“I would love to kill the password dead, but I don’t know what we can replace it with that would be viable now,” said Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory, which has studied passwords.
Hackers send “phishing” emails or make phone calls to fool people into giving up their passwords, or use sophisticated software to flood systems with educated guesses.
According to last year’s federal indictment of five members of China’s People’s Liberation Army, that country’s cyberespionage Unit 61398 “stole the usernames and passwords for at least 7,000 employees” of Allegheny Technologies Inc., a specialty metals company headquartered in Pittsburgh, “allowing them to monitor activity on those systems and to steal ATI’s information in the future.”
“The beauty of the password hack is, it’s not elegant,” said David Kane, CEO of Ethical Intruder, a Pittsburgh company that helps clients find vulnerabilities to hackers. “But if I get the password of the CEO, people will never know that I hacked into the system.”
Though the five Chinese hackers have not been arrested, the indictment handed down by U.S. Attorney David Hickton was heralded at the conference as an important warning shot. However, it hasn’t awakened every corporate IT department to the vulnerability of password-protected networks.
“Unfortunately I think companies are probably pretty far behind in actually making that big switch” from passwords to more advanced network security, Kane said.
Technologists all over the world are floating apps that unlock your phone only when they see your face, fingerprint readers and retina scanners that connect to PCs, and wearable devices that automatically fill in your passwords but lock your computer when you step away. All have weaknesses.
“People are wary of the fingerprint. They’re wary of the eyeball scan,” Kane said. “It already has been proven with biometrics that if somebody can lift your fingerprint” they can enter your print-protected accounts.
There’s no guarantee that a fingerprint, once digitized, stored on a device and transmitted, can’t be snatched by a hacker, said Jeramie Scott, national security counsel for the Electronic Privacy Information Center.
“Unlike a password, once a biometric is compromised, it can’t be changed. That’s it,” Scott said. “We don’t want to trade off one privacy issue for another.”
He also worried about the potential for “mission creep.” If we all use our faces to unlock our phones, for instance, what’s to keep corporations or the government from using that database and the growing network of cameras to track our movements?
For the full story: http://www.govtech.com/security/Are-Biometrics-the-Future-of-Data-Security.html