Is It Time for Passwords to Go Away?
It seems all too often my friends are having their accounts hacked. I get emails from them trying to hawk iPads
or Facebook messages about Lady Gaga. There are three problems I see here:
1. Users choose poor passwords. This was shown in the recent Gawker hacks and pretty much every other username/password database breach in computer history. Common fix: require complex passwords. Problem with the fix: users pick something like Password1! Another problem is that users choose the same password for many sites. Once the password is compromised at one site, the same username and password can be used to gain access to other sites.
2. Users blindly click links in emails, Facebook posts, etc. Here, I would be interested in an organization that
prohibited links from being transmitted in email. If someone tried to send an email with a link, it would be
rejected and a notice would be sent to the original sender stating that links are not allowed. The emails should
be phrased such as “Go to your normal [Bank Name] login by entering the address you always do in the URL
bar.”
3. Users never check where they end up after clicking links. They usually end up at facebook.evilhacker.com
and think they are at the real Facebook. Hey, the page looks the same. People should check the certificate of
the website, but they don’t.
All of these problems can be fixed with one simple solution: certificates. Certificates have been around since
the 1980s and are common in authenticating servers, but not users. Many SSH users love certificates because
they allow them to log onto their systems without typing passwords. However, certificates are almost never
an option for logging into websites. Let’s look at how certificates would solve the three problems above:
1. Certificates, by their nature, are complex. They are effectively immune to brute-force attack. Also, a certificate is unique to the one website it is created for, so there is no password reuse.
2. and 3. Users could click whatever links they wanted, but the certificate would never reveal itself to any site except the genuine HTTPS site. Here, the certificate does the check that most users don't do. If users go to a fake site, they may try to log in, but there is no password for them to hand over to the attacker.
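As an added example that is not part of the original post, here is the arrangement described above built with Go's standard library: a constructed in-house CA (ca.example) issues a server certificate and a user certificate for alice; the site requires a certificate from that CA and takes the user's identity from it, so there is no password to guess or reuse; and the client trusts only that CA and is pinned to bank.example, so a server presenting any other name is refused before the client certificate is ever sent. The pinning is an assumption of the example (a general browser does not do it on its own); bank.example, alice and ca.example are constructed names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a certificate for name signed by the CA (self-signed root when ca is nil): parsed cert, its key, and a chain a TLS endpoint can present.
func issue(name string, isCA bool, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if ca == nil { // no issuer given: this is the root, so it signs itself
		ca, caKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}
}

// login runs an HTTPS server named serverName that demands a certificate from the in-house CA and takes the
// user's identity from it; the client trusts only that CA, presents user (nil = none) and, like a hostname-pinned
// client rather than a general browser, will only talk to bank.example. It returns who the server authenticated.
func login(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serverName string, user []tls.Certificate) (who string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, _, srvCert := issue(serverName, false, ca, caKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { who = r.TLS.PeerCertificates[0].Subject.CommonName })) // runs only after the client cert verified
	srv.TLS = &tls.Config{Certificates: srvCert, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	cfg := &tls.Config{RootCAs: pool, ServerName: "bank.example", Certificates: user}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return who, err // a refused host or a rejected client leaves who empty
}
```

Even on the genuine site the server receives only the certificate and a signature bound to that one handshake; the private key never leaves the client, which is why a captured login gives an attacker nothing to replay elsewhere.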
There are problems with certificates such as portability across computers, access from public computers and
even compromise of the certificate itself, but I think having the option to use certificate-based authentication
would greatly lessen the occurrence of these simple attacks. For now, however, the best defense is choosing an incredibly complex password, never clicking links, and checking the certificates of the websites visited.
On a side note, the US Government is working on this as well, but I think it is in the best interest of everyone if
private individuals and corporations create their own certificates.
Written by Redspin Engineer, David Bailey
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM