Page 162 - Cyber Defense eMagazine December 2022 Edition
The end of the passwords
While foreign espionage groups have been using free USB sticks and phone chargers to install
keylogging software on target computers for a while, this technique would only continue to work if
passwords remain the most important method of validating users. It can certainly be problematic for
online businesses and an even larger problem for businesses and government organisations if they
handle sensitive information.
Alphanumeric passwords are not only the standard for logging into websites, but in thousands of other
places, including the PINs used for bank cards, for unlocking phones and on entry keypads. Someone
peering over your shoulder could quite easily access your bank account, phone (and with it every other
password stored on it) or even your home or office.
Alphanumeric passwords are also far more likely to be compromised by an eavesdropper or ‘social
engineer’ rather than by hacking. Common encryption standards like RSA would take trillions of years to
‘brute-force’ passwords, so techniques like phishing were used in high-profile penetrations like the 2016
DNC hack. Increasing the complexity of passwords and mandating that each one be unique will only
make passwords so complex that most people won’t be able to use them.
Two-factor or multi-factor authentication increases the security of password-based systems by adding
other factors. However, it is rarely used because of the extra steps it adds to every login. Indeed, almost
every compromised Microsoft account did not have multi-factor authentication enabled, even when it was
available.
The rise of biometric security
Biometric security has been around for as long as alphanumeric passwords and arguably earlier, since
recognising somebody by their face has predated writing. Modern biometrics such as fingerprint security,
facial recognition and behavioural biometrics have become integrated into everyday life.
Although it is easier to use and more secure than alphanumeric passwords, biometric authentication may
still rely on information being sent from one place to another (a fingerprint reader sending a user’s
fingerprint to a cloud server where it will be verified). That data will be encrypted in transit, but if the
fingerprint reader or the cloud server at either end is compromised, biometric security may still be
exploited.
Many of us will already use fingerprint security to unlock our phones, and an increasing number of us will
use Near Field Communication (NFC) at least somewhere, whether that is using your phone to pay for a
purchase, unlocking a door with a key fob or logging into sensitive systems (the NHS uses NFC cards to
log users in to their computer network, for example). The FIDO security standard allows users to use
NFC or USB keys to log in to websites, meaning that only the holder of the key would be able to log into
an account. Of course, an NFC key card can be used by anyone who holds it, and there is no way of
verifying that the person using a key is its rightful user without another form of verification.
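To make concrete why a FIDO-style key can only be used by whoever holds it, and why holding it is all the website can prove, here is an added example that is not part of the original article and does not use the real WebAuthn or CTAP message formats. It models the challenge-response at the heart of the standard: the key generates a private key that never leaves the device, the website stores only the matching public key, and each login is a fresh random challenge signed by the key together with the site's identifier and a signature counter. The names (`Authenticator`, `RelyingParty`, `Assert`, `Verify`), the user "alice" and the site ID "example.com" are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for a FIDO hardware key (USB or NFC). The private
// key is created on the device and never leaves it; sites only see signatures.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // bumped on every assertion, like a real key's signature counter
}

// NewAuthenticator generates the device's P-256 key pair.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only thing the device hands over at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assertion is the key's signed answer to one login challenge.
type Assertion struct {
	Counter   uint32
	Signature []byte // ASN.1 DER ECDSA signature
}

// signedData is what both sides hash: the hash of the relying-party ID (which
// binds the signature to one site), the counter and the one-time challenge.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append([]byte{}, rpHash[:]...)
	out = append(out, ctr[:]...)
	return append(out, challenge...)
}

// Assert signs the challenge for rpID after advancing the counter.
func (a *Authenticator) Assert(rpID string, challenge []byte) (Assertion, error) {
	a.counter++
	digest := sha256.Sum256(signedData(rpID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Counter: a.counter, Signature: sig}, nil
}

// credential is all the website keeps per user: a public key and the last
// counter it accepted. There is no secret on the server to steal.
type credential struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// RelyingParty is the website: it registers keys, issues challenges and verifies.
type RelyingParty struct {
	ID    string // normally the site's domain; "example.com" below is constructed
	creds map[string]*credential
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*credential{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.creds[user] = &credential{pub: pub}
}

// NewChallenge returns 32 fresh random bytes, valid for a single login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts an assertion only if the registered key signed this site's ID
// and this login's challenge, with a counter that moved forward. That rejects a
// key the site never registered, a signature made for another site, and a
// replayed assertion. It proves possession of the key and nothing about who holds it.
func (rp *RelyingParty) Verify(user string, challenge []byte, as Assertion) error {
	cred, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	digest := sha256.Sum256(signedData(rp.ID, as.Counter, challenge))
	if !ecdsa.VerifyASN1(cred.pub, digest[:], as.Signature) {
		return errors.New("signature does not verify against the registered key")
	}
	if as.Counter <= cred.lastCounter {
		return errors.New("counter did not increase: replayed assertion or cloned key")
	}
	cred.lastCounter = as.Counter
	return nil
}

func main() {
	rp := NewRelyingParty("example.com")
	key, _ := NewAuthenticator()
	rp.Register("alice", key.PublicKey())
	ch, _ := rp.NewChallenge()
	as, _ := key.Assert(rp.ID, ch)
	fmt.Println("registered key:", rp.Verify("alice", ch, as)) // <nil>
	fmt.Println("replayed:      ", rp.Verify("alice", ch, as)) // counter error
}
```

The design choice worth noticing is what `Verify` does not check: a stolen key, presented by whoever picked it up, passes every test here, which is exactly the article's point that possession of an NFC card proves nothing about the person. Real FIDO authenticators therefore add a user-verification step (a PIN or fingerprint checked on the device itself) and report it as a flag in the signed data, so the site can insist on it for sensitive logins.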
Quantum computers now being developed could break the cryptography used to protect passwords in a
matter of days or even hours, which contemporary computers cannot. Therefore, every piece of data would
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.