Robert Siciliano makes a case for adopting these 5 steps to be practically unhackable.

  1. Think before you click
  2. Use https where it matters.
  3.  Manage passwords.
  4. Use 2-factor authentication, all day everyday.
  5. Know when to VPN.
http://www.blogher.com/5-habits-practically-unhackable-people

http://www.blogher.com/5-habits-practically-unhackable-people

 

All good advice, but lets look at the issue of on-line security as a system. Unfortunately the system to protect personal credentials is problematic. The solutions Robert proposed are good. What is not discussed is why does the solution shift the responsibility of providing security from the site or host to the user.

The truth is that the average users are not skilled in cyber security. And by the rash of cyber breaches neither are the hosts. Can you do something? As Robber points out, yes. Should you do something? Again, yes. But that doesn’t fix the broken system.

The ‘solution’ offered by Intel, and 2FA is just a band-aid for a broken system. The whole concept of a password to secure identity is premised on two matching tokens. One the user knows and one is stored on the server. When they match the assumption is: you are who you say.

Replacing one password (alphanumeric) regardless of complexity, with another (biometric) still has two vulnerabilities.

Fallacy #1. Compromising the user. The user is responsible for managing their own security. But the people who are trying to crack or compromise the user are far more sophisticated in computer systems than the average person. So yes, #1, #2 and #5 are excellent advice. But it is the system that needs to be replaced.

Fallacy #2. Compromising the server. When Sony, Home depot, PayPal, Morgan Chase Stanley and others get hacked cyber criminals have your password and there is little or nothing you can do. You don’t know if they have your credentials or not or what credentials they have.

Password systems endure but are all based on two wrong beliefs.

Belief 1 is that your identity can be protected by having complex passwords. The system belief is based on you having a long string of alphanumeric. Equally the server has that same long string of alphanumeric.  Both are vulnerable so if one is compromised so is the other. It doesn’t matter if the password is retinal, finger, voice, a string (password) or a pin.

If enough people believe the earth is flat will bit become flat?

If enough people believe the earth is flat will bit become flat?

The vulnerabilities remain. Thus the belief that a complex password is adequate security is clearly false. Passwords and password systems, regardless of the password, are built on a flawed system based on a flawed thinking because passwords can be compromised. It doesn’t matter how long your password is, if a cybercriminal has it – then it is compromised.

Belief 2 is based on the theory that if everyone agrees then it must be so. The world is not flat. Never was. There was a time everyone believed it was flat, and people went around afraid they would fall off if they got to the edge.

Today people believe the password is irreplaceable. It is as fixed as gravity. The bigger the password the more gravity.  If you remove the password you will fall into the black hole of security.

black holeThat seems to make sense, but consider if you have a 500 character password and it is encrypted and can’t be stolen from your device. Having all that is moot when the server is compromised.

Here is the important other side to this dialog. We can get rid of the password. It isn’t expensive, doesn’t require new hardware and it is easy. It just requires looking at the problem from a different perspective.

The real question, the unifying theory of cyber security, is why don’t we just eliminate the password all together?

Coming soon… BPID password-free authentication.

Paul Swengler is the CEO and principal of Bulletproof ID a password-free authentication system. He can be reached through www.bpidsecurity.com and can be found on twitter, @bpids