Revelations that Twitter stored the passwords of all 330 million of its users without encryption highlight how the outdated verification method needs to be replaced, according to security experts.
In a blogpost on Thursday, 3 May, Twitter’s chief technology officer blamed a bug in the company’s system that stored passwords in plain text on an internal log. Parag Agrawal said there was no evidence of misuse but urged users to change their password out of “an abundance of caution”.
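The failure described above is a password that is written to a log before it is hashed, so the log becomes a second, unprotected copy of the credential. The following is an added example, not Twitter's code or anything from the blog post, showing the two defender-side controls that address this: a logging filter that masks password-like fields before any record reaches a handler, and a salted PBKDF2 hash so that the stored form cannot be read back. The field-name pattern, iteration count and log line are constructed for the illustration.

```python
import hashlib
import hmac
import logging
import os
import re

# Assumption for this example: 600k PBKDF2-HMAC-SHA256 rounds; tune to your budget.
PBKDF2_ITERATIONS = 600_000

# Matches key=value or "key": "value" where the key names a secret (constructed list).
_SECRET_PATTERN = re.compile(
    r'(?i)("?(?:password|passwd|pwd|secret|token)"?\s*[:=]\s*"?)([^",\s]+)'
)


def redact(message: str) -> str:
    """Replace the value of any password-like field with [REDACTED]."""
    return _SECRET_PATTERN.sub(r"\1[REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Formats the record, masks secrets, and drops args so nothing leaks via %s."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def hash_password(password: str) -> str:
    """Return a self-describing salted hash; the plaintext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class _ListHandler(logging.Handler):
    """Captures formatted lines in memory so the demo needs no file or console."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_log_line() -> str:
    """Log a constructed login attempt through the filter and return what was written."""
    logger = logging.getLogger("auth.demo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    logger.handlers = [handler]
    logger.filters = [RedactingFilter()]
    logger.info("login attempt user=%s password=%s", "alice", "hunter2")
    return handler.lines[0]


if __name__ == "__main__":
    print(demo_log_line())
    record = hash_password("correct horse")
    print(record, verify_password("correct horse", record))
```

The filter is attached to the logger rather than to a single handler so that every destination (file, syslog, stdout) sees the same masked text; the hash function stores its own algorithm, cost and salt so that the cost can be raised later without breaking existing records.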
Fittingly, Mr Agrawal’s announcement came on World Password Day, which aims to draw attention to vulnerabilities that result from having a weak password—but simply changing a password may not be enough to protect people’s online accounts.
“Even though Twitter users’ details were not exposed to malicious actors in this instance, it just goes to show that relying solely on usernames and passwords is irresponsible,” James Romer, chief security architect at cybersecurity firm SecureAuth and Core Security, told The Independent.
“With the majority of data breaches occurring due to lost and stolen credentials, businesses need to look seriously at how they provide identity security. Ultimately, we need to ditch the password completely.”
It is a view shared by Brett McDowell, executive director of the Fast Identity Online (FIDO) Alliance, a global non-profit trade association developing technical standards for new authentication methods.
“Passwords are no longer fit for purpose, a fact highlighted in numerous studies that attribute password compromise as the root cause for the vast majority of data breaches that have taken place in recent years,” Mr McDowell said in an emailed statement.
“This story demonstrates exactly why we don’t want our credentials being stored and managed in central databases; they become vulnerable to mass exposure.”
It is not the first time security experts have looked towards a post-password future, with major cyber security breaches continuously exposing the vulnerability of passwords as a method of verification.
Even the man credited with inventing the computer password in the 1960s refers to them as “a bit of a nightmare,” and says he never expected them to become so ubiquitous. Fernando Corbató created the first known computer passwords more than 50 years ago, long before the advent of the World Wide Web.
“We didn’t foresee the current internet,” Mr Corbató told The Wall Street Journal in 2014. “Passwords are not a super high level of security, but are enough to protect against casual snooping.”
Despite their flaws, there is currently no clear successor to passwords. Increasingly, companies are adopting biometrics such as fingerprints or facial features to confirm a person’s identity, but this requires specialist hardware that is usually only found on high-end smartphones.
Other more leftfield options include embeddable chips, electronic tattoos and password pills that transform a person’s body into an authenticator. All of these were developed by the inventor Regina Dugan, who has worked at both Google and Facebook, but none are likely to see widespread adoption.
Instead, companies need to look towards what Mr Romer refers to as “adaptive authentication”, which combines techniques such as geographic location analysis and device recognition in order to determine who is logging onto an account.
While new verification methods will make devices and online platforms safer from hacks and attacks, ultimately they will need to be simple and easy to use if they are ever to be used on the same scale as usernames and passwords currently are.
“Ultimately, if done properly moving away from passwords would make things far easier for end users,” Mr Romer said.
“Passwordless solutions are more secure, and provide less friction for the user, and forgotten and stolen passwords would be a thing of the past.”
This article originally appeared in The Independent on May 4th, 2018