SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
24 Dec 2014

The password is finally dying, here's mine

Over at the Wall Street Journal, tech columnist Christopher Mims wrote a piece about two-factor authentication and how awesome it is.

The idea of a code being sent to your phone to log you into a site — rather than relying just on a password that can be guessed or stolen — is so awesome that he thinks it’ll make the password completely irrelevant.

To show how awesome two-factor is, he decided to just give up his Twitter password to anyone who wants it. “Knowing that won’t help you hack [my Twitter account], however,” he wrote. “In fact, I’m publishing my password to make a point: The password is finally dying, if we want it to.” Ironically, you need a WSJ password to read the piece. But his handing out his password happens in the first paragraph, which all can read, and it was, quite honestly, the only novel part of the piece. The rest explains device-based authentication to people who haven’t been paying attention to tech security, and haven’t set it up already for their Google, Facebook, Twitter, Yahoo, Bank of America, PayPal, or fill-in-the-online-service-here accounts.

As a journalism stunt to get clicks, it was brilliant, but as a practical approach to security, it was very dumb. So what happened after he handed his password out? The obvious. A whole bunch of people tried to log into his Twitter account. And every time one did, Mims got a text message with a verification code. He said on Twitter that he started receiving two text messages every minute.

He finally switched to getting the code via a designated “Twitter for iPhone” app, but there was still an option to send a verification code to his phone, and when you clicked on that, it revealed Mims’s full phone number, starting with a 301 Maryland area code. I tried calling him but got a message that his overworked phone was “out of service.” He says he now has to change the number associated with the account. Passwords alone do suck as a security measure, but until our smartphones can prick us for genetic material before letting us sign in, passwords do still play an important role in getting into a site.

Relying on smartphone-authentication alone means that a stolen smartphone is now a huge liability. “Cool contest: mug @mims for his phone, and you get his twitter account too!” tweeted New York Mag tech writer Kevin Roose.

I’m sure we’ll get another column from Mims about “what he learned” from the idiotic move. What happened was pretty predictable. And it has happened before. A British journalist published his bank account information online years ago to prove people were ridiculous in flipping out over the possible exposure of 25 million people’s bank account deets. His account got burgled by a Robin Hood.

The CEO of LifeLock, a service that promises to help protect people’s information online, famously used to print his Social Security number in ads because he was so confident in his company’s ability to protect him. Just as with Mims, the obvious happened. His identity was stolen at least 13 times. It is never ever a good idea to say, “Try to hack me.” Because hackers can almost always find a way.

One thing Mims was right about: his Twitter account hasn’t been hacked (yet). However, his phone was in a sense — in that it was buffeted with digital blows. And by revealing his password, he revealed his phone number to anyone who wants to screw with him further; cell phone numbers are awfully useful for social engineering or just ensuring someone has a very nasty day.

One of the best ways to approach security is to be careful and pragmatic about how and where you dish out your data, and to try to build a series of fences around accounts and information that are important to you, to make it harder for attackers to get in. Mims needs to do a bit more research into that. The good thing to come out of exercises like these is getting companies to protect stupid users from themselves. As many pointed out, Twitter shouldn’t display people’s phone numbers in full as part of the two-factor log-in process.

Tags: trends, password
Source: Forbes
Author: Kashmir Hill