Thursday, July 16, 2009

Lessons from Twitter's security breach | Webware - CNET


This so-called Twitter security breach didn't have anything to do with the security of Twitter itself. Here is (supposedly) what happened. A hacker got the Yahoo email address of one of Twitter's employees, managed to obtain the password, logged in, and by reading some emails was able to get into the employee's Google account, where he found a bunch of Twitter confidential information.

So why was it so easy to break into the Yahoo email account? Well, Yahoo (like most other web portals) has a way to retrieve your password. You simply answer a few questions (like your mother's maiden name) and you will again have access to your account. This is how the Twitter hacker got in, and this is also how Sarah Palin's Yahoo email account was hacked. And why does Yahoo offer this service? Well, a lot of people forget their password, and this is the only way that most portals know how to solve that problem.

In order to make them easy to remember, people will use simple, short passwords, and they will make all their passwords the same. And if they do choose difficult-to-guess passwords, then they will forget them, and the portal will have to provide a password recovery service like Yahoo does. The end result, as we can see from the Twitter and Palin examples, is a hacker's delight. So passwords are evil! But can we really do without them?

A company called FortKnock, which is still in stealth mode, is promising a totally secure online experience without the need for passwords. When you log in, instead of being asked for a username and password, you are presented with four multiple-choice questions about your likes and dislikes. For example, "who is your most favourite singer", or "which type of food do you dislike the most". Answers to questions like these are not easy for others to guess, and to make it even more difficult for the potential hacker, the wrong choices are answers that other people who are very similar to you have given to the same question.

So if, for example, the hacker has figured out that you are from the Netherlands, they might assume that your favourite singer is someone from the Netherlands. But because FortKnock takes the answers from other people who are also from the Netherlands and presents them as the wrong choices, the hacker will be presented with 10 popular Dutch singers to choose from. There is a lot of statistical mathematics behind this seemingly simple authentication scheme, which shows that a system like this is just as secure as an 80 digit password that changes every time you log in. (Imagine the trouble of trying to remember an 80 digit password ;-) On the user side this is as simple as it can get: you can of course remember your likes and dislikes, unlike all those pesky passwords that must or must not start with a number, must contain or not contain upper case letters, etc. etc.
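To make the distractor idea concrete, here is an added example (not FortKnock's code, which is not public) of how such a challenge could be built: the wrong choices for each question are the most popular answers given by users from the same country as the account holder, and a login succeeds only if every question is answered with the stored answer. All names, countries and answer counts below are constructed sample data.

```python
import random
from collections import Counter

# Constructed sample data: answers other users gave to each question, grouped
# by country. Answer nl_singer_00 was given 12 times, nl_singer_11 once, etc.
PEER_ANSWERS = {
    "NL": {
        "favourite_singer": [f"nl_singer_{i:02d}" for i in range(12) for _ in range(12 - i)],
        "disliked_food": [f"nl_food_{i:02d}" for i in range(12) for _ in range(12 - i)],
    },
}

# Constructed profile of the account holder (stored answers, collected at enrolment).
USER = {"country": "NL", "favourite_singer": "nl_singer_03", "disliked_food": "nl_food_05"}


def distractors(true_answer, peer_answers, n):
    """Return the n most popular peer answers, skipping the account holder's own."""
    ranked = [a for a, _ in Counter(peer_answers).most_common() if a != true_answer]
    return ranked[:n]


def build_challenge(true_answer, peer_answers, n_choices=10, rng=random):
    """One multiple-choice question: the real answer hidden among popular peer answers."""
    options = distractors(true_answer, peer_answers, n_choices - 1) + [true_answer]
    rng.shuffle(options)  # position must not leak which option is the real one
    return options


def build_login_challenge(profile, peers, questions, n_choices=10, rng=random):
    """Build all questions for a login, using peers from the holder's own country."""
    group = peers[profile["country"]]
    return {q: build_challenge(profile[q], group[q], n_choices, rng) for q in questions}


def verify(profile, challenges, selections):
    """Login succeeds only if every presented question was answered correctly."""
    return all(selections.get(q) == profile[q] for q in challenges)


if __name__ == "__main__":
    ch = build_login_challenge(USER, PEER_ANSWERS, ["favourite_singer", "disliked_food"])
    for question, options in ch.items():
        print(question, options)
    print(verify(USER, ch, {"favourite_singer": "nl_singer_03", "disliked_food": "nl_food_05"}))
```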

I found this company's technology so intriguing that I decided to accept their offer to make me a senior advisor, which means I will probably write some more about FortKnock in future blog entries.
