Have you been pwned?
Want to check whether your email has been included in any such credential grab? Then use a free service such as Have I Been Pwned (haveibeenpwned.com). This will let you know, even if the breached service itself hasn’t been forthcoming with the disclosure.
How does it work? Well, the site compiles a database of information gleaned from breaches where the compromised credentials have been made publicly available, often by the hackers themselves. It doesn’t store the passwords, just the email (or username) associated with them. You enter an email address or username and it informs you if it has turned up in a list, alongside the breach of service with which it was associated.
The site owner performs certain checks for legitimacy before including a breach in the database – for example, whether it’s been acknowledged by the impacted service, whether the data has been copied from another source or is fresh to market, the track record of the hackers concerned, and even whether the hackers have sufficiently demonstrated the attack vector used.
Microsoft gets it right, almost
On the face of it, Microsoft has responded to the whole LinkedIn story in a positive, if opportunistic, manner. Nobody can blame it for grabbing the media by the horns, and more importantly, the company has taken the opportunity to start getting rid of insecure passwords.
The Microsoft Identity Protection team is to ban commonly used passwords and those otherwise deemed too weak for both regular Microsoft Account holders and users of Microsoft Azure Active Directory services (the latter on a limited private preview basis, I believe, so don’t get too excited just yet).
In reality, it means the dynamically updated banned password list maintained by Microsoft will include common variations found in breached lists, alongside those that don’t meet the secure construction basics.
Interestingly, as I understand it, the blocking database also uses data that’s gleaned from those hackers using brute-force attack methods against Microsoft servers. Given that Microsoft reckons it can easily see 10 million such attacks against the Microsoft account and Azure AD systems on a daily basis, this is a resource that shouldn’t be overlooked.
So why do I say Microsoft has got it only “almost” right? Simple: the kind of “weakpass filtering” Microsoft is employing is only as good as that database it uses. Following the announcement, one researcher found that he could still use Pa$$w0rd1, which shows there’s plenty of work to do in identifying what constitutes a weak password.
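To show why an exact-match banned list lets something like Pa$$w0rd1 through, here is an added illustration (not from the original column and not Microsoft’s implementation) comparing a naive lookup with a check that normalises leet substitutions and trailing digits first; the banned list and substitution table are constructed for the example.

```python
import re
import unicodedata

# Constructed sample banned list for illustration; a real list is far larger.
BANNED = {"password", "letmein", "qwerty", "linkedin", "welcome", "monkey"}

# Common character substitutions seen in breached lists ("leet speak"); assumed table.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                      "0": "o", "1": "i", "!": "i", "3": "e", "7": "t"})


def naive_is_banned(password: str) -> bool:
    """Exact-match check: only catches passwords that appear verbatim in the list."""
    return password.lower() in BANNED


def normalise(password: str) -> str:
    """Reduce a password to its alphabetic core so that variants collapse together."""
    core = unicodedata.normalize("NFKD", password).lower()
    core = re.sub(r"[\d\W_]+$", "", core)   # drop a trailing suffix such as "2016!" or "1"
    core = core.translate(LEET)              # undo substitutions: "pa$$w0rd" -> "password"
    return re.sub(r"[^a-z]", "", core)       # keep letters only


def is_banned(password: str, banned=BANNED) -> bool:
    """Variant-aware check: rejects leet and suffix variants of banned tokens."""
    core = normalise(password)
    if not core:          # nothing but digits/symbols: no alphabetic core at all
        return True
    if core in banned:
        return True
    # A banned word embedded in a longer password ("linkedin2016!") is still a weak
    # core; only match tokens long enough to avoid obvious false positives.
    return any(len(token) >= 6 and token in core for token in banned)


if __name__ == "__main__":
    for candidate in ["Pa$$w0rd1", "LinkedIn2016!", "correct horse battery staple"]:
        print(f"{candidate!r}: naive={naive_is_banned(candidate)} "
              f"variant-aware={is_banned(candidate)}")
```

The stronger check still only knows what its list contains, which is the column’s point: the quality of the filter is bounded by the quality of the database behind it.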
Then there’s the small matter of workability, or should I say usability? The secret of security resides in the balance between convenience and complexity. Make user passwords too complex and convenience goes down the pan, which leads us back to the problem I talked about at the start: reusing usernames and passwords on a multitude of services.
Beyond the password
Brian Spector, CEO of authentication specialists MIRACL, hits the nail on the head when he says that “the IT industry needs to get over passwords altogether. They don’t scale for users, they don’t protect the service itself, and they’re vulnerable to a myriad of attacks.”
So where does that leave us in terms of finding the security sweet spot? Two-factor authentication or verification are options that should, I’d argue, always be employed if available. Thankfully, availability in the consumer services realm is beginning to catch up with the corporate side now.
After all, compromised consumer credentials all too often lead to compromised corporate networks. I’m not sure we’re ready to do as Brian suggests and have service providers “move beyond the password and contribute to the restoration of trust on the internet”. I’m certain that biometrics will play a part, though; the smartphone revolution is making sure of that.
How many top-end phones don’t have a fingerprint scanner these days? The technology is even dribbling down the product ranges to the point where fingerprints will soon be as much a user requirement as a camera. That features such as contactless payments via a phone are made easier and more secure with fingerprint scanning will drive that demand.
Whether fingerprints are “the” password-killing biometric tech of the future remains to be seen. This year, I’ve read about something called SkullConduct (pcpro.link/263bonce),