Summary: TEHRAN (FNA)- The right time to tell me my password has been exposed is before I use it; this extension can help.
By this point, it's more likely than not that at least one of the accounts you use online has been compromised by a data breach. Maybe you've heard of Have I Been Pwned? and you've gone and looked to see which of your accounts have shown up in a data breach, or signed up to get notified when they do. Maybe you got an official notification from one of those breached services that an account of yours has been affected; maybe you didn't - or maybe you got a notification so vague that you can't tell if your account was affected or not.
Even if your account hasn't been leaked by poor security at a website, lots of people use the same bad passwords (like 123456, password1 and qwerty), so if you pick one of those, your password could be compromised without your account having been leaked.
There's a 30GB database of half a billion leaked passwords that web sites can use to see if a user is creating an account using a weak password that's already shown up in a breach.
Okta's new PassProtect library makes it easier for web sites to use Have I Been Pwned to check whether user passwords are unsafe right when you type them in to log in to your account - which is the most useful time to get a warning, because you're not going to forget to change it. And making it easier for developers to use the service makes it less likely that they make a dumb mistake and end up making things less secure.
As not all web sites are going to use either of those, PassProtect is also available as a browser extension (initially for Chrome, with Firefox support also planned).
Of course, passing your password around the internet to check whether it's safe needs to be done securely. PassProtect uses Cloudflare's k-anonymity to check if the password is in the Pwned Passwords database without sending the password, or even the full hash of it.
The extension computes the SHA1 hash of the password, takes just the first five bytes of that and sends an (encrypted) request to the service to get a list of the longer hashes that have those first five bytes. That's an anonymised bucket of passwords that stops a malicious actor using the extension to find out if their guess at your password is correct, and the Pwned Passwords service never gets enough information about a password that isn't in the database to be able to crack it.
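The k-anonymity exchange described above, as an added illustration that is not PassProtect's or Okta's own code: the client hashes the password with SHA-1, sends only the first five hex characters of the hash (the prefix the Pwned Passwords range API keys on), and matches the remaining 35 characters locally against the bucket that comes back. The remote service is replaced by a constructed in-memory stand-in built from three sample passwords so the example runs offline; `CONSTRUCTED_BREACHED` and its counts are made up for the demo.

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix goes on the wire, the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a /range/{prefix} lookup returns."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in breaches; 0 means not in the bucket."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the remote service (offline; not the real API or its data).
CONSTRUCTED_BREACHED = {"123456": 23000000, "password1": 2400000, "qwerty": 3800000}


def make_fake_server() -> Tuple[Callable[[str], str], List[str]]:
    """Build a prefix -> bucket table from the constructed list and log what the client sends."""
    table: Dict[str, List[str]] = {}
    for pw, n in CONSTRUCTED_BREACHED.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        table.setdefault(prefix, []).append(f"{suffix}:{n}")
    requests_seen: List[str] = []  # only 5-char prefixes ever land here

    def fetch_range(prefix: str) -> str:
        requests_seen.append(prefix)
        return "\r\n".join(table.get(prefix, []))

    return fetch_range, requests_seen


if __name__ == "__main__":
    fetch, seen = make_fake_server()
    for pw in ("password1", "correct horse battery staple"):
        print(f"{pw!r}: {breach_count(pw, fetch)} breach hits; sent prefix {seen[-1]}")
```

The `requests_seen` log is the point to inspect: each entry is 20 bits of hash, never the password or its full digest.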
In the long term, moving away from passwords to contextual security and biometrics will protect us better. That means that when you're trying to access a really important document you'll need to use multiple factors like clicking 'ok' on a push message on your phone or a face or fingerprint scan on a device you've already used, that's up to date on patches and anti-malware protection, on a known network.
But when you're logging into the same site you log into at the same time every day, from the same physical location using the same network connection and the same IP address, and what you're looking at isn't unusually confidential, you won't have to type in a password at all.
Identity services like Azure AD and now Okta support that kind of contextual security, because making security more usable makes it more secure; annoyingly difficult security is what people try to get around. IT policies shouldn't force users to change their password every 90 days if it hasn't been phished or stolen from the password database. As Okta vice president Rich Dandliker put it at the company's recent Oktane conference, the number of forced password changes directly correlates with the number of passwords that get written down on Post-it notes.
Biometrics and hardware options have their own issues; you can lose a hardware key, and almost every biometric system from fingerprints to iris recognition to hand vein prints to voice biometrics fails for around 20 percent of the population (not to mention storing a hash that matches the biometric features rather than an image of your fingerprint, since you can't reset your fingers if that database gets breached).
But as these options become a standard (through FIDO and the W3C), it's another step away from the ongoing dumpster fire that is internet passwords. A combination like Windows Hello, which falls back to a PIN if the recognition fails, is a good compromise - even if that's a short PIN, because it's stored only on the PC where you register the biometric, and it's stored in silicon. To break that, you'd have to steal the PC and type in guess after guess until you got it right. As Okta's Alex Bovee said at Oktane, "If as an industry we've reduced the attack surface on our users to having to physically steal a device, that's a pretty good achievement."
Once browsers and web sites support the FIDO and WebAuthN standards, they can exchange tokens based on biometrics and hardware to log you in and you won't have to worry nearly as much about whether a site has leaked your password. Until then, an extension like PassProtect is well worth installing.
(c) 2018 Fars News Agency. All rights reserved. Provided by SyndiGate Media Inc. ( Syndigate.info ).