‘Kill the password,’ says White House security adviser

PITTSBURGH — High on the White House’s hit list: The series of letters, numbers, and symbols you type in when you access everything from your bank account to your Netflix list.

“Kill the password dead as a primary security measure,” urged Michael Daniel, the president’s cybersecurity coordinator, at the International Conference on Cyber Engagement, held recently at Georgetown University in Washington. As more and more devices connect to the Internet, we need to develop new ways of confirming our identities, he said.

Technologists wonder, though, whether using fingerprints, faces, or devices to log in would help or hurt the cause of data security and privacy. Businesses, meanwhile, have mostly taken a pass on investments that would allow them to move beyond the password.

“I would love to kill the password dead, but I don’t know what we can replace it with that would be viable now,” said Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory, which has studied passwords.

Hackers send “phishing” emails or make phone calls to fool people into giving up their passwords, or use sophisticated software to flood systems with educated guesses.

According to last year’s federal indictment of five members of China’s People’s Liberation Army, that country’s cyberespionage Unit 61398 “stole the usernames and passwords for at least 7,000 employees” of Allegheny Technologies Inc., a specialty metals company in Pittsburgh, “allowing them to monitor activity on those systems and to steal ATI’s information in the future.”

“The beauty of the password hack is, it’s not elegant,” said David Kane, CEO of Ethical Intruder, a Pittsburgh company that helps clients find vulnerabilities to hackers. “But if I get the password of the CEO, people will never know that I hacked into the system.”

Though the five Chinese hackers have not been arrested, the indictment handed down by U.S. Attorney David Hickton was heralded at the conference as an important warning shot.

However, it hasn’t awakened every corporate IT department to the vulnerability of password-protected networks.

Technologists all over the world are floating apps that unlock your phone only when they see your face, fingerprint readers and retina scanners that connect to PCs, and wearable devices that automatically fill in your passwords but lock your computer when you step away. All have weaknesses.

There’s no guarantee that a fingerprint, once digitized, stored on a device and transmitted, can’t be snatched by a hacker, said Jeramie Scott, national security counsel for the Electronic Privacy Information Center.

The Block News Alliance consists of The Blade and the Pittsburgh Post-Gazette. Rich Lord is a reporter for the Post-Gazette.

First Published July 11, 2015, 4:00 a.m.
