Passwords are used everywhere to access online services, and even though security researchers know that this type of authentication is almost as bad as it gets, it’s the default way we all access our online accounts, and attempts to change that fact with other measures (two-factor authentication, biometrics, etc.) are always met with a lot of resistance. Apathy is often the source of this resistance, but there’s also the fact that every company wants to use their own solution. Facebook and Twitter have their OAuth based authentication APIs, PayPal uses the Verisign system, Google has its Google Authentication, Blizzard provides its own dongle, and so on. Users would end up carrying a keychain filled with dongles and tokens if they were to take advantage of all these initiatives.
The chink in two-factor authentication
Then there’s also the fact that the Internet is filled with legacy code, and implementing a new authentication system will always hit a brick wall when it comes to older code that simply does not support these newer options. This is why Google offers application-specific passwords in order to allow these apps to still work even when you turn on two-factor authentication. Just this week, a researcher revealed that this password option was actually much more vulnerable than could be imagined. Simply by using a bit of hacking knowledge, one could extract enough information to reuse these passwords over and over again. So while the company was claiming that this generated password would only be usable from a single app, this was not exactly the case.
This particular vulnerability has been fixed by Google, but it remained open for almost a year before code was pushed to close the hole. And even with this fix in place, it does not change the fact that it’s still using a password, which leads us to a tale of a compromised iCloud account. One particular techie I know, someone who knew the risks of passwords and the ways he could protect his digital life, ensured that his Gmail account was indeed using two-factor authentication. Unfortunately, he also had an iPad and wanted to access his Gmail messages on the iOS mail app. This app, like almost all email clients out there, does not support two-factor authentication. So he had to generate an application-specific password in order to do so. After entering the password on his iPad, and making sure it had a lock pin on it, he felt very secure that this one particular event would not compromise his email account.
The iOS gap
Unfortunately, it turns out that his iCloud account was not as secure, and one day he found out that his Apple password had been compromised. Whether it was because of password reuse, brute force attacks, or simple guesses from someone targeting him in particular, we may never know. But the point is that his iCloud account was now in someone else’s hands. Our victim was not too worried however. He never used his iCloud account for much, and had made sure that no harm could be done with that password. So after recovering his account and changing the password, he put the whole incident in the back of his mind. However, he had forgotten one crucial fact. By default, an iPad will keep a running backup of all of your data in iCloud, as long as you are running iOS 6. This includes things like documents, photos, and settings. In those settings are passwords, and the hacker was smart enough to download the backup to another device while he or she had access to the compromised account.
So while his Google account was using two-factor authentication, and his iCloud password did not grant any kind of access to Gmail, because of this backup, the hacker was able to restore his iPad settings, and access contacts and emails from his Google account using that application-specific password. The victim ended up only finding about this after the fact, when the damage had already been done. While it had not seemed like such a big deal to create a password for one mail client, it turned out that this specific password was not so specific after all. And this is really the crux of the problem. A password can never be made secure regardless of how many checks you add. It’s still just a simple string of characters, and if it gets out of our control, a motivated hacker can find a way to get what they want.
So what’s the solution? In the long run, security researchers are right, a user name and password is a terrible way to authenticate. We have to move away from that using things like two-factor authentication. The Google Authenticator is actually an amazing piece of technology. It uses very simple mathematical formulas to ensure that the code your authenticator shows to you will be impossible to obtain any other way than if you have the exact same serial number than the server does. This means as long as you hold on to your smartphone or security dongle, no one listening in or breaking into some other account will be able to bypass this security. And because it uses open protocols, it’s incredibly easy for any developer to implement this type of authentication in their own apps. The problem is that because of legacy code, companies have no choice but to implement workarounds. This may be unavoidable, because while it may be your responsibility if you forget your password, there are many situations where you can lose a phone or authenticator by no fault of your own.
There is no magic bullet when it comes to security. All we can do is add layers that will hopefully make accounts more secure. Of course, some of those layers are sometimes stupidly complex and serve no good security use, but that’s another story. Still, it’s with tales like these that we can remind ourselves no security is perfect, and that it’s always good to go back and make sure we’re doing all we can to ensure our digital life is safe. Because as years go by, more of ourselves end up being bits, and a safe is no longer what holds our most precious goods anymore.