Once again, another tech behemoth has fallen prey to a massive security breach. Adobe just experienced one of the largest password attacks ever, leaking sensitive information of over 152 million Adobe customers. That data includes encrypted passwords that security researchers found easy to compromise — in fact, so easy that someone made a crossword puzzle out of the compromised passwords.
Passwords are broken. The only way to fix them is to replace them outright; but don’t be fooled: the password problem isn’t just an implementation issue. It raises a fundamental question on the nature of the web: what does identity online even mean?
Passwords have so many issues that it is difficult to justify their continued use. When developers create their own password systems, they tend to mess up. Adobe themselves did — although they encrypted the passwords, they stored users’ password hints in plain text, allowing intruders to crack a huge number of passwords.
Software developers often fail to even obfuscate passwords properly. Sometimes they choose weak algorithms like MD5; often they fail to “salt” passwords properly. Even worse, systems should destroy passwords so they can’t ever be revealed, but some don’t do that at all (I’m looking at you, http://gostanford.com/. Your “Forgotten Password” dialog shouldn’t email me my password, nor be able to find it! Shame on you, Stanford Athletics.).
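To make the point about weak algorithms and salting concrete, here is an added example (not from the original article or any system it names) that stores the same constructed accounts two ways: unsalted MD5, and a per-user random salt with PBKDF2-HMAC-SHA256. The function names, the sample users and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example

# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "t4ngerine-Moss"}

def weak_record(password):
    """Unsalted MD5: fast, and identical passwords give identical stored values."""
    return hashlib.md5(password.encode()).hexdigest()

def strong_record(password):
    """Random 16-byte salt per user plus a deliberately slow one-way function."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time.
    The original password is never stored, so it can never be emailed back."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def shared_value_groups(stored):
    """Return groups of users whose stored value is identical.
    Any group means one user's hint or one cracked entry exposes the others."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def audit():
    """Store every sample account both ways and report which users collide."""
    weak = {u: weak_record(p) for u, p in USERS.items()}
    strong = {u: strong_record(p) for u, p in USERS.items()}
    weak_groups = shared_value_groups(weak)
    strong_groups = shared_value_groups({u: r[1] for u, r in strong.items()})
    return weak_groups, strong_groups, strong

if __name__ == "__main__":
    weak_groups, strong_groups, _ = audit()
    print("unsalted MD5 collisions:", weak_groups)
    print("salted PBKDF2 collisions:", strong_groups)
```
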
Users also play a part in compromising password systems. People tend to choose horribly insecure passwords, as evidenced by the top 20 passwords from the Adobe leak. And that’s not even getting into phishing and social engineering.
Additionally, every website has a separate password system, and because they are unwilling to work together with other websites for a common identity solution, they ask you to come up with a different password for every site, advice that most people ignore (people, just use one password service already!).
On top of that, either because software developers want to force users to use secure passwords, or because they lack the technical competence to sanitize data before storing it, websites set stringent and inconsistent rules for what characters are allowed in passwords and how long they have to be, frustrating users to no end.
In business terms, many users refuse to even try services because of annoying and disparate password systems. The madness has gone too far.
But fundamentally, what do username-password systems imply? Since a username and password have no direct relationship to one’s “real life” identity, it suggests that people “own” identities online. Digital identity is nothing more than property. It can be traded, and users are responsible for protecting their identity online.
This loose relationship makes the need for users to come up with and remember confusing and diverse passwords both obvious and necessary — if someone else knows your credentials, then they literally are you in the eyes of most web services. Because some services, like social networks and e-commerce, straddle the interface between the virtual identities you own and your real identity, a system like this produces difficult security issues to solve.
It’s not all bad news, though. By making identity an object that one owns rather than a piece of one’s actual identity, users can protect their privacy by dissociating their online activities from their reputations. That disparity encourages people to speak and act freely on the web.
Many large Silicon Valley companies like Google, Facebook and Yahoo push “federated identity” as a replacement for passwords. The term refers to single sign-on solutions like Facebook Connect or OpenID-compliant systems like the Google, Yahoo and StackExchange login systems. Indeed, these systems offer convenience, speed and security by allowing users to sign on without creating and keeping track of many passwords, and developers can use the heavily tested and scrutinized login systems that Google and Facebook provide.
But there’s a problem: companies like Google and Facebook want to know who you really are. Both companies instated policies years ago requiring that users disclose their real names, and they also request personal information like your phone numbers and bank accounts.
Using federated login with accounts that are tied to your real identity fundamentally breaks the separation of your virtual and physical identities. It allows increased surveillance of your behaviors throughout the web, threatening the protection of free speech and the process of innovation online.
Free Software Foundation Chairman Richard Stallman explains that in the modern era, the maintenance of democracy depends deeply on anonymity. If whistleblowers cannot remain anonymous, it becomes difficult to hold governments accountable for their transgressions.
So what’s the solution? Federated login isn’t necessarily the problem; the problem is that Facebook and Google connections are so ubiquitous, that those companies are determined to mind your real identity, and that users are generally uneducated or passive about the security issues at hand. Whenever they can, developers ought to offer logins through OpenID providers that don’t try to identify you, and users need to be more cognizant of the information they disclose when they click the Facebook Connect button.
Even better, though, would be a fully peer-to-peer identity network. If no central authority owns your identity, then ideally nobody could snoop on it. Following the trend of distributed systems like Bitcoin and BitTorrent, maybe the concept of identity online can be decentralized as well.
The next time you make an account online, or build a website with an account system, don’t use passwords. More importantly, think deeply about the choices you make; the future of our society depends on it.
Contact Omar Diab at [email protected]