
Leaked passwords are only the tip of the iceberg when you trust a central authority

Recently, it was reported that over 600 million user passwords were maintained in clear text within application logs at Facebook. Facebook has since announced that it will notify each affected user and fix the problem. While the company is not aware of any malicious access to these logs and claims that only Facebook developers have access to the data, there may be no way to tell whether the logs containing clear-text passwords were ever hijacked. After all, stolen usernames and passwords are not used only against the target website for malicious intent – they are often the keys with which fraudsters access even more important websites, such as bank accounts, e-commerce sites and other services where users have reused the same passwords. A simple search on Google will show studies that claim 52 per cent to 80 per cent of users use the same passwords for all of their online services. Many other users rotate only a handful of passwords between different sites, because managing and remembering them is difficult.

It is unreasonable to think that a company like Facebook would purposely expose user passwords in application logs or by any other method. However, Facebook, like Twitter and GitHub, which have faced similar mistakes, is a software company where large teams of developers write the software that enables the service. Invariably, that software will contain inadvertent bugs or oversights that cause such exposure of user identity information.

The true cause of the problem isn’t what one company does or doesn’t do with its security, but the underlying premise that personally identifiable information, along with authentication credentials (e.g., a password), is shared with central services such as Facebook, with the inherent trust that they will do the right thing in protecting our data. Once these services receive this data, the user no longer has control over what happens to it. Any weakness in the central service’s security can expose the user data and allow it to be compromised. We have seen this story play out over and over again, with hundreds of millions, even billions, of user identity records breached and stolen by hackers.

The problem is that our existing username and password paradigm necessarily depends on a central service provider maintaining copies of our identity credentials, and requires us to trust that provider in the exchange of that information, usually sent in the raw over SSL, so that it can validate and authenticate us. While the SSL connection may be partially secure, the service provider gets clear-text access to the data and passwords. It is then up to them – not us – to control and maintain the security of that data.

Each service provider in fact owns our identity for its service – we are merely users of that identity. If they own it, it can be stolen from them.

Leaked passwords, then, become only the tip of the iceberg. With stolen passwords, fraudsters are empowered to identify themselves as real users and go well beyond authentication. They will be able to authorise transactions, access multitudes of services, get access to credit card and other payment information and, in many cases, even change second factors.

User-owned identity – the future

In recent times, there has been much discussion of user-owned identities through what is often referred to as distributed identity. This is where the user ID information, and the credentials that can prove that unique ID, are maintained on the user’s device and not on a central server. The credentials use private/public key mechanisms: the private key is maintained on the phone only and is never shared, and service providers verify the user using only the user’s public key. Furthermore, the identity of the user can be certified by a service provider to verify the user. The certifications, once again, are entrusted not to a central server but to a Distributed Ledger Technology (DLT), also referred to as a blockchain.

This approach eliminates the need for both usernames and passwords. The combination of the private key and the certifications on the DLT inverts the ownership of the user’s identity – service providers are no longer the stewards and owners of the ID, they merely validate it. Since they never get a copy of the private key, they cannot store user credentials that a hacker might obtain in a breach.

This distributed identity mechanism can go beyond authenticating a user and, in fact, allow the user to maintain other attestations and certified data that are kept with them – encrypted on their personal devices – and shared only with their explicit permission and action, with parties they choose. This is in complete contrast to giving a service provider permission to share a user’s data with a third party as a proxy. Distributed identity can remove the need for the trusted middleman and give control of data sharing, authentication and information claims to the user. This increases both security and user privacy. Distributed identity doesn’t simply provide a protocol for a more secure environment in which to protect passwords – it eliminates passwords altogether.
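The authentication half of the mechanism described above (private key stays on the device, the service stores and checks only the public key) can be shown concretely as a challenge-response login. The following Go program is an added illustration written for this article, not code from the author or from ShoCard, and it uses only the standard library's Ed25519 implementation. The server name "example.test", the user id "alice" and the message format `login:<service>:<nonce>` are assumptions made for the example; the ledger-backed certifications the article also mentions are outside what it demonstrates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// challengeMessage binds the nonce to the verifying service, so a signature
// produced for one service cannot be relayed to another that trusts the
// same public key. The "login:<service>:" prefix is an assumed format.
func challengeMessage(service string, nonce []byte) []byte {
	return append([]byte("login:"+service+":"), nonce...)
}

// Server keeps, per user, only a public key: no password hash and no private
// key. A stolen copy of this store gives an attacker nothing that authenticates.
type Server struct {
	name       string
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding nonce per user
}

func NewServer(name string) *Server {
	return &Server{
		name:       name,
		users:      make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register records the user's public key; the private key never arrives.
func (s *Server) Register(userID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("register: malformed public key")
	}
	s.users[userID] = pub
	return nil
}

// Challenge issues a fresh random nonce for the user to sign.
func (s *Server) Challenge(userID string) ([]byte, error) {
	if _, ok := s.users[userID]; !ok {
		return nil, errors.New("challenge: unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[userID] = nonce
	return nonce, nil
}

// Verify checks the signature with the stored public key. The nonce is
// consumed on every attempt, so a captured signature cannot be replayed.
func (s *Server) Verify(userID string, sig []byte) bool {
	nonce, ok := s.challenges[userID]
	if !ok {
		return false
	}
	delete(s.challenges, userID)
	return ed25519.Verify(s.users[userID], challengeMessage(s.name, nonce), sig)
}

// Client models the user's device: the private key is generated here and is
// only ever used to produce signatures.
type Client struct {
	priv ed25519.PrivateKey
}

func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// Sign answers a challenge from the named service.
func (c *Client) Sign(service string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, challengeMessage(service, nonce))
}

// Login runs the whole exchange: challenge, sign on the device, verify.
func Login(s *Server, c *Client, userID string) (bool, error) {
	nonce, err := s.Challenge(userID)
	if err != nil {
		return false, err
	}
	return s.Verify(userID, c.Sign(s.name, nonce)), nil
}

func main() {
	srv := NewServer("example.test")
	alice, pub, err := NewClient()
	if err != nil {
		panic(err)
	}
	if err := srv.Register("alice", pub); err != nil {
		panic(err)
	}
	ok, err := Login(srv, alice, "alice")
	fmt.Println("alice login:", ok, err)

	// Someone holding only the server's store has no private key to sign with.
	mallory, _, _ := NewClient()
	ok, err = Login(srv, mallory, "alice")
	fmt.Println("login with a different key:", ok, err)
}
```

Three properties the article relies on are visible in the code: the server-side record is a public key only, so a log or database leak on the server exposes no reusable secret; each login consumes a fresh nonce, so an observed signature is useless afterwards; and the service name inside the signed message stops a signature for one provider being presented to another provider that knows the same key.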

Bridging the future

While distributed identity may sound like the right solution to some very large problems, it is disruptive compared with current implementations and hence requires change in order to be adopted. New services can incorporate such solutions more easily; existing, large-scale solutions face more difficulties. Not only will existing infrastructures have to change their implementations, they also need to train their users to adopt a new way of managing their identities and motivate them to migrate. This is an unavoidable obstacle to adoption.

It is therefore important to create bridges between distributed identity solutions and the existing paradigms that rely on usernames and passwords.

By incorporating SAML and OpenID standards that integrate with existing enterprise Single Sign On (SSO) services, companies can adopt distributed identities without writing any code and have their staff use the same portals to access their services, but without usernames and passwords. This opens the path for the identity used with the SSO to extend to consumer uses and beyond. In this approach, SAML and OpenID are simply a bridge to a more secure interface today and to expanded use of identity in the future, while eliminating the need to store or exchange passwords altogether.

With the increasing number of compromised passwords and user identities, it is no longer an option to simply build taller walls to secure those identities – a new approach is needed. Distributed Identity has that promise.

Armin Ebrahimi, Founder and CEO, ShoCard
