Recently, the Heartbleed vulnerability (CVE-2014-0160) was discovered in the OpenSSL cryptographic library: a missing bounds check in the TLS heartbeat extension let a remote peer read up to 64 KB of a server's memory per request, and that memory could hold other users' passwords, session cookies or even the server's private key. Few confirmed incidents of malicious exploitation had been reported at the time, yet Heartbleed took the internet by storm, simply because OpenSSL is so widely deployed. Almost every other entity, from social networking giants like Facebook to popular domain registrars, web hosting providers and SaaS vendors, uses OpenSSL, and thus Heartbleed affected one and all.
While there is a lot to be learned from Heartbleed, it also brought to the fore a security issue that should by now be obsolete but isn't: the use of passwords as the sole authentication mechanism. In this article, I will discuss why the internet needs an alternative to passwords, and how the fallout of incidents like Heartbleed could be contained.
The Generic Response To Heartbleed
Most providers and brands were quick to react to the Heartbleed threat, and OpenSSL was updated at the earliest opportunity. What followed, however, was more of a disappointment.
Having patched their OpenSSL installations, almost every provider then emailed its users asking them to change their passwords, on the grounds that any password sent to a vulnerable server might have been read out of its memory. (The order matters: a password changed before the server is patched can simply leak again.)
This is where everything goes amiss.
Quick, tell me: how many websites do you have passwords on? 200+? Where do you store them? A password manager? The web browser? Or do you follow the ill-advised but sadly common practice of reusing one password across multiple sites?
In any case, how does one go about changing passwords all over the internet? I stopped using a password wallet a long time back, and last I checked, it told me I had 162 passwords in there.
As such, when a brand or provider emailed its users asking them to update their passwords, it knew full well that most users would not bother. Not out of laziness; not because people do not wish to; but simply because there are far too many passwords per user to change.
The response was disappointing, and it exposed an overlooked but mighty important aspect of web security: passwords have been with us since the birth of computing, and they have not aged well. It is time for a change.
Passwords Need To Go
The logic behind passwords no longer fits the present-day internet. Set aside the obvious mistakes: a single dictionary word, a password written on a sticky note, a girlfriend's date of birth guarding a bank account. Even the strongest password has one basic flaw: it is a single secret, and once that secret is compromised, you're gone. As simple as that!
Therefore, passwords need to be either fixed or eliminated. Relying on a single password to protect an account is just too unsafe, and with threats rising faster than we would like to think, it is in everyone's interest to fix the password crisis.
How? Here is the answer!
We need not look far to find a cure because we seem to have already discovered it.
Two-factor authentication is the way out, albeit with some changes.
As of now, many services, such as Google, offer two-factor authentication to their users. You enter your username and password, and are then sent a one-time code by text message or voice call to your mobile phone; entering that code authenticates you for the session. An attacker who has guessed or phished your password still cannot log in without the code, so the account survives the password leak. One caveat: a code delivered by SMS is only as secure as the phone number it is sent to, which is why authenticator apps and hardware tokens make the stronger second factor.
We can build upon this method in any way we deem fit. For example, the voice call or text message can be replaced by a code sent to a registered email address, though that only helps if the mailbox itself is protected by more than a password. The logic is not to make the login process bulkier, but to reduce the excessive reliance on the password.
Similarly, one-time authorization codes can be sent via email, SMS or voice call, and once the user enters the code, a longer-lived login token can be issued to that device for that user. Imagine this system being in place. How would the world have reacted to Heartbleed then? Simply discard all existing login tokens, so that each user just needs to log in again with a new authorization code. That's all! No passwords to be changed.
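As an added example (not code from the original article), here is the flow of the last few paragraphs in Python: a six-digit one-time code is generated and stored only as a keyed hash with a five-minute expiry and a retry limit; redeeming it issues a random device token, also stored hashed; and revoke_all() bumps a generation counter so every outstanding token dies at once, which is the Heartbleed response described above. The in-memory dictionaries stand in for a database, request_code returns the code instead of sending it so the flow runs offline, and the class, method and constant names are my own assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6             # length of the one-time authorization code
CODE_TTL = 5 * 60           # a code is valid for five minutes
CODE_ATTEMPTS = 3           # wrong guesses allowed before the code is voided
TOKEN_TTL = 30 * 24 * 3600  # a device token is valid for thirty days


def keyed_digest(server_key: bytes, value: str) -> str:
    """HMAC-SHA256 of a code or token.

    Only the digest is stored, so a leaked table holds nothing a thief can
    replay; server_key is assumed to live outside the database.
    """
    return hmac.new(server_key, value.encode(), hashlib.sha256).hexdigest()


class PasswordlessAuth:
    """One-time codes plus revocable per-device login tokens (assumed design)."""

    def __init__(self, server_key: bytes, clock=time.time):
        self.server_key = server_key
        self.clock = clock          # injectable so tests can move time forward
        self.pending = {}           # user -> (code digest, expiry, attempts left)
        self.tokens = {}            # token digest -> (user, device, expiry, generation)
        self.generation = 0         # bumped by revoke_all(); older tokens stop working

    def request_code(self, user: str) -> str:
        """Create a fresh code for `user`, voiding any earlier pending one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = (keyed_digest(self.server_key, code),
                              self.clock() + CODE_TTL, CODE_ATTEMPTS)
        # Real deployment: hand `code` to the SMS/voice/email sender here and
        # return nothing to the caller. Returned only so the example runs offline.
        return code

    def redeem_code(self, user: str, code: str, device: str):
        """Exchange a valid code for a device token; None on any failure."""
        entry = self.pending.get(user)
        if entry is None:
            return None
        digest, expiry, attempts = entry
        if self.clock() > expiry:
            del self.pending[user]              # expired codes are dead
            return None
        if not hmac.compare_digest(digest, keyed_digest(self.server_key, code)):
            attempts -= 1                       # throttle brute force on six digits
            if attempts == 0:
                del self.pending[user]
            else:
                self.pending[user] = (digest, expiry, attempts)
            return None
        del self.pending[user]                  # single use
        token = secrets.token_urlsafe(32)
        self.tokens[keyed_digest(self.server_key, token)] = (
            user, device, self.clock() + TOKEN_TTL, self.generation)
        return token

    def check_token(self, token: str):
        """Return the user a token belongs to, or None if it is invalid."""
        key = keyed_digest(self.server_key, token)
        entry = self.tokens.get(key)
        if entry is None:
            return None
        user, _device, expiry, generation = entry
        if self.clock() > expiry or generation != self.generation:
            del self.tokens[key]                # drop stale or revoked tokens
            return None
        return user

    def revoke_all(self) -> None:
        """Incident response: every device must log in again with a new code."""
        self.generation += 1
        self.pending.clear()


if __name__ == "__main__":
    auth = PasswordlessAuth(b"server-side secret, not in the database")
    code = auth.request_code("alice")          # would be texted to alice
    token = auth.redeem_code("alice", code, "alice-phone")
    print("token valid for:", auth.check_token(token))
    auth.revoke_all()                          # e.g. right after patching OpenSSL
    print("after revoke_all:", auth.check_token(token))
```

The generation counter is what makes the Heartbleed scenario cheap: one increment invalidates every token ever issued, without touching per-user records or asking anyone to remember a new secret. The retry limit matters because a six-digit code has only a million possibilities; without it, an attacker who can trigger a code for a victim could simply enumerate them.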
Heartbleed, thankfully, was not as damaging as it could have been. However, it is high time the world reconsidered the use of passwords. Once again, we may not need to eliminate all passwords overnight, but we should seriously consider a one-time method of authentication, delivered via mobile devices or email. With services such as Mandrill and Twilio rising in popularity, implementing this mechanism hardly involves any rocket science.
Certain hiccups do exist, such as what happens when a user changes their phone number. A workaround can always be found by letting the user register multiple phone numbers and/or email addresses, or by using a service such as Skype or Google Voice for authentication calls, though a number that is itself protected only by a password brings the original problem back through the side door. The point is clear: when it comes to online security, authenticating by means of a device you carry with you almost all day has proven to be much better than a simple login with a password. Google has stressed the importance of two-factor authentication as well, so a mechanism that leans far less on the password is definitely the way forward!
What do you think of Heartbleed and the resultant issues? Got any security ideas of your own? Share them with us using the comments below!
Image Credits: Simon Lieschke