Juha Saarinen: Let's kill logins

By Juha Saarinen

Tech blogger for nzherald.co.nz.·NZ Herald·

5 Sep, 2017 02:42 AM4 mins to read

Kill logins sooner rather than later, please. Photo / 123RF

Opinion by Juha Saarinen

Tech writer for NZ Herald.

Learn more

If you have an account with a popular web service provider, like Gmail, Hotmail or Yahoo, you should change your password now.

Actually, doesn't matter what the provider is, just change your password. There are data breaches almost on a daily basis now, and chances are your login details are in the wrong hands.

If you can remember which provider you signed up for that is. Oh, and if you can keep up with the frequent data leaks. Last week saw over 711 million login credentials leaked on the internet.

Facebook-owned Instagram made a coding error which meant leaked emails and phone numbers for perhaps up to six million accounts but not the account passwords apparently.

A determined hacker who knows the email address and phone number associated with users will try to get account password reset through them, especially if they belong to celebrities.

How do you keep track of all your accounts then?

Even with a credentials manager, it's quite a chore to remember where on the web you have accounts. Almost every single site you visit will ask you to create a login, for shopping, to receive newsletters, for whatever reason.

People start to use credentials managers once they realise they have so many accounts they can't remember them all, but by then it's too late.

Even if you don't re-use passwords, most people do not use different email addresses for the account usernames. It's just too difficult to do that when you have a myriad of accounts everywhere.

The whole system with logins using passwords and email addresses broke down some years ago as the internet grew massive. We still persist with it, and the problem's getting worse. Changing passwords won't fix it.

Now, there are some efforts to plaster over the cracks, like authentication methods that don't pass through user credentials, but they are difficult to get right and have their own set of horrendous security bugs.

Then there's two-factor and two-step authentication where you enter username and password, and then through a side-channel you're asked to either permit the login attempt, or you enter a code to authorise it.

It means jumping through more hoops for logging in and some people don't enable 2FA/2SA for that reason. You should do that, because it's literally a last line of defence since the chances are your username is out in the wild, and your password could be too if it isn't already.

Not that 2FA/2SA is 100 per cent secure either, as Apple customers have discovered.

The whole system with logins using passwords and email addresses broke down some years ago as the internet grew massive. We still persist with it, and the problem's getting worse.

For the past month or so, Apple users have reported that their devices have mysteriously become locked. People are asked to send an email to an address on the iDevice lock screen, and in some cases money is demanded - a ransom.

The reason for the lock-outs seem to be attackers working out how to abuse the Find my iPhone feature.

They obtain usernames and passwords, the latter sometimes through brute-force guessing, and log in to victims' iCloud accounts. If 2SA is enabled, attackers will be prompted for a code that they can't enter and get in but... they can still use Find my iPhone and through that, lock people's devices.

I was able to confirm that you can access Find my iPhone and through that lock iDevices and Macs that are tied to your account, without entering the 2SA code.

This is apparently how it should work so that you can lock (and erase) lost devices when you only have your username and password available. Apple did not respond when I asked them but it's a case of damned if they do, damned if they don't.

Either way, if your device is locked, don't pay a ransom: try unlocking from another device, or go to an Apple service centre with proof of purchase for help.

That even a well-designed security feature like Apple's 2SA can be exploited like this shows why we need to move away from old-fashioned logins so as to make all that leaked data that's probably linked to each of us useless for hackers.

Kill logins sooner rather than later, please.