From Wikipedia – “Pwn is a slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet-based video game culture to taunt an opponent who has just been soundly defeated.
"You just got pwned!" well I did anyway and here’s the proof:
A Quick Check
Thankfully it is easy to check, just go to the URL below.
Passwords are dead
Now I have your attention, let me talk about Passwords.
“Open sesame”, was the famous passcode that Ali Baba used to gain access to the legendary treasure. In Hebrew, the word “Sesame” has connotations for being the name of heaven.
For hackers, this is indeed “heaven” and gaining access to a password provides more than a simple way to feed the family. Passwords are the bane of our everyday existence and for most of us we struggle with the different requirements of expiration and format.
It might surprise you that the average person has 17-19 different passwords and uses around 8-12 per day. In our working day, we cope with around 6-7 just at our place of employment. Then when we want to relax, and use the internet we have to use a further 4-5. So much for chilling out!
It is not the daily websites that are an issue, but the more infrequent ones, where we just have little hope of remembering these passwords.
With so many passwords and these having different rules and expiry dates. This just exacerbates the current situation.
Not surprisingly with so many passwords it is often the case that users, or should I say the average person will therefore tend to use not as “strong” passwords and also likely that they have duplicates.
Recent evidence is that more than 60% of all data breaches came from weak credentials and user authentication. We have a problem and the current approaches don’t work.
The fact is that around 70% of users forget their passwords every month. It was embarrassing as a CIO to be calling the helpdesk to reset my password, but like many others we fall victim of multi tasking.Read more: Document management paramount for legal teams
Authentication as it stands – does suck. We need a more intuitive approach and the hypothesis is that we need a pattern to remember our passwords. The usual good advice is to use a poem or rhyme to help you make this mental recall eg.
Mary Had a Little Lamb = MHALL
We are all now using smartphones with gestures or biometric sensors. It is a great improvement over typing in on that little virtual keyboard. I recall reviewing the patent of the biometric touch for the iPhone, which was a number of years ahead of this being launched.
It is however fascinating to look at what more recent Apple’s patents. They have patented full finger (multiple fingers) patents. Of course let’s remember that the importance of using one’s finger is that it provides that third factor authentication. This is critical for payments and Apple Pay will be using a biometric approach to approve the transaction.
They are taking this one step further with the concept of User ID using Plethysmography, which my understanding is a combination of motion, gestures and light movement. Thus in the future we can use a gesture, not unlike the movements used at the gambling table to make a bet etc
Apple is doing some R&D on using biometrics on a TV remote, just imagine your remote knowing David’s preferences and what alternatives you like. Just an exciting development, but based on Apple’s normal innovation process this is going to be a few years away.
But back to security…..
Continuous Monitoring is the answer?
Where I would place my bet is where you can use a number of sensors to validate myself. The theory here is that using Machine Learning it will monitor a combination of sensors.
How fast and how you type and such key-stroke patterns would understand your normal tempo etc. But what happens that day that you are not feeling 100% or perhaps jetlagged.
Your device is therefore your monitor and will also be listening to how you speak and what you say?
Thus this is not binary – Yes or No Password, but continuous monitoring that develops an ongoing trust score that is authenticating you in real time on your device. Our friends at Google are working on this approach.
Will this mean the end of being Pwned? I’m not sure, but clearly I could be using “Open Sesame” as my password and with continuous monitoring this may be enough to validate who I am.