There has been a lot of talk about Internet security recently, especially with Wikileaks releases and the hacking of prominent websites, including Gawker Media, McDonalds, and many others. In fact so far this year, there have been hundreds of reported security breaches and millions of records stolen. This includes banks, medical centers, doctor’s offices, government offices, and corporations.
From a data management application development standpoint, there is a lot that could be written about defending and protecting systems from attacks, including protecting from SQL injection attacks, data storage security methods, and many, many others. However, I also think that there are more fundamental security and privacy issues that may need to be resolved first.
Security and Privacy
The essence of computer security is really a philosophical debate: how much privacy and anonymity do we want to trade for security?
The fact is that protecting our own security is fairly easy, if we are willing to take the necessary steps, but we would lose a lot of online privacy and anonymity in the process. The technology exists to provide users with a single secure log-in that can be used over a broad range of websites, which could be attached to physical verification devices, such as biometric scans, key-generators, or other methods which would make stealing these ID’s extremely difficult.
This would be like an enhanced version of Facebook Connect, which allows you to log in to hundreds of websites using a single login. Of course, Facebook isn’t the only one with such a service, as Microsoft®, AOL, Twitter™, Yahoo®, Google™, Apple® and many others have all at one time launched some kind of “web-ID” system that would give users a single ID that they could use across the Internet.
The problem is that in doing so you give a massive amount of information to whatever service you use to log in to those services. So, for example, Facebook Connect tells Facebook about every site you visit and much of your online viewing habits.
In using these services, you gain some security and convenience, but you lose anonymity and privacy. Of course, it is your choice, and you are able to decide one or the other, but the challenge is that often we want to have both.
The Weakest Link
The weakest link in most security systems is the user. For example, a 2009 security breach of the popular online site RockYou revealed over 32 million usernames and passwords. Of those, over 20% of users shared the same 5000 passwords. These passwords were neither creative nor secure, and included things like “12345”, “123456”, “password” and “abc123.”
The fact is that we tend to use very common and not-creative passwords. With the list of the 5000 most popular passwords, hackers could essentially crack 20% of accounts in a matter of minutes, or hours at most. In fact, the Conficker worm uses a list of 200 common passwords to break into corporate networks, and is nastily persistent in its ability to spread.
Even tech savvy users tend to fall into these mistakes, as shown by the Gawker Media hack which also exposed millions of passwords. As reported by the Wall Street Journal, the most popular passwords were still “123456,” “password,” “qwerty,” and other equally popular terms.
Expanding further, according to a security study by Sophos, 33% of people use the same password for every website they visit, and 48% said they only use a handful of different codes.
So what is the weakest link? The weakest link is you and your email account, which tends to be tied to every other account online. Using weak passwords on forums or news sites may not be especially damaging, however if using the same, similar, or equally weak passwords for you email accounts can expose you to much more damage.
If a person gains access to an email account that was linked to your bank account, social media accounts, retirement accounts, business logins, or any other important and private account, they could take control of those accounts as well simply by resetting the password on those accounts, and changing the email address associated with those accounts, and you’d never know your accounts were compromised until you tried to log in, which gives them a couple days or more to do damage.
The biggest change to online security will come through a societal shift in how we view online security. In general, people are deciding that security (ensuring people are who they say they are, and that they have the proper login credentials) is slightly more important than maintaining full anonymity or privacy.
Of course there are still plenty of privacy issues and nuances, which will need to be resolved as well. But even though key-fobs and biometrics work well for single-site logins, but multiplying that by the dozens or hundreds of websites you visit creates many other problems.
Single web-ID logins (like those offered by Facebook, VeriSign™, Google, Microsoft, or others) with the addition of key-fobs or biometrics may become the best choice for security, even if it means we lose a bit of anonymity and privacy in the process.