The challenge of Digital Identification in a Cloud world, Password Managers Emerge

At a time when the news headlines are filled with a parade of data breaches (DNC, Yahoo, etc.), the Password Manager has emerged as an effective tool to solve the problem of Digital Identification.  Digital Identification is the way you prove who you are to all your Cloud-based online accounts.

The Password Manager is an online system combined with software tools that lets users create long, complicated password strings that are unique to each online system. This prevents passwords from being guessed, and it prevents a password compromised on one hacked system from being used to access other sites.

The challenge for online service providers is to secure their systems and accounts but allow users easy and convenient access.  Without a Password Manager, long, complicated and unique passwords are not something that people can easily use.

Without a Password Manager, username and passwords are ineffective because:

  1. People choose passwords they can remember, which are simple for criminals to figure out.
    • Brute-force techniques allow criminals to guess thousands or millions of common combinations (e.g. Password1, Sex123) from dictionaries and from lists of passwords already discovered in previous data breaches.
    • Old-fashioned PI work is surprisingly successful: social media and public records are used to formulate possibilities including children’s initials, birth dates, mailing addresses, pets’ names, hobbies, etc.
    • Phishing techniques like the one used in the DNC hack trick users into sharing their passwords through fake websites and email solicitations.
  2. Long, random, secure passwords are difficult for humans to remember and as a result are not used or are stored insecurely.
    • Often, passwords are kept on sticky notes under keyboards, in note pads and in insecure online address books in Google or Outlook.
    • Users find creative ways to get around complex password requirements by making minor modifications, writing them down but leaving out some characters, etc.
  3. The same passwords are often shared across different systems.
    • Long, complex passwords that change frequently are hard to remember, so users use the same or similar passwords across many systems.
    • Hackers know passwords are shared across multiple systems, so they try to access other online systems once a password is discovered and verified.
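The three failure modes above (guessable passwords, reuse across sites, and the strength a manager-generated password has instead) can be made concrete with a small audit routine. The code below is an added example, not code from the original post or from any password-manager product; the breach list is a constructed sample of a few entries, the 94-character alphabet and the 10^10 guesses-per-second offline rate are assumptions for the arithmetic.

```python
import math
import secrets
import string

# Character set a manager typically draws from (assumption for this example): 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample of a breach-derived wordlist; real lists run to hundreds of millions of entries.
LEAKED_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "sex123"}


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the given length over the given alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to enumerate the whole keyspace at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second


def is_leaked(password, leaked=LEAKED_PASSWORDS):
    """Case-insensitive membership test: breach lists are the first thing a guesser tries."""
    return password.lower() in leaked


def audit_vault(vault, leaked=LEAKED_PASSWORDS):
    """Flag per site: password present in the breach list, and reuse of one password across sites."""
    findings = {}
    first_seen = {}
    for site, pw in vault.items():
        problems = []
        if is_leaked(pw, leaked):
            problems.append("in breach list")
        if pw in first_seen:
            problems.append(f"reused from {first_seen[pw]}")
        else:
            first_seen[pw] = site
        if problems:
            findings[site] = problems
    return findings


def build_vault(sites, length=20):
    """Manager-style vault: one fresh random password per site, nothing shared."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    human_vault = {"bank": "Password1", "email": "Password1", "shop": "sex123"}
    print("human-chosen:", audit_vault(human_vault))
    print("manager-generated:", audit_vault(build_vault(["bank", "email", "shop"])))
    bits = entropy_bits(20)
    print(f"20-char random password: {bits:.0f} bits, "
          f"{seconds_to_exhaust(bits) / 3.15e7:.2e} years to exhaust at 1e10 guesses/s")
```

The audit deliberately reports the breach-list hit and the reuse separately: a leaked password is dangerous on its own, but reuse is what turns one site's breach into a compromise of every other account, which is the point of item 3 above.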

The Password Manager evolves

The original password managers were not useful because they were inconvenient.  They presented too much of a challenge to set up, organize and access.  Also, securing all your passwords and private information with a single password seemed like having all your eggs in one basket.  If that system and password were compromised, so was everything else!

Modern password managers have solved most of these challenges.  They are now the hub of your digital identity.  Products like 1Password, LastPass and Dashlane provide simple solutions to protect your passwords and provide convenient access from all your devices and online.

You are in control

  • With the help of these tools, long, random, unique and complex passwords are created for your online accounts.  The Password Manager software makes logging in and accessing your online accounts simple without your having to remember these passwords.
  • There is no need for third-party solutions like certificate authorities to issue and manage your credentials.  No one else can grant access to your online accounts, and you don’t have to use permanent physical characteristics like your fingerprints, DNA, etc. to identify yourself.
  • No one but you can see your passwords and account info. None of these online solutions store your passwords in a form that is accessible to anyone other than yourself. They do this by employing strong encryption within their systems, and they encrypt your passwords with your own master password, which they don’t have.

Isn’t this risky, putting all your eggs still in one basket?

Many people still get stuck on the single master password and the concern with having all your eggs in one basket.  It’s a legitimate concern but these systems have checks in place to limit this risk.

  • Before you can attempt to decrypt your database with the master password, you must first authorize your devices and demonstrate control of the email account associated with your account.
  • Attempts to access your account are logged and reported to you, so you’ll know quickly if someone else is trying to access your account.
  • 2FA/Multi-Factor Authentication can additionally be added to your account.
  • The master password is never stored in their system, so if they are compromised, hackers still should not have access to your information.
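The two claims above that matter most to the "eggs in one basket" question, that the vault is encrypted with a key the service never holds and that the master password itself is never stored, can be shown in a few dozen lines. What follows is an added example of that design, not code from the original post or from 1Password, LastPass or Dashlane, whose real formats differ. Assumptions: the user's email serves as the PBKDF2 salt, the iteration count is an example value, and because the standard library has no AEAD cipher the vault is enciphered with an HMAC-SHA256 keystream plus an HMAC tag as a stand-in for AES-GCM.

```python
import hashlib
import hmac
import json
import os

# Example work factor; real products tune their own.
KDF_ITERATIONS = 100_000


def derive_master_key(master_password: str, email: str) -> bytes:
    """Stretch the master password on the client. The email is the per-user salt (assumption)."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=32)


def subkeys(master_key: bytes):
    """Split the master key into independent encryption, integrity and login-verifier keys."""
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-integrity", hashlib.sha256).digest()
    # One-way derivation: the server can compare the verifier but cannot recover master_key from it.
    verifier = hashlib.pbkdf2_hmac("sha256", master_key, b"login-verifier", 1, dklen=32)
    return enc_key, mac_key, verifier


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for an AEAD such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault: dict, enc_key: bytes, mac_key: bytes) -> dict:
    """Encrypt-then-MAC with a fresh random nonce; the tag covers nonce and ciphertext."""
    plaintext = json.dumps(vault, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(blob: dict, enc_key: bytes, mac_key: bytes) -> dict:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ciphertext, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault integrity check failed")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def enroll(email: str, master_password: str, vault: dict) -> dict:
    """The record the client uploads: neither the master password nor enc_key appears in it."""
    enc_key, mac_key, verifier = subkeys(derive_master_key(master_password, email))
    return {"email": email, "verifier": verifier.hex(), "vault": encrypt_vault(vault, enc_key, mac_key)}


def server_login(record: dict, presented_verifier: bytes) -> bool:
    """Server side: all it can do is compare verifiers; it cannot decrypt the vault it stores."""
    return hmac.compare_digest(bytes.fromhex(record["verifier"]), presented_verifier)


def unlock(record: dict, master_password: str) -> dict:
    """Client side: re-derive keys, prove knowledge to the server, then decrypt locally."""
    enc_key, mac_key, verifier = subkeys(derive_master_key(master_password, record["email"]))
    if not server_login(record, verifier):
        raise PermissionError("master password rejected")
    return decrypt_vault(record["vault"], enc_key, mac_key)


def record_contains_secret(record: dict, master_password: str) -> bool:
    """Sanity check for the 'never stored' claim: the stored record holds no copy of the master password."""
    serialized = json.dumps(record)
    return master_password in serialized or master_password.encode().hex() in serialized
```

A breach of the server yields only the salted verifier and the ciphertext, so the attacker is back to guessing the master password through the KDF, which is why the work factor and the length of the master password are the two knobs that matter in this design.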

Emergency access

One feature that I find particularly compelling is “Emergency Access.”  When someone becomes ill or passes away unexpectedly, there is a panic among family, friends and sometimes within businesses to try to ensure access to online accounts and protected files.

My wife and I have many online accounts related to finances, insurance, mortgages, photo sharing, etc.  One day I realized I had no idea what passwords my wife was using for many of these accounts, as they change often and have so many different requirements.  With the Emergency Access feature, I can set up emergency access to her passwords after a 2-day waiting period.

Why shouldn’t we just use alternatives to passwords?

Biometric or genetic authentication: Science fiction has often extolled the benefits of genetic or biometric authentication, including retinal scanners, fingerprint readers, voice recognition or DNA scanning.  The problem with these technologies is twofold:

  1. They can be fooled:  If a would-be hacker learns a target’s fingerprint, retinal pattern or DNA unique identifiers, systems can be devised to represent these unique patterns in a way that fools an automated system.  There are currently many examples online of fingerprint readers being fooled.
  2. Once a biometric or genetic marker has been compromised, users cannot “reset” it; it is hard-coded into our bodies.  So if one’s identity was stolen and it was tied to a unique DNA identifier, the individual is now unable to easily reclaim his identity.

Digital Certificates: For a time there was a lot of discussion about how Digital Certificates from certificate authorities could replace passwords.  These certificate systems are currently widely used for securing websites, securing corporate and government systems, and signing software code.  They use a public/private key model to encrypt data and to identify authorized users and systems.

However, Digital Certificate systems have failed to become broadly used because of two major challenges:

  1. There is no one to trust with all this power!
    • Over the past few years there have been several high profile compromises of certificate authorities including Comodo, Symantec, and others.
    • Certificate authorities hold the master keys, creating a single point of failure.  Malicious actors who successfully compromise one of these systems can access unauthorized systems or issue illegitimate certificates.  This allows the publishing of fake bank, Google, or other systems where users are tricked into providing information through fake sites.
  2. Public and private key certificate systems have proved to be too complicated and inconvenient for most average users.
    • Users have to be able to understand the private and public key model, which is often beyond the interest and abilities of most users.
    • Personal certificates are not very convenient.
      • I can load my private key on my computer so that when I go to my banking site I can easily log in, but what do I do when I’m at my parents’ house?
      • I can load my private key on a USB smart card, but that opens up many other challenges and security risks, including plugging USB devices into other people’s computers.

2FA or Multi-Factor Authentication: 2FA (Two-Factor Authentication) or Multi-Factor Authentication is the technique of using two or more methods to uniquely identify a user.  This usually includes some form of password combined with a text message, phone call or possession of a physical hardware token (USB device, phone app or computer app that generates one-time codes, etc.).

  1. 2FA or Multi-Factor Authentication doesn’t get rid of passwords but makes them much harder to compromise.
    • Even if a hacker knows a user’s password, they cannot gain access to a system without the second or third authenticator.
  2. 2FA and Multi-Factor Authentication methods are becoming broadly and freely available on many online systems including Apple, Facebook, Google, Yahoo, Microsoft, etc.
    • The problem with these solutions is that they make access a lot less convenient. This is especially true if you’ve misplaced your smartphone, are not working on your own computer, or are sharing access to a system (you usually can’t list multiple cell phone numbers).
    • Additionally, they don’t eliminate the password; they just make it more secure.

A good option now for greater security

The convenience of the Cloud’s always-on, always-available nature means that these systems are also always available to enterprising criminals all over the world.  Long gone are the days when systems were safely behind physical walls and firewalls requiring special software and/or physical access.  There is a significant need now for greater security across all these systems, and the Password Manager is one of our best options.
