Have you been Pwned?

Ummm, yes I have and I didn’t know that I had.

From Wikipedia – “Pwn is a slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet-based video game culture to taunt an opponent who has just been soundly defeated.”

“You just got pwned!” Well, I did anyway, and here’s the proof:

A Quick Check

Thankfully it is easy to check: just go to the URL below.
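The same check can be automated without ever sending the password itself. The following is an added illustration, not code from the original post, and it assumes the service meant is Have I Been Pwned: its Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every suffix it knows with that prefix, so the comparison happens locally (k-anonymity). The sample range response below is constructed so the example runs offline; a live fetch is included but not called unless you choose to.

```python
"""Check a password against a breach corpus using the k-anonymity range
lookup of Have I Been Pwned's Pwned Passwords API.

Added example for this article, not the author's or HIBP's own code.
Protocol as HIBP documents it: SHA-1 the password, send only the first
five hex characters, compare the returned "SUFFIX:COUNT" lines locally.
The password (and its full hash) never leaves this machine.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; padding entries carry count 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort the check
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Real lookup over the network. Add-Padding makes every response the
    same shape so an observer cannot infer the prefix from response size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the live service (assumption: counts are made up).
# The first suffix is the genuine SHA-1 tail of the string "password";
# the remaining two lines are invented filler, one of them a zero-count
# padding entry of the kind Add-Padding produces.
SAMPLE_RANGES = {
    "5BAA6": "\n".join(
        [
            "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
            "00000000000000000000000000000000001:0",
            "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:2",
        ]
    )
}


def offline_fetch(prefix: str) -> str:
    """Offline replacement for live_fetch using the constructed data above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        n = breach_count(candidate, offline_fetch)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not seen")
```

Swap `offline_fetch` for `live_fetch` to query the real service; the interface is the same, which is what makes the logic testable without network access.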


Passwords are dead

Now that I have your attention, let me talk about passwords.

“Open sesame” was the famous passcode that Ali Baba used to gain access to the legendary treasure. In Hebrew, the word “Sesame” has connotations of being a name for heaven.

For attackers this is indeed “heaven”: gaining access to a password provides far more than a simple way to feed the family. Passwords are the bane of our everyday existence, and most of us struggle with the differing expiry and format requirements.

It might surprise you that the average person has 17-19 different passwords and uses around 8-12 per day. During the working day we cope with around 6-7 just at our place of employment, and when we want to relax and use the internet we need a further 4-5. So much for chilling out!

It is not the daily websites that are the issue but the infrequent ones, where we have little hope of remembering the password.

Data Breaches

With so many passwords, each with different rules and expiry dates, the situation only gets worse.

Not surprisingly, with so many passwords the average person tends to choose weaker ones and to reuse the same password across sites. Reuse is what turns a breach at one site into a compromise everywhere else: a leaked credential list is simply replayed against other services.

Recent evidence suggests that more than 60% of all data breaches stem from weak credentials and user authentication. We have a problem, and the current approaches don’t work.

Authentication Sucks

The fact is that around 70% of users forget their passwords every month. It was embarrassing as a CIO to be calling the helpdesk to reset my password, but like many others I fell victim to multitasking.


Authentication as it stands does suck. We need a more intuitive approach, and the hypothesis is that we need a pattern to help us remember our passwords. The usual good advice is to use a poem or rhyme as a mnemonic, e.g.

Mary Had a Little Lamb = MHALL

Note that the five-letter acronym on its own is far too short to be a password; the rhyme is only useful as the seed of something longer.

Biometric sensors

We are all now using smartphones with gestures or biometric sensors. It is a great improvement over typing on that little virtual keyboard. I recall reviewing the patent for the iPhone’s biometric touch sensor a number of years before it was launched.

It is, however, fascinating to look at Apple’s more recent patents. They have patented full-finger (multiple-finger) sensing. Let’s remember that the importance of using one’s finger is that it provides the “something you are” factor. This is critical for payments, and Apple Pay will use a biometric approach to approve each transaction.

They are taking this one step further with the concept of User ID using plethysmography, which to my understanding is a combination of motion, gestures and light movement. Thus in the future we could use a gesture, not unlike the movements used at the gambling table to place a bet.

Apple is also doing some R&D on using biometrics in a TV remote: just imagine your remote knowing David’s preferences and which alternatives you like. An exciting development, but based on Apple’s usual innovation process it is a few years away.

But back to security…

Continuous Monitoring is the answer?

Where I would place my bet is on using a number of sensors to validate me. The theory is that machine learning monitors a combination of those sensors.

How fast and how you type: such keystroke patterns would capture your normal tempo. But what happens on the day you are not feeling 100%, or are jetlagged?

Your device is therefore your monitor, and it will also be listening to how you speak and what you say.

Thus this is not a binary yes-or-no password check but continuous monitoring that develops an ongoing trust score, authenticating you in real time on your device. Our friends at Google are working on this approach.

Will this mean the end of being pwned? I’m not sure, but clearly I could be using “Open Sesame” as my password and, with continuous monitoring, this might be enough to validate who I am.


Tags: security, data breach, Pwned, Wikipedia, privacy, CSO Australia


Stories by David Gee
