The password pressure of modern life means that 61% of us use the same password wherever we can, according to a survey commissioned by digital communications agency @www. In fact, with more than one in 10 people having 50 or more separate online accounts to log into, many are not only using the same password for everything, but also writing all their passwords down in one handy place, such as the noticeboard in their office, a document on their desktop, or a Post-it note stuck to their computer. ^
The paradox of computer security is that we must consider the human element, which is that although security is a big concern, it’s something people expect to just work. We don’t expect our cars to blow up because we put a lot of effort into engineering them. Similarly, we expect security to “just work” with little investment by us.
However, it does require careful designing to make this happen. One part of careful design is accepting reality as it is. In the case of security, this is that users are forced to know at least a dozen passwords to do the minimum required for having an online presence. It’s no surprise that, after wasting a few hours finding lost passwords with the kind of barely functional features available on most websites, they start using the same password everywhere. I bet the number’s higher than 61%.
As we approach Web3.0 being christened, one idea that’s essential is some digital equivalent of Real ID. I think it should be based on an online identity, not a real-world one, so people can stay hidden if they prefer. It should be relatively centralized, and have an identity that other sites can then associate with internal records. But let’s stop ignoring the elephant, which is that when you require users to have dozens of passwords, they’ll use the same one in multiple places, and eventually this will lead to compromised systems.
“A compromised [multifunction printer] is dangerous for a number of reasons. First and foremost, no one in the enterprise pays attention to them. That lack of visibility makes for a very attractive attack platform,” said Brendan O’Connor, a researcher who was among the first to call attention to the printer security risk during a Black Hat talk in 2006. ^
In Hollywood schlockbusters like Live Free or Die Hard, Hackers and Mission Impossible, hackers decide to bust into a major site, so they go attack the mainframe by smashing through routers, firewalls and impossible looking security screens with holographic cryptograms. In real life, hackers work like reporters researching a story. They nibble around the edges, then ask the right questions, then finally stage the big confrontation.
First, you gain entry to a site. Often this is by calling someone up and claiming you’re security and you need their password, or by snooping wi-fi networks for someone who might be using the same password on Yahoo! mail as on his corporate network. Then you get into the network, often through a printer or some simplistic trojan you mail to a secretary. Finally, you start by compromising machine around your actual target, so you can hide your traces and fake validation credentials. For the really big hack, the target should never know it was hacked if you’re good, because to it what happened was a normal transaction. Its infrastructure — the hacked network — can be all you need.
So much for the big screen. These common security annoyances are a bigger threat than the media fearmongering. Hacking is a task like any other, and it rewards research and diligence more than the ability to type cryptic commands quickly.