Why I am not surprised
by Eugene Shablygin, on Mon 18 February 2019
Is our world insane? How many times must people be hit by the same problem to start thinking differently?
Whether we admit it to ourselves or not, we all like news. Sure, today’s media over-represents negative aspects of our reality until we get depressed about how the whole world has gone mad, the opposing political party is running the country into the ground, the planet is dying and humanity is on the brink of extinction -regardless of the reality. However, even if we’re trying to avoid it, we all have an addiction to attention grabbing headlines in one form or another. On some level, living without the news is like being an ostrich who buries its head in the sand. Although avoiding the unpleasant aspects of our reality can allow us to feel more safe, comfortable, positive, and optimistic, it leaves us vulnerable. It also creates an information vacuum, which is hard to resist filling when the right headline comes along. Whether it’s a new tragedy, scandal, or the outcome of the big game, sooner or later we’ll be unable to resist. For me, these irresistible headlines come in the form of cybersecurity incidents and news about data breaches. These breaches keep getting bigger and bigger, costlier and costlier, and create more and more pain for more and more people. After watching people make the same obvious mistakes over and over, I can’t help but wonder how much longer everyone will continue to repeat this insanity.
Recently, Wired reported that hackers are passing around a megaleak of 2.2 billion records. From the security perspective, despite its huge size, it's not a really big deal. Even without this particular collection, the bulk of the published leaked credentials were already in the hands of the "bad guys" for a long time. It doesn't bother me that, with this event, more data fell in the hands of novice hackers. They use it to hit easy targets, and that is exactly what is happening across the globe. Some companies acknowledge that they are under attack. Recently, Basecamp experienced a mass-login attack and had to remind all their users to protect themselves (smart move!), but most don’t bother, or most likely, don’t even know.
The problem is -- with all these "smart moves" people are still trying to mask symptoms without curing the disease itself. What are the recommendations we hear again and again and again? Change your password! Make it stronger! Use second factor! The problem is -- these methods do not work. If they did, then the number and severity of breaches would go down, not up.
Indeed, Wired nailed the essence of the problem, although they didn't emphasize it. Take a look at what was leaked and used to breach thousands of companies -either in the past, right now, or in the future. This is a "collection of 2.2 billion unique usernames and associated passwords". You see? “usernames and associated passwords,” Not passwords alone. It is the combination of information, used to first identify the user, and then verify him or her.
This is the disease of our contemporary user management ecosystem -- the use of usernames and passwords as a method for identification and verification. As long as these “infected” systems ask you to type in "something you know," the bad guys can and will know it too, probably even better than you. Change your password after a breach? You should, but you will remain vulnerable because your username is out there, and no SMS, push notification or one time "random" password will save you from that bad news. When someone has your username, they’re basically almost in.
Each time I see a new headline I pretty much already know what it is going to say, but I still can’t help but look. My morbid curiosity just has to know -how long will the world continue the insanity, changing passwords again and again? It’s a totally futile attempt to protect what, by design, can not be protected. Maybe with each headline there’s a glimmer of hope deep down inside that maybe this time someone with the power to enable real progress will finally realize the obvious truth that insanity is not a way for any organization to manage its relations with its people. The time to stop using both usernames and passwords is NOW, the capability to end the insanity already exists -how long will companies like Google, Microsoft, Apple, Amazon and Facebook keep these depressing headlines coming?