had just had Google two-factor none of that would have happened.

Nathaniel M. Campbell

It only works, however, if you have a cell phone that can receive text messages. Shocking as this might be to the technorati, a lot of people don't have cell phones or don't use text messaging. Our family has one cell phone (for emergencies) and SMS disabled so that we aren't charged ten cents a pop every time someone wants to send us a text message.

stromos

Except you're wrong. Google allows landlines and an automated machine will call and give you a verbal code.

Damasucs

Nathaniel,

If you don't have access to a cell phone Google also offers printable backup codes, although I wouldn't use them as the sole way to access your account.