Are passwords passe?
Nov. 20th, 2012 11:48 pm

Interesting (LONG!) article by Mat Honan. You might remember his name as the reporter whose Twitter, Google, Amazon, and Apple accounts were hacked a couple of months ago; his MacBook Air was remotely erased and both his Air and iPhone were bricked, clobbering all of the photos of his 18-month-old daughter which he had not backed up.
Mat's accounts were hacked via social engineering because of multiple security failures, and I'm not going to get into how; if you're interested, just search for his name and 'hacked' and you'll probably find plenty of articles. He wrote at least two stories for Wired about the event. It all started with an underage vandal who was envious of Mat's three-letter Twitter handle, @Mat, and who destroyed Mat's digital life for the lulz. Mat screwed up in two main ways. First, he used the same passwords for multiple critical services. Second, he had no backups of his Air; he was just begging for a failure to wipe everything out. Fortunately, at very high cost, a data recovery company was able to recover the photos and videos of his daughter.
I'm certain he's going to be diligent about his backups in the future.
ANYWAY, this article argues that passwords are worthless for truly protecting you, and he has a number of valid points. A lot of exploits bypass password-based account security entirely: keystroke logging, man-in-the-middle attacks on unencrypted connections, or stealing poorly salted password hash files directly from servers and running them against rainbow tables. Just ask Sony; they were out on the order of $170+ million for their PlayStation Network hack.
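The "poorly salted hash file versus rainbow table" point is worth seeing concretely. The following is an added example, not code from Mat's article or from this post; the user names, passwords and wordlist are constructed, and the precomputed table is a plain dictionary standing in for a rainbow table. It stores the same constructed accounts two ways, unsalted SHA-1 and per-user random salt with PBKDF2, then shows that the precomputed table recovers the unsalted records with one lookup each and never matches a salted record, so an attacker holding the salted file has to pay the full KDF cost for every guess against every user.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a precomputed (rainbow) table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]

# Constructed "leaked" accounts; two use passwords from the wordlist, one does not.
USERS = {"alice": "letmein", "bob": "hunter2", "carol": "Tr0ub4dor&3"}

# Iteration count for the slow KDF (assumption for the demo; tune for your hardware).
PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password):
    """The weak scheme: one deterministic hash per password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_precomputed_table(words):
    """Attacker-side precomputation: hash -> plaintext for every common word.
    Computed once and reusable against every leak that uses the same scheme."""
    return {unsalted_sha1(w): w for w in words}


def crack_unsalted_store(store, table):
    """Each unsalted record falls to a single dictionary lookup."""
    return {user: table[h] for user, h in store.items() if h in table}


def salted_pbkdf2(password, salt=None):
    """The hardened scheme: 16 random salt bytes per user plus a slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_salted(password, salt, dk):
    """Recompute and compare in constant time so verification leaks nothing via timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, dk)


def guessing_cost_against_salted_store(store, words):
    """With per-user salts the precomputed table is useless: every guess must be
    re-derived for every record at full KDF cost. Returns the records whose
    passwords were in the wordlist and the number of KDF evaluations spent."""
    recovered, kdf_calls = {}, 0
    for user, (salt, dk) in store.items():
        for w in words:
            kdf_calls += 1
            if verify_salted(w, salt, dk):
                recovered[user] = w
                break
    return recovered, kdf_calls


def demo():
    unsalted_store = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted_store = {u: salted_pbkdf2(p) for u, p in USERS.items()}
    table = build_precomputed_table(COMMON_PASSWORDS)

    cracked_unsalted = crack_unsalted_store(unsalted_store, table)
    # The precomputed table never matches a salted record.
    table_hits_on_salted = sum(1 for _, dk in salted_store.values() if dk.hex() in table)
    weak_salted, kdf_calls = guessing_cost_against_salted_store(salted_store, COMMON_PASSWORDS)
    return cracked_unsalted, table_hits_on_salted, weak_salted, kdf_calls


if __name__ == "__main__":
    cracked, hits, weak, calls = demo()
    print("unsalted records cracked by lookup:", cracked)
    print("precomputed-table hits on salted records:", hits)
    print("salted records with wordlist passwords:", weak, "after", calls, "KDF evaluations")
```

Note what the salt does and does not buy you: alice and bob still fall because their passwords are in the wordlist, but only after the attacker pays the KDF cost per user rather than once for everyone, and carol's stronger password is never recovered. That is exactly why the combination of per-user salts, a slow KDF, and unique passwords per service matters more than any one of them alone.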
Mat offers a few suggestions. For example, if you're traveling and need to access your bank account, the system sends your picture to three friends and has to get them to say "Yes, this is Bob" before you can be granted access. I find this concept interesting, but also potentially subvertible.
It boils down to computer security being an eternal game of whack-a-mole against bad guys, and to paraphrase Ronald Reagan, the price of computer security is eternal vigilance.
http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/