海角大神

In light of eBay security breach, why do passwords persist?

Passwords have proved futile protection against the scourge of cyberattacks that have left eBay, Target, and others scrambling to patch major holes in customer data security. Where did the password come from, and why do we still use it?

Kacper Pempel/FILE/REUTERS
File illustration picture of computer keyboard with letters stacked forming the word 'password' taken in Warsaw, December 12, 2013. In light of the eBay hack, why do we still trust passwords to protect our most valuable information?

The past 12 months have not been kind to the Internet's default security mechanism: the password.

First it was the Adobe hack last October that affected more than 150 million customers. Then the Target breach compromised the information of more than 70 million consumers. The news of data breaches just kept coming: Sears, Neiman Marcus, Michaels, and the ominous Heartbleed flaw that left passwords vulnerable to hackers for more than two years. , which says more than 145 million customers must change passwords to prevent further vulnerability.

Why is this form of protection, which has proved itself susceptible to increasingly savvy hackers out for this exact information, still the way that we keep our online lives safe? The long and short of it: users don’t practice safe Internet techniques, and privacy breaches don’t necessarily affect profits.

The password came about with the inception of computers. Researchers at the Massachusetts Institute of Technology (MIT) first invented it in the early 1960s, and even back then, passwords proved to be an easily circumvented security method. , a bug revealed the list of everyone’s password to whoever logged onto the machine. In another instance, a researcher who wanted more time on a computer printed a list of all the passwords and continually logged in as different users. Another researcher got a hold of the passwords and left “taunting messages” behind for a lab director.

Most researchers from the time admit that a knowledge-based authentication system would have been much smarter — something along the lines of asking a father’s middle name or the birthday of a sibling. But Fred Schneider, a computer science professor at Cornell University, told that “would have required storing a fair bit of information about a person, and nobody wanted to devote many machine resources to this authentication stuff.”

The rest is computer infrastructure history.

"It's the only piece of technology from 50 years ago we're still using today," says Brett McDowell, a senior Internet security adviser at eBay's PayPal unit

It appears Internet users’ attitudes toward passwords are also largely out of date. After media outlets, computer security researchers, and even the federal government urged Internet users to change their passwords following Heartbleed, which may have left more than two-thirds of the Internet susceptible to undetectable password breaches, said they had cancelled accounts or changed their passwords. Despite all the hacking news of the last few years, found that the two most common passwords on the Internet remain “123456” and “password,” despite many cyber security experts pointing out that these passwords are weak, easily guessable, and very common.

All right, fine. Internet users can’t be trusted to protect their own data, but at least we can rely on the private sector to heed the ever-growing threat of cyberattacks, right? After all, having millions of customers’ data compromised must be really bad for business.

Well, not necessarily.

Take the eBay hack. How do you think that is affecting business? Terribly, right?

“While security experts, the news media, and actual eBay users may have all been alarmed, the stock investors weren’t,” writes in a recent column. “EBay’s stock finished trading virtually unchanged that day, dropping all of 8 pennies to $51.88. That’s been the trend among companies that have suffered cyber attacks—the stock market practically ignores them. Consider Target and its own well-publicized data breach that happened back in December. Target’s stock didn’t really move at all.”

Mr. Chemi found this phenomenon isn’t confined to popular companies that were hacked such as eBay and Target. The same thing happened to T.J. Maxx, Adobe, and JP Morgan after announcing that customer data had been compromised.

“These numbers suggest that investors just don’t care much about data breaches, while hackers are incentivized to keep trying to steal data,” Chemi adds. “Maybe that’s why these events will keep happening. History repeats itself.”

That being said, a data breach can be costly and attacks are clearly growing. PricewaterhouseCoopers’s 2014 Global Economic Crime Survey found that over the last three years, 7 percent of US organizations lost more than $1 million each to cybercrimes, and 19 percent lost between $50,000 and $1 million.

With that in mind, a slew of companies have come together to form the FIDO Alliance, which is working to develop the next generation of successful authentication procedures and products. Members include Bank of America, BlackBerry, Google, Microsoft, Samsung, Netflix, and others.

Companies have tested authentication measures such as the fingerprint sensor on iPhones and new Galaxy devices. PayPal recently started accepting fingerprint swiping payment authentication as an option. There is also experimentation with local device authentication (where users insert a USB dongle as authentication) and iris scanners.

In terms of the eBay hack, aside from changing your password, the only thing to do to protect your data is keep an eye on bank accounts and beware of phone and e-mail scams. For protection against future password issues, Password Genie, LastPass, and Dashlane are all secure password storage websites where you can keep tricky-to-remember passwords for various sites.

And if you're still using "password" as your password? Seriously -- change it.
