• Follow us


Leaked passwords are only the tip of the iceberg when you trust a central authority

Recently, it was reported that over 600 million user passwords were maintained in clear-text within application logs at Facebook. Facebook has since announced that they will notify each user affected and will fix the problem. While the company is not aware of any malicious access to these logs and claims that only Facebook developers have access to the data, there may be no way to tell if the logs with clear-text passwords have ever been hijacked or not. After all, stolen usernames and passwords are not used only against the target website for malicious intent – they are often the keys for the fraudsters to access even more important websites such as bank accounts, e-commerce sites and other services where the same passwords are used by users. A simple search on Google will show studies that claim 52 per cent to 80 per cent of users use the same passwords for all of their online services. For many other users, only a handful of passwords are rotated between different sites as managing and remembering them is difficult.

It is unreasonable to think that a company like Facebook would purposely expose user passwords in Application logs or any other method. However, Facebook, similar to other services that have faced similar mistakes such as Twitter and GitHub, are software companies where large teams of developers write software-programs to enable the services. Invariably, they will have inadvertent bugs or oversights that cause such exposure of user identity information.

The true cause of the problem isn’t what one company does or doesn’t do with their security, but the underlying premise that personally identifiable information along with authentication credentials (e.g., a password) are shared with central services, such as Facebook, with the inherent trust that they will do the right thing in protecting our data. Once these services receive this data, the user no longer has control over what happens to that data. Any weakness in the central service’s security can expose the user data and allow it to be compromised. We have seen this story played over and over again with hundreds of millions to billions of user identity information breached and stolen by hackers.

The problem is that our existing username and password paradigm necessarily depends on a central service provider to maintain copies of our identity credentials and require us to trust them in the exchange of that information, usually in-the-raw over SSL, for them to validate and authenticate us. While the SSL connection may be partially secure, the service providers gets clear-text access to the data and passwords. It is then up to them – not us – to control and maintain the security of that data.

Each service provider in-fact owns our identity for their service – we are merely users of that identity. If they own it, it can be stolen from them.

Leaked passwords, then become only the tip of the iceberg. With stolen passwords, fraudsters will be empowered to identify themselves as real-users and go well beyond authentication. They will be able to authorise transactions, access multitudes of services, get access to credit card and other payment information and in many cases, even change second factors.

User-owned identity – the future

In recent times, there has been much discussion on user-owned identities through what is often referred to as distributed-identity. This is where the user ID information and credentials that can prove that unique ID is maintained on the user’s device and not on a central server. The credentials use private/public key mechanisms where the private-key is maintained on the phone only and is never shared - service providers verify the user using only the user’s public-key. Furthermore, the identity of the user can be certified by a service provider to verify the user. The certifications once again are not trusted to a central server, but a Distributed Ledger Technology (DLT) that is also referred to as a blockchain.

This approach eliminates the need for both usernames and passwords. The combination of the private-key and the certifications on the DLT inverse the ownership of the user’s Identity – service providers are no longer the stewards and owners of the ID, they merely validate it. Since they never get a copy of the private-key, they can’t store user’s authentication codes that a hacker may get access to in a breach.

This distributed identity mechanism can go beyond authenticating a user, and in fact allow the user to maintain other attestations and certified data that is kept with them – encrypted on their personal devices – and only shared with their explicit permission and action with parties they choose to. This is in complete contrast to providing permission to a service-provider to share a user’s data with another third-party as a proxy. Distributed identity can remove the need for the trusted middle-man and give control of data sharing, authentication and information claims to the user. This increases both security and user privacy.  Distributed identity doesn’t simply provide a protocol for a more secure environment to protect passwords – it eliminates it altogether.

Bridging the future

While distributed identity may sound like the right solution to solve incredibly big problems, it is disruptive as compared to current implementations and hence requires change in order to adopt. While new services can incorporate such solutions easier, existing, large-scale solutions face more difficulties. Not only will the existing infrastructures have to change their existing implementations, they also need to train their users to adopt a new way of managing their identities and motivate them to migrate. This causes an unavoidable obstacle to adoption.

It is therefore important to create bridges between distributed-identity solutions and existing paradigms that rely on usernames and passwords.

By incorporating SAML and OpenID standards that integrate with existing enterprise Single Sign On (SSO) services, companies can adopt distributed identities without writing any code and have their staff use the same portals to access their services, but without usernames and passwords. This opens up the path to much greater usage of the identity used with the SSO to extend to consumer uses and beyond. In this approach, SAML and OpenID are simply a bridge to a more secure interface today and expanded use of identity in the future. This is done while eliminating the need for storage or exchange of passwords altogether.

With the increasing number of compromised passwords and user identities, it is no longer an option to simply build taller walls to secure those identities – a new approach is needed. Distributed Identity has that promise.

Armin Ebrahimi, Founder and CEO, ShoCard

Read More

Leave A Comment

More News

Latest ITProPortal news

Foxconn president resigns to run for office 2019-06-21 08:00:29He wants to focus on his presidential campaign.

Google confirms it's leaving the tablet business 2019-06-21 07:58:09It's throwing everything it has into the laptop business.

US city votes to pay ransomware demand 2019-06-21 07:30:31Riviera Beach can't catch a break.

iPaaS: The true digital transformation enabler 2019-06-21 07:00:33At the heart of any digital transformation project is the same principle – getting access to data and managing that data effectively.

5G can help start ups compete better 2019-06-21 06:30:585G could give birth to a whole new wave of start-up businesses, who would leverage the technology to compete better against well-established players i

Leaked passwords are only the tip of the 2019-06-21 06:30:45The true cause of the problem isn’t what one company does or doesn’t do with their security, but the underlying premise that personally id

The rise of voice commerce 2019-06-21 06:00:46This is a burgeoning trend that could be a huge market in the very near future.

IT issues creating workplace "black hole" 2019-06-21 06:00:33Employees are losing hours fixing stuff around the office.

GDPR compliance: is your business at risk of 2019-06-21 05:30:57Since the introduction of GDPR last year, small businesses have faced increased pressure to develop and alter their existing policies in line with the

How continuous deployment can help you keep pace 2019-06-21 05:00:10With every company now a software company, here's how continuous deployment makes you stand out from the crowd.

Keeping up with digital transformation: Is your ERP 2019-06-21 04:30:46Digital transformation need not be a scary term, but the foundation of your ERP strategy.

Why the jewellery sector is in major need 2019-06-21 04:00:07How blockchain and modern technology has helped to change the way the sector is functioning.

TechRadar: Internet news

The best student laptops: all the best options 2019-07-03 14:17:34The best laptops for college students – everything from Chromebooks to the new Dell XPS 13.

GTA 6: all the latest news and rumors 2019-07-03 14:05:37Now that Red Dead Redemption 2's development is over, we can't help but speculate about Grand Theft Auto 6...

God of War 2 PS4: everything we know 2019-07-03 14:04:28We've gathered all the rumors and news surrounding the God of War sequel.

Shenmue 3: release date, trailers and news 2019-07-03 13:36:18Here's all we know about the long-awaited Shenmue 3 so far, with the latest trailers.

The best Ultrabooks 2019: top thin and light 2019-07-03 13:35:34We've put together a definitive list of the best Ultrabooks.

Nvidia GeForce RTX 2060 Super vs RTX 2060: 2019-07-03 13:33:13How much has the RTX 2060 Super improved upon the original RTX 2060? We investigate.

How to get rid of spyware forever 2019-07-03 13:30:45Tactics for keeping spyware at bay vary by device and operating system. However, having antivirus installed are prerequisites.

The best gaming PC 2019: 10 of the 2019-07-03 13:07:14Equipped with the latest processors and graphics cards, these are the best gaming PCs of 2019.

Chinese officials reportedly installed spyware on tourist phones 2019-07-03 13:05:26Border agents have begun to snoop and install spyware on the smartphones of travelers trying to enter China's Xinjiang region.

The best monitor 2019: the top 10 monitors 2019-07-03 12:41:29We've dug deep to find only the best monitors in the US, UK and Australia.

Disney Plus price, release date, shows and movies 2019-07-03 12:33:59Disney Plus will include exclusive shows and movies from the Marvel, Star Wars and Pixar universes – as well as The Simpsons.

Samsung Cloud storage: Everything you need to know 2019-07-03 12:33:34Check out the cloud storage option that’s present on all Samsung smartphones and tablets.

TechCrunch » Enterprise

Equinix and Singapore’s GIC will launch a $1 2019-07-02 00:20:35Equinix, one of the world’s largest data center companies, announced that it will form a $1 billion joint venture with GIC, Singapore’s so

Video platform Kaltura adds advanced analytics 2019-07-01 15:15:26You may not be familiar with Kaltura‘s name, but chances are you’ve used the company’s video platform at some point or another, give

We’ll talk even more Kubernetes at TC Sessions: 2019-07-01 12:00:58You can’t go to an enterprise conference these days without talking containers — and specifically the Kubernetes container management syst

Tara.ai, which uses machine learning to spec out 2019-07-01 06:09:59Artificial intelligence has become an increasingly important component of how a lot of technology works; now it’s also being applied to how tech

Enterprise SaaS revenue hits $100B run rate, led 2019-06-28 11:48:44In its most recent report, Synergy Research, a company that monitors cloud marketshare, found that enterprise SaaS revenue passed the $100 billion run

We’re talking Kubernetes at TC Sessions: Enterprise with 2019-06-27 12:48:01Over the past five years, Kubernetes has grown from a project inside of Google to an open source powerhouse with an ecosystem of products and services

Fellow raises $6.5M to help make managers better 2019-06-27 11:21:30Managing people is perhaps the most challenging thing most people will have to learn in the course of their professional lives – especially beca

Fungible raises $200 million led by SoftBank Vision 2019-06-27 11:00:24Fungible, a startup that wants to help data centers cope with the increasingly massive amounts of data produced by new technologies, has raised a $200

Cathay Innovation leads Laiye’s $35M round to bet 2019-06-27 10:22:46For many years, the boom and bust of China’s tech landscape have centered around consumer-facing products. As this space gets filled by Baidu, A

Amperity update gives customers more control over Customer 2019-06-27 09:03:26The Customer Data Platform (CDP) has certainly been getting a lot of attention in marketing software circles over the last year as big dawgs like Sale

Bright Machines wants to put AI-driven automation in 2019-06-26 11:16:00There’s a mythology around today’s factories that says everything is automated by robotics, and while there is some truth to that, it&rsqu

Vulcan Cyber announces $10M Series A to automate 2019-06-26 09:20:42Many software vulnerabilities are already known, and vendors have even issued patches, but the problem is there are so many patches that it’s of

ExtremeTechInternet –

SpaceX Lost Contact With 3 Starlink Satellites 2019-07-01 14:32:03Losing three satellites in a matter of weeks doesn't sound great, and indeed, it would be preferable if none of them failed. However, SpaceX CEO Elon

Udemy Class Review: Rocket Engineering and Interstellar Space 2019-07-01 13:02:48Udemy’s Rocket Engineering and Interstellar Space Propulsion course provides a considerable amount of information on both topics crammed into a

Microsoft Adds Tracking Prevention to Latest Chromium Edge 2019-06-28 14:07:34The latest feature to appear in a pre-release build is tracking prevention. You'll have to tinker with the settings to turn it on, but the process sh

How Shipping a Huawei Phone Via FedEx Made 2019-06-26 16:11:42How a Huawei phone and a FedEx delivery turned into an international incident. The post How Shipping a Huawei Phone Via FedEx Made International News

Udemy Class Review: The Foundations of Computer Design 2019-06-26 11:01:13We look at Udemy's The Foundation's Of Computer Design course to see how well it performs its job of teaching the basics of computer design. The pos

Firefox Zero-Day Used to Install Mac Malware 2019-06-21 17:43:28Mozilla issued an emergency Firefox patch earlier this week, citing a dangerous zero-day exploit. Because it believed hackers were exploiting the flaw

‘Reset’ Nest Cams Could Still Send Video to 2019-06-21 08:36:26The Wirecutter confirmed with a Nest Cam that, yes, Wink retains access to the camera after a reset. This is the case even if someone else sets up the

A Rogue Raspberry Pi Let Hackers Into NASA’s 2019-06-20 12:26:28NASA’s Jet Propulsion Laboratory (JPL) works with some of the most advanced technology in the world including Mars rovers and space telescopes.

Mozilla Issues Emergency Zero-Day Firefox Patch 2019-06-19 15:50:22Mozilla advises all Firefox users to update to the latest version of the browser as soon as possible. The company has just become aware of a zero-day

Protect Your Online Privacy With the 5 Best 2019-06-17 12:21:48Investing in a VPN is a smart choice right now, but the options are vast. To help narrow things down a bit, we've rounded up five of our very favorit

People Aren’t Patching for the BlueKeep Windows Exploit, 2019-06-06 13:32:22Now even the NSA is getting worried that the so-called BlueKeep flaw could result in a dangerous worm that spreads across the globe, wreaking havoc on

Microsoft Says Forced Password Resets Don’t Improve Security 2019-06-04 13:07:28For decades, the baseline password practices Microsoft provided to customers suggested forcing employees to change their passwords every 60 days. Acco

Disclaimer and Notice:WorldProNews.com is not responsible of these news or any information published on this website.