Eric Sachs has a problem with recycling. Not paper or plastics, mind you. Passwords.
“About five years ago, we started to see a significant increase in the hijacking of Google accounts,” says Sachs, the group product manager for identity for Google. “We came to recognize it was a password reuse problem.”
Indeed, one recent study from the University of Cambridge concluded that the password reuse rate was at least as high as 31 percent and could be as high as 49 percent if one counts similar passwords. This means that if a hacker gets access to at least one of your passwords, he could have access to at least half your other accounts.
Sachs and his team immediately set out to improve the security of Google's accounts, and to offer guidance to other companies struggling with authentication security. Nowadays, Google's login process encompasses a “very explicit two-step verification” for users, Sachs says. The internet search engine company has also invested in risk-based management – similar to what is also used by Facebook and many financial institutions – that reviews every new login for potentially bad IP addresses or concerning geolocation coordinates, which might point to bad actors trying to get in. More recently, Google has adopted the mobile phone as a “key enabler” for what Sachs calls “smart identification.”
“Combining traditional risk signals, like IP address, with a second factor, like the mobile phone, reduces the risk,” he says. But it also comes at a cost. Sachs, who will not share specific numbers, says his identity team increased four-fold during this development period.
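The risk-based login review Sachs describes (scoring each new sign-in on signals such as the source IP and its geolocation, then deciding whether to let it through, step up to a second factor, or refuse it) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Google's code or any vendor's; the signal weights, the decision thresholds, the `BAD_IP_PREFIXES` denylist (a TEST-NET placeholder range) and the sample login events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed placeholder denylist; a real deployment would consult an IP reputation feed.
BAD_IP_PREFIXES = ("203.0.113.",)
# Travel faster than roughly airliner speed between two logins is treated as impossible.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(event, last, known_devices):
    """Return (risk score, reasons) for one login given the user's previous login and known devices."""
    score, reasons = 0, []
    if event.ip.startswith(BAD_IP_PREFIXES):
        score += 3
        reasons.append("denylisted_ip")
    if event.device_id not in known_devices:
        score += 1
        reasons.append("new_device")
    if last is not None:
        km = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = (event.ts - last.ts).total_seconds() / 3600.0
        # A non-positive interval (clock skew, replay) makes any real distance implausible.
        if km > 50 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            score += 2
            reasons.append("impossible_travel")
    return score, reasons


def decide(score):
    """Map a risk score to an outcome: allow, challenge (second factor), or block."""
    if score >= 3:
        return "block"
    if score >= 1:
        return "challenge"
    return "allow"


def run(events, known_devices):
    """Process logins in time order; returns a list of (user, decision, reasons)."""
    known = {u: set(d) for u, d in known_devices.items()}
    last = {}
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        score, reasons = score_login(ev, last.get(ev.user), known.setdefault(ev.user, set()))
        decision = decide(score)
        if decision == "allow":  # only trusted logins enrol a device (assumption)
            known[ev.user].add(ev.device_id)
        last[ev.user] = ev
        results.append((ev.user, decision, reasons))
    return results


# Constructed sample: London, then New York one hour later, then a denylisted IP on a new phone.
SAMPLE_EVENTS = [
    LoginEvent("alice", datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc), "198.51.100.10", 51.5074, -0.1278, "laptop-1"),
    LoginEvent("alice", datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc), "198.51.100.11", 40.7128, -74.0060, "laptop-1"),
    LoginEvent("alice", datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc), "203.0.113.5", 40.7128, -74.0060, "phone-9"),
]
KNOWN_DEVICES = {"alice": {"laptop-1"}}

if __name__ == "__main__":
    for user, decision, reasons in run(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"{user}: {decision} {reasons}")
```

The middle event shows why the second factor matters: the password may well be correct, but London to New York in an hour is not plausible, so the sign-in is challenged rather than refused outright, which keeps false positives from locking out travelling users.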
OUR EXPERTS: Beyond the password
Brennen Byrne, CEO, Clef
Frank Dickson, network security industry principal, Frost & Sullivan
Phillip Dunkelberger, CEO, Nok Nok Labs
Steve Kirsch, CEO, OneID
Charles McColgan, CTO, TeleSign
Eric Sachs, group product manager for identity, Google
Google's commitment to enhance its authentication procedures points up a growing problem with passwords. By most accounts, the password or PIN (at least as the sole form of verifying identity) is dead. However, the problem, as many experts see it, is that dead as they may be, passwords are still on life support. “Passwords were great when they were invented 50 years ago,” says Michael Barrett, president of the FIDO (Fast IDentity Online) Alliance, to which Google belongs. “Even a decade ago, passwords worked adequately on the internet. If you asked the average internet user how many user IDs and passwords they had back in 2004, they'd respond, ‘Maybe five or six. Why do you ask?' Now, they say, ‘I've got 30...and I can't cope any more.'”
Increasingly, the way consumers and employees cope with password overload is “to use the same password absolutely everywhere,” says Barrett. “That basically means that the security of their most secure account is now the security of the least secure place where they've used that same password.” Criminals know this, he adds, which, combined with data available about passwords, has led to an explosion in the number and scale of data breaches. In turn, Barrett claims, this has led to tens of billions of dollars (perhaps hundreds of billions) in losses for online service providers, financial institutions and other “relying parties” [co-operating sites using the OpenID standard] who are beginning to develop more complex risk-based authentication systems. “These systems staunch the bleeding, somewhat, for those organizations, but don't solve the problem for all of the other companies which provide internet-based services,” he says. “Passwords have had a good run, but they are clearly nearing the end of their lives,” says Barrett.
The Target breach is just the latest of the incidents that have sprung from password weakness, according to Phillip Dunkelberger, CEO of Nok Nok Labs, a company that develops stronger authentication. (Nok Nok Labs also developed the code that has become the basis for the FIDO Alliance's authentication protocol, he adds.) Passwords have remained well-entrenched, however, because “people think they're cheap,” Dunkelberger says. Aside from the untold expense of exposures and breaches, the cost of maintaining passwords can be more considerable than people realize. Password resets account for as much as 80 percent of the support costs associated with some companies' help desks, Dunkelberger claims. “They are not very secure, they don't help with privacy, and they are, in fact, really costly,” he says. “It used to be data was currency, now authentication is currency.”
Other experts agree. “We're stuck using 30-year-old technology,” says Steve Kirsch, CEO for OneID, an authentication security vendor. “People keep using the same password security and expecting a different result. When you have something this fundamentally insecure, it's not a question of if, but when you will be breached.”
The problem with passwords “is that they pit our memory against the computer's brute force, and we're reaching a point, as computers get stronger, where our memories just can't hold up,” says Brennen Byrne, CEO of Clef, a mobile authentication startup. “This is a long-term problem. An incredibly important part of the internet is about to fail.”