• Follow us

Internet

Leaked passwords are only the tip of the iceberg when you trust a central authority

Recently, it was reported that over 600 million user passwords were maintained in clear-text within application logs at Facebook. Facebook has since announced that they will notify each user affected and will fix the problem. While the company is not aware of any malicious access to these logs and claims that only Facebook developers have access to the data, there may be no way to tell if the logs with clear-text passwords have ever been hijacked or not. After all, stolen usernames and passwords are not used only against the target website for malicious intent – they are often the keys for the fraudsters to access even more important websites such as bank accounts, e-commerce sites and other services where the same passwords are used by users. A simple search on Google will show studies that claim 52 per cent to 80 per cent of users use the same passwords for all of their online services. For many other users, only a handful of passwords are rotated between different sites as managing and remembering them is difficult.

It is unreasonable to think that a company like Facebook would purposely expose user passwords in Application logs or any other method. However, Facebook, similar to other services that have faced similar mistakes such as Twitter and GitHub, are software companies where large teams of developers write software-programs to enable the services. Invariably, they will have inadvertent bugs or oversights that cause such exposure of user identity information.

The true cause of the problem isn’t what one company does or doesn’t do with their security, but the underlying premise that personally identifiable information along with authentication credentials (e.g., a password) are shared with central services, such as Facebook, with the inherent trust that they will do the right thing in protecting our data. Once these services receive this data, the user no longer has control over what happens to that data. Any weakness in the central service’s security can expose the user data and allow it to be compromised. We have seen this story played over and over again with hundreds of millions to billions of user identity information breached and stolen by hackers.

The problem is that our existing username and password paradigm necessarily depends on a central service provider to maintain copies of our identity credentials and require us to trust them in the exchange of that information, usually in-the-raw over SSL, for them to validate and authenticate us. While the SSL connection may be partially secure, the service providers gets clear-text access to the data and passwords. It is then up to them – not us – to control and maintain the security of that data.

Each service provider in-fact owns our identity for their service – we are merely users of that identity. If they own it, it can be stolen from them.

Leaked passwords, then become only the tip of the iceberg. With stolen passwords, fraudsters will be empowered to identify themselves as real-users and go well beyond authentication. They will be able to authorise transactions, access multitudes of services, get access to credit card and other payment information and in many cases, even change second factors.

User-owned identity – the future

In recent times, there has been much discussion on user-owned identities through what is often referred to as distributed-identity. This is where the user ID information and credentials that can prove that unique ID is maintained on the user’s device and not on a central server. The credentials use private/public key mechanisms where the private-key is maintained on the phone only and is never shared - service providers verify the user using only the user’s public-key. Furthermore, the identity of the user can be certified by a service provider to verify the user. The certifications once again are not trusted to a central server, but a Distributed Ledger Technology (DLT) that is also referred to as a blockchain.

This approach eliminates the need for both usernames and passwords. The combination of the private-key and the certifications on the DLT inverse the ownership of the user’s Identity – service providers are no longer the stewards and owners of the ID, they merely validate it. Since they never get a copy of the private-key, they can’t store user’s authentication codes that a hacker may get access to in a breach.

This distributed identity mechanism can go beyond authenticating a user, and in fact allow the user to maintain other attestations and certified data that is kept with them – encrypted on their personal devices – and only shared with their explicit permission and action with parties they choose to. This is in complete contrast to providing permission to a service-provider to share a user’s data with another third-party as a proxy. Distributed identity can remove the need for the trusted middle-man and give control of data sharing, authentication and information claims to the user. This increases both security and user privacy.  Distributed identity doesn’t simply provide a protocol for a more secure environment to protect passwords – it eliminates it altogether.

Bridging the future

While distributed identity may sound like the right solution to solve incredibly big problems, it is disruptive as compared to current implementations and hence requires change in order to adopt. While new services can incorporate such solutions easier, existing, large-scale solutions face more difficulties. Not only will the existing infrastructures have to change their existing implementations, they also need to train their users to adopt a new way of managing their identities and motivate them to migrate. This causes an unavoidable obstacle to adoption.

It is therefore important to create bridges between distributed-identity solutions and existing paradigms that rely on usernames and passwords.

By incorporating SAML and OpenID standards that integrate with existing enterprise Single Sign On (SSO) services, companies can adopt distributed identities without writing any code and have their staff use the same portals to access their services, but without usernames and passwords. This opens up the path to much greater usage of the identity used with the SSO to extend to consumer uses and beyond. In this approach, SAML and OpenID are simply a bridge to a more secure interface today and expanded use of identity in the future. This is done while eliminating the need for storage or exchange of passwords altogether.

With the increasing number of compromised passwords and user identities, it is no longer an option to simply build taller walls to secure those identities – a new approach is needed. Distributed Identity has that promise.

Armin Ebrahimi, Founder and CEO, ShoCard

Read More



Leave A Comment

More News

Latest ITProPortal news

Foxconn president resigns to run for office 2019-06-21 08:00:29He wants to focus on his presidential campaign.

Google confirms it's leaving the tablet business 2019-06-21 07:58:09It's throwing everything it has into the laptop business.

US city votes to pay ransomware demand 2019-06-21 07:30:31Riviera Beach can't catch a break.

iPaaS: The true digital transformation enabler 2019-06-21 07:00:33At the heart of any digital transformation project is the same principle – getting access to data and managing that data effectively.

5G can help start ups compete better 2019-06-21 06:30:585G could give birth to a whole new wave of start-up businesses, who would leverage the technology to compete better against well-established players i

Leaked passwords are only the tip of the 2019-06-21 06:30:45The true cause of the problem isn’t what one company does or doesn’t do with their security, but the underlying premise that personally id

The rise of voice commerce 2019-06-21 06:00:46This is a burgeoning trend that could be a huge market in the very near future.

IT issues creating workplace "black hole" 2019-06-21 06:00:33Employees are losing hours fixing stuff around the office.

GDPR compliance: is your business at risk of 2019-06-21 05:30:57Since the introduction of GDPR last year, small businesses have faced increased pressure to develop and alter their existing policies in line with the

How continuous deployment can help you keep pace 2019-06-21 05:00:10With every company now a software company, here's how continuous deployment makes you stand out from the crowd.

Keeping up with digital transformation: Is your ERP 2019-06-21 04:30:46Digital transformation need not be a scary term, but the foundation of your ERP strategy.

Why the jewellery sector is in major need 2019-06-21 04:00:07How blockchain and modern technology has helped to change the way the sector is functioning.

TechRadar: Internet news

Shenmue 3: release date, trailers and news 2019-07-03 13:36:18Here's all we know about the long-awaited Shenmue 3 so far, with the latest trailers.

The best Ultrabooks 2019: top thin and light 2019-07-03 13:35:34We've put together a definitive list of the best Ultrabooks.

Nvidia GeForce RTX 2060 Super vs RTX 2060: 2019-07-03 13:33:13How much has the RTX 2060 Super improved upon the original RTX 2060? We investigate.

How to get rid of spyware forever 2019-07-03 13:30:45Tactics for keeping spyware at bay vary by device and operating system. However, having antivirus installed are prerequisites.

The best gaming PC 2019: 10 of the 2019-07-03 13:07:14Equipped with the latest processors and graphics cards, these are the best gaming PCs of 2019.

Chinese officials reportedly installed spyware on tourist phones 2019-07-03 13:05:26Border agents have begun to snoop and install spyware on the smartphones of travelers trying to enter China's Xinjiang region.

The best monitor 2019: the top 10 monitors 2019-07-03 12:41:29We've dug deep to find only the best monitors in the US, UK and Australia.

Leaked image hints Nintendo Switch mini is in 2019-07-03 12:37:29Leaked images of a Switch Mini cover suggests the new Nintendo Switch will be a more compact version.

Disney Plus price, release date, shows and movies 2019-07-03 12:33:59Disney Plus will include exclusive shows and movies from the Marvel, Star Wars and Pixar universes – as well as The Simpsons.

Samsung Cloud storage: Everything you need to know 2019-07-03 12:33:34Check out the cloud storage option that’s present on all Samsung smartphones and tablets.

Dell Black Friday in July sale: deals on 2019-07-03 12:32:20The Dell Black Friday in July sale has begun, and it's a Prime Day preview for laptops, TVs, desktops and more.

Best processors 2019: the best CPUs for your 2019-07-03 12:31:05We’ve hand-picked the 10 best CPUs to get your PC running around at the speed of sound.

TechCrunch » Enterprise

Attend TC Sessions: Enterprise and score a free 2019-07-11 16:00:31We can’t wait to dig into the competitive, high-stakes world of enterprise software at TC Sessions: Enterprise 2019 on September 5 at the Yerba

Microsoft says Teams now has 13M daily active 2019-07-11 15:00:14Teams, Microsoft’s two-year-old Slack competitor, is the company’s fastest-growing application in its history. That’s something Micr

Andrew Ng to talk about how AI will 2019-07-11 12:49:37When it comes to applying AI to the world around us, Andrew Ng has few if any peers. We are delighted to announce that the renowned founder, investor,

Swit, a collaboration suite that offers ‘freedom from 2019-07-11 09:00:53A marketplace dominated by Slack and Microsoft Teams, along with a host of other smaller workplace communication apps, might seem to leave little room

OneTrust raises $200M at a $1.3B valuation to 2019-07-11 08:17:13GDPR, and the newer California Consumer Privacy Act, have given a legal bite to ongoing developments in online privacy and data protection: it’s

Signavio raises $177M at a $400M valuation for 2019-07-11 07:11:05Robotic Process Automation has been the name of the game in enterprise software lately — with organizations using advances in machine learning a

SAP CEO Bill McDermott will join us at 2019-07-10 12:15:07You can’t talk about enterprise software without talking about SAP, the German software giant that now has a market cap of more than $172 billio

Anvyl, looking to help D2C brands manage their 2019-07-10 08:30:52Growing D2C brands face an interesting challenge. While they’ve eliminated much of the hassle of a physical storefront, they must still deal wit

Visa funds $40M for no-password crypto vault Anchorage 2019-07-10 08:00:12Visa and Andreessen Horowitz are betting even bigger on cryptocurrency, funding a big round for fellow Facebook Libra Association member Anchorage&rsq

Box CEO Aaron Levie is coming to TC 2019-07-08 13:00:57Box co-founder, chairman and CEO Aaron Levie took his company from a consumer-oriented online storage service to a publicly traded enterprise powerhou

Grasshopper’s Judith Erwin leaps into innovation banking 2019-07-08 12:01:01In the years following the financial crisis, de novo bank activity in the US slowed to a trickle. But as memories fade, the economy expands and the po

15Five raises $30.7M to expand its employee development 2019-07-08 10:17:02Technology has been used to improve many of the processes that we use to get work done. But today, a startup has raised funding to build tech to impro


Disclaimer and Notice:WorldProNews.com is not responsible of these news or any information published on this website.