It feels like almost every day there is another data breach making the headlines. From banking to chatting with friends, the average person spends more than 10 hours online every day. However, most of the sites or online resources we use daily—from Facebook to Gmail—are secured using a simple password.
Most security breaches happen because of some sort of human weakness. A password may be too easy to guess, as studies show that 10,000 of the most common passwords, such as 123456 or qwerty, can access 98 percent of all accounts.
Other points of failure originate from people leaving their browsers open on public computers, writing passwords down on paper or in a file on their computers or simply getting tricked into giving away their login data.
Although we know what safe passwords should be, we tend to ignore this knowledge in favor of using easy-to-remember passwords because the fear of forgetting is stronger than the fear of being hacked.
Data breaches making the headlines
Since the first usage of a password in 1961 by the Massachusetts Institute of Technology, authentication systems have come a long way. Today, modern computers use a form of hashing referred to as “salting.” However, because many passwords are overly simple and because many systems allow a user to guess multiple times, password-based systems remain vulnerable to hacking.
In 2011, hackers stole 77 mln Sony PlayStation Network passwords. In 2012, 400,000 Yahoo! email addresses were hacked. Apple's iCloud was also vulnerable to password hacks, which led to the infamous celebrity photo hacking of 2014. During the same year, five mln Gmail passwords were hacked and released online. These are only selected examples from the huge list of the world’s biggest data breaches, which are displayed in a visualization here.
Password managers can fail too
It is this context that boosted the popularity of password managers like LastPass or 1Password, which free users from ever having to remember their passwords. These managers can also generate strong random passwords for each online account.
However, the problem with using a Web-based third party to store passwords is that they can get hacked too, as it was the case for LastPass in 2015. The platform experienced a data breach that exposed users' email addresses, encrypted passwords and password reminder hints.
As we explained in a previous article, “LastPass certainly took many security precautions, and some of them worked. For example, LastPass never had access to customers' master passwords in cleartext. But they did store other information about users in cleartext, and it's this compromised information that can be used to guess weak master passwords.”
Obsolete usernames and passwords
The cryptocurrency world has been relatively quick on the uptake of passwordless Web logins. It began when Satoshi Labs offered users Trezor Connect, which allows to log in to participating websites simply by plugging in a hardware wallet.
The cryptocurrency community also showed great excitement recently at the world's first Secure Quick Reliable Login (SQRL) that utilizes QR codes and the public-key cryptography behind Bitcoin to achieve passwordless logins.
These two developments alone prove that usernames and passwords are far from necessary in achieving secure client-server relationships online.
Blockchain to the rescue
A larger problem is the centralized architecture of the database storing logins and passwords on a server. Which means, if it’s been hacked, all data can be accessed at once. Unfortunately, even Two Factor Authentication (2FA) has been proven to be penetrable through social engineering.
REMME is a startup seeking to make passwords obsolete, thus eliminating the human factor from the authentication process, and therefore preventing such attacks from ever happening. REMME claims that by solving the problem of central servers that can be hacked, malicious attacks such as phishing, server and password breach, and password reuse will become useless.
Instead of a password, REMME gives each device a specific SSL certificate. The certificate data is managed on the Blockchain, so a fake certificate will never work. By using this method, the startup got rid of the authentication server and password database. As a consequence, hackers have no potential central server target, which means no weak point. REMME claims “100 percent protection against common attacks.”
This will only require a quick installation, which according to the company, will allow “potential clients to save costs on integration.” The startup further provides 2FA for an additional security level, with apps users already have installed and trust, as well as corporate mobile applications.
The goal of this system is to build a distributed Public Key Infrastructure (PKI) management on top of the x.509 standard using Blockchain. This set of policies has the potential to help many segments address the problem of security failings, from which REMME is focusing on IoT, financial infrastructure, MedTech and Blockchain companies.
Can innovative processes like this take off? At the end of the day, it will all come down to how many data breaches consumers are willing to put up with.