The password is dead: security expert

Numerous online companies have had private user information compromised

Hackers have recently exposed thousands of usernames and passwords on the Internet. Two of the most recent breaches include Yahoo Mail and Bell Canada.

This has called into question the security of passwords altogether.

Cyber security expert Jose Fernandez of l’école Polytechnique said as long as passwords, encrypted or not, are stored in databases, hackers will inevitably be able to gain access.

"The password, as we know it, is dead," he said.

Fernandez says two-factor authentication is the answer.

“You would use a device or a phone, and that phone generates a one-time password; it’s a code that changes every minute,” Fernandez said.

That code would be used in conjunction with your password, so even if your password is revealed, a hacker could not gain access without your rotating security code.
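The rotating code Fernandez describes is, in practice, a time-based one-time password (TOTP, RFC 6238) built on the HMAC-based HOTP algorithm (RFC 4226). The following is an added example, not code from the article or from any of the services it mentions: it generates and verifies such codes, then combines the check with a salted password hash so that a correct password alone, a correct code alone, or a replayed code are all refused. The user record, the `make_user` and `login` helpers, the 30-second step (the article says "every minute"; authenticator apps commonly use 30 seconds, so the step is a parameter) and the sample credentials are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Added example: RFC 4226 HOTP / RFC 6238 TOTP plus a two-factor login check.
# Constants, user record layout and sample credentials are constructed here.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (at // step)."""
    return hotp(secret, at // step, digits)

def match_totp(secret: bytes, code: str, at: int, step: int = 30,
               digits: int = 6, window: int = 1):
    """Return the counter whose code matched (current step or +-window steps,
    to tolerate clock drift), or None. Comparison is constant-time."""
    counter = at // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + k, digits), code):
            return counter + k
    return None

def provisioning_uri(secret: bytes, account: str, issuer: str,
                     step: int = 30, digits: int = 6) -> str:
    """Key URI in the format authenticator apps read from a QR code (assumed
    issuer/account labels). The secret is base32 without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&period={step}&digits={digits}")

PBKDF2_ROUNDS = 200_000  # assumed work factor for the password hash

def make_user(password: str, totp_secret: bytes = None) -> dict:
    """Constructed sample user record: salted PBKDF2 hash plus a TOTP seed.
    Note that the seed itself must be stored server-side; if the database
    leaks, the attacker gets both the hash to crack and the seed."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret if totp_secret is not None else secrets.token_bytes(20),
        "last_counter": -1,  # highest counter already used; blocks code replay
    }

def login(user: dict, password: str, code: str, at: int, step: int = 30) -> bool:
    """Both factors must pass. The code check runs even when the password is
    wrong, so the response does not reveal which factor failed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    matched = match_totp(user["totp_secret"], code, at, step)
    code_ok = matched is not None and matched > user["last_counter"]
    if pw_ok and code_ok:
        user["last_counter"] = matched
        return True
    return False

if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 test secret and a fixed clock.
    seed = b"12345678901234567890"
    alice = make_user("correct horse battery", totp_secret=seed)
    now = 59
    print(provisioning_uri(seed, "alice@example.test", "Example"))
    print("password only:", login(alice, "correct horse battery", "000000", now))
    print("both factors :", login(alice, "correct horse battery", totp(seed, now), now))
    print("replayed code:", login(alice, "correct horse battery", totp(seed, now), now))
```

The `window` tolerance is what lets a phone whose clock is half a minute off still log in; the price is that a freshly observed code stays valid for up to three steps, which is why `last_counter` refuses any counter at or below the last one accepted. This addresses replay of a code, not a live relay by an attacker sitting between the user and the site, which a time-based code cannot prevent on its own.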

Some services already offer two-factor authentication, including Google, Facebook and Twitter, but each uses different tools and platforms, which makes the whole process cumbersome for users.

“We want, as users, to have one app on the phone in which we have a code for my Google, Facebook, Twitter and for any website that I log onto,” Fernandez said. “Right now, there is not a standard that has imposed itself.”

Fernandez said for any standard to be established, competitors would have to band together.

Companies that hold confidential user information, such as retailers that collect credit card numbers, could do more to protect private data, Fernandez said.

“They’re not feeling the legal actions, and they’re not feeling the financial pain,” he said, so they’re not investing enough and hiring the right people to build the fortress around their servers.

A recent private member’s bill to amend the Personal Information Protection and Electronic Documents Act was put forward in the House of Commons, but was defeated by the Conservatives at second reading on January 29, 2014.

Comments:
  1. Ken Jennings posted on 02/04/2014 12:43 PM
    Well spoken, Jose.

    I think that we do not have to go as far as 2FA to solve the problem for most of the people.

    Just eliminating the storage of STATIC passwords with One-Time Password tools like URQUI and Clef would go a LONG way to stopping hackers.
  2. Miranda posted on 02/05/2014 12:30 PM
    I cannot agree more with Fernandez about the necessity of a two-factor authentication solution. However, you should be careful as to which 2FA solutions you’re using because many are in-band, which means they are still vulnerable to man-in-the-middle attacks (MITM). The only way around MITM is 2FA solutions that are out of band. And yes, most 2FA systems are annoying for the user, like Google Authenticator and Facebook (which are also in-band). I found a company who does it right, Toopher! They have the most user-friendly solution I have experienced so far. It’s like they shaped the whole process around making the user actually WANT to use it. Toopher has an option to automate authentication that is seemingly invisible to the user. I absolutely love it! If you happen to use WordPress or LastPass you should try out the Toopher plug-in and see for yourself!
