I have a bank account online. Actually, I have several bank accounts, and pretty much all of them are accessible online. It’s taken a decade or more, but, I’m pretty sure that these days, it’s a given that you can access your bank account online. And, like most other online accounts, bank accounts are secured by a lock and key system that is becoming increasingly unreliable every day.
The username and password combination has been the cornerstone of computer security almost from the beginning. The idea, quite simply, is that by having to enter a password, you ensure that only the authorized person gets the access.
Quality of Password Security
Believe it or not, this can actually provide very good security in most non-online applications. Your ATM card is a great example. Nothing secures your ATM card from being used to empty your bank account except for a four-digit PIN number. Assuming your PIN number isn’t something stupid like your birthday (or your wife’s birthday, or kid’s birthday… really, anyone’s birthday at all), it is highly unlikely that your ATM card will ever be compromised, even though there are only 9999 combinations. This is because you only get something like three or four wrong entries before the ATM just takes your card, and alerts your bank. It takes someone really lucky to beat 3 in 9999 odds.
For most websites, password security is also actually sufficient to guard most data. My online bank account follows the same protocol as the ATM machine. If you enter the wrong code more than three times, it locks my account. Since my bank password requires letters, numbers, upper case, and so on, the combinations are too many to be guessed.
The movies always show some teenager figuring out your password, or using a computer to make millions of really fast guesses, but that only works on the weakest passwords and the weakest of computer systems.
The security of online passwords is why all but the least secure systems are virtually impenetrable to random guess of passwords.
What happens instead, is that hackers get into systems that have usernames and passwords. Then, they download the file containing those credentials. Those files are supposed to be encrypted, but even software industry giants like Adobe can be criminally negligent in how they handle those files.
Once hackers have those files, they can spend an eternity decrypting, them, sifting through them for information, and creating password hacking dictionaries. These dictionaries are not used to hack directly into online systems, but rather to decrypt properly encrypted databases stolen in the future.
If a hacker finds your username and password on one site, that information is useless as soon as you change your password. Unfortunately, with so many online services, and so many of them requiring complex password rules, people start to come up with one or two good passwords, and then use them everywhere. Once you’ve reused bonniesmith as your username with your password Aktiv4HClubMember! on more than one website, all the hackers need to do is find it, and then try that username and password combination on more important websites, like your bank.
Easy Additional Security
Here is where things get interesting. While the username and password is quickly becoming too easy to get past, two passwords can still be quite a roadblock.
Several of my online financial accounts require a username and password, but they also require an additional security question before allowing me to log in from a new machine or mobile device. So, you not only need bonniesmith and Aktiv4HClubMember!, you also need to know that Bonnie’s first pet was named Hawk. That last bit of information is both easy to find, and a very short, insecure password. Anyone that knows Bonnie really well could maybe guess that.
But, here’s the thing. It is incredibly rare that the person trying to hack into your bank account knows you. In fact, it’s pretty rare that they are even in the same country. It’s just as rare that they are trying to actually get into Bonnie’s account specifically and not just quickly get into as many accounts as possible before stealing money. That means that that little bit of information can stop hackers in their tracks.
If you’re thinking that eventually people will use the same information across multiple websites, you’re right, but here’s where it gets interesting. What if the websites dictated the questions?
For example, what if my bank asked me to setup a username and a password, and then asked me what color my first car was, while my other bank asked for a username and password and what my Mom’s favorite animal is? Now, even if I reuse passwords, my banks accounts are twice as hard to hack since the same three failures will lock my accounts if the hackers can’t guess that Bonnie’s first car was red and her mom’s favorite animal is camels.
The beauty of it, is when the inevitable happens and someone gets hacked, even fully compromised usernames, passwords, and security answers are half as useful on sites like that.
The problem is that this level of security is often diminished because you can “save” your answers on your own computer in the form of a check box that says remember this computer, or phone, or whatever. Maybe just adding that extra bit, without allowing a save, is all we really need to get back ahead of the hackers for another decade.