Saturday, September 22, 2012

No More Passwords

Too many websites have been breached in the past 24 months: 21 Sony sites, Gawker, and most recently LinkedIn. A minimum of 20 million passwords were leaked, causing chaos on the Internet: from an increase in spam originating from legitimate email accounts, to stolen credit cards used for money laundering via stolen email accounts attached to Amazon, PayPal, eBay and other online payment systems and stores.

Here is an article showing what password crackers have done with all those leaked passwords; in summary: minimal work is now needed to crack 90% of passwords in less than 24 hours!

Users are stupid. That is a fact well established thanks to all those leaks, where users have used the same password for their accounts as for their email. But for the website developers to also fail at understanding proper password hashing & encryption? That is the ultimate failure, one that users cannot see coming until it's too late.

So why are we still relying on passwords? I own accounts on at least 15 different websites, and I do not like the idea of Single Sign-On, where one password lets me log in to all of them. That's simply insecure & risky.

The answer is very simple: we don't need passwords in general. Websites should instead offer authorization/access codes, in combination with email addresses, to access content. Those codes are auto-generated by the website: random, long (128+ characters), and most importantly, the user does not have to input any data nor remember anything. It's important not to tie the code to any user data (salting).

The only things that need a password are email and online payment systems. Everything else should send its auth code by email. When users want to log in, they go to their email, open the message containing the code, and copy/paste it to log in.

If a website is cracked, users aren't at risk, and the website maintainers can simply regenerate all auth codes and email them to the users.
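As an added illustration of the scheme described above (this is example code written for this page, not code from the original post or from any project), here is a minimal server-side implementation: the site generates a 128-character code from a cryptographic random source, never derives it from user data, stores only a hash of it, verifies presented codes with a constant-time comparison, and can regenerate every code at once after a breach. The in-memory `USERS` dictionary, the function names, and the optional expiry are assumptions for the example; the post's own scheme keeps codes valid until regenerated, which is the default here.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store: email -> {"code_hash": ..., "expires_at": ...}.
# A real site would persist this; it is constructed here so the example runs offline.
USERS = {}

# 96 random bytes encode to exactly 128 URL-safe characters (no padding),
# matching the post's "128+ characters" recommendation.
CODE_BYTES = 96


def issue_access_code(email, ttl_seconds=None):
    """Generate a fresh access code for `email` and return it so it can be emailed.

    Only the SHA-256 hash is stored: a dump of USERS does not yield usable codes.
    The code comes from the OS CSPRNG and is not derived from any user data.
    ttl_seconds=None means the code stays valid until regenerated (the post's model).
    """
    code = secrets.token_urlsafe(CODE_BYTES)
    USERS[email] = {
        "code_hash": hashlib.sha256(code.encode()).hexdigest(),
        "expires_at": None if ttl_seconds is None else time.time() + ttl_seconds,
    }
    return code


def build_login_email(email, code):
    """Return the message body the site would send; sending itself is out of scope here."""
    return (
        f"To: {email}\n"
        "Subject: Your access code\n\n"
        "Paste this code on the login page (or bookmark the link):\n"
        f"{code}\n"
    )


def verify_access_code(email, code, now=None):
    """Check a presented code against the stored hash.

    hmac.compare_digest avoids leaking how many leading bytes matched.
    Since the code itself has ~768 bits of entropy, a fast hash is sufficient;
    slow password hashes exist to compensate for low-entropy human secrets.
    """
    record = USERS.get(email)
    if record is None:
        return False
    now = time.time() if now is None else now
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return False
    presented = hashlib.sha256(code.encode()).hexdigest()
    return hmac.compare_digest(presented, record["code_hash"])


def rotate_all_codes():
    """Breach response: regenerate every user's code. Returns email -> new code to email out."""
    return {email: issue_access_code(email) for email in list(USERS)}


if __name__ == "__main__":
    # Constructed sample flow: a user signs up, receives a code, logs in, then the site rotates.
    code = issue_access_code("alice@example.com")
    print(build_login_email("alice@example.com", code))
    print("login ok:", verify_access_code("alice@example.com", code))
    fresh = rotate_all_codes()
    print("old code still works:", verify_access_code("alice@example.com", code))
    print("new code works:", verify_access_code("alice@example.com", fresh["alice@example.com"]))
```

Note that `hmac.compare_digest` is applied to the hex digests rather than the raw codes, so the comparison is constant-time regardless of how the user-supplied string was formed.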

As for now, I adopted the "make a silly temp password" method. I keep forgetting passwords on purpose and every time, I reset the password and enter a new temporary and random password, until website maintainers cut the crap and ditch this password scheme.

4 comments:

qallaf89 said...

What a great informative article (didn't know about salting before)!

But I think I'm going to use the current password scheme, since I am fairly a noob and think that it's impractical to go to my email every time I want to sign in.

MBH said...

qallaf89,

Thank you for the visit. The post is quite brief & there are many great articles on the web about salting if you're interested.

Anonymous said...

What do you think happens to the e-mail address you use to access all sites....

It will be spammed to hell :)

MBH said...

Anonymous,
It's not going to spam it.

I already implemented it for a project of mine. It sends the link if you deleted the old email, or want to generate a new access link.

In normal cases, you'd open the link from the email or have it bookmarked.