One of the challenges with securing your credit card data is that once you engage in a transaction, you’ve given away the very thing you want to secure.

The entire principle of a credit card involves divulging data that has value to a third party (in exchange for goods). As a consumer, you have absolutely no way to track who has access to that data after it leaves your possession.

It’s a problem when you buy something online, when you pay for a meal at a restaurant, or when you make a political donation. The problem is only partly mitigated by the requirements the PCI Security Standards Council imposes on merchants and processors through the PCI Data Security Standard (PCI DSS).

All of these same issues exist with password authentication. Using a username and password to authenticate is a transaction where you turn over something of value in exchange for some goods. You have zero assurance about what happens to that data after you hand it over.

You might have some confidence that a large company with a strong brand wouldn’t blatantly mistreat your precious password, but frankly, that confidence is rationalization. Code is code, and people are people.

This article from Deloitte gives a good description of the risk:

How do passwords get hacked? Most organizations keep usernames and passwords in a master file… So far, so secure. However, master files are often stolen or leaked.

A hashed file is not immediately useful to a hacker, but various kinds of software and hardware, discussed in this Prediction, can decrypt the master file and at least some of the usernames and passwords. Decrypted files are then sold, shared or exploited by hackers.

The fact is that password strength only protects you against one attack: offline cracking of a leaked file in which the passwords were salted and hashed with a deliberately slow function. It does nothing for you if the site stores passwords in the clear, hashes them with a fast unsalted function, or silently throws part of your password away, and you have no way of knowing which of those it does. What do I mean?

Here’s an example of Microsoft checking only part of the password you enter: even if you typed a very long password, everything past the cutoff was simply never used. This is what I mean when I say you have no guarantee how your password is treated after you hand it over.

There are two solutions to this problem. The first is to drive transparency through the process: user-verifiable standards and open source authentication and identity mechanisms would let you check how your credentials are handled instead of taking it on faith.

Using a personal password vault is something you can do today to take back a little control of your credentials: with a unique password for every site, a Facebook compromise can’t turn into a personal financial crisis.

The second solution is to stop using passwords as the primary means of authentication. Solutions that employ multiple factors are starting to appear, but we’re a long way off from pervasive use.

Tim Erlin

Tim Erlin has contributed 11 posts to The State of Security.