Passwords – The Conversation
2024-01-18T03:32:12Z
What is credential stuffing and how can I protect myself? A cybersecurity researcher explains
<figure><img src="https://images.theconversation.com/files/569990/original/file-20240118-23-wz0bip.jpg?ixlib=rb-1.1.0&rect=0%2C16%2C3748%2C1888&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/password-box-internet-browser-on-computer-127894811">kpatyhka/Shutterstock</a></span></figcaption></figure><p>Cyber-skulduggery is becoming the bane of modern life. Australia’s prime minister has called it a “<a href="https://www.news.com.au/finance/work/leaders/prime-minister-calls-major-hack-a-scourge-after-guzman-y-gomez-binge-targeted-in-coordinated-cyber-hack/news-story/d4853d70755478a1f72acb1197a7e287">scourge</a>”, and he is correct. In 2022–23, nearly 94,000 cyber crimes were <a href="https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023">reported</a> in Australia, up 23% on the previous year.</p>
<p>In the latest high-profile <a href="https://www.cyberdaily.au/security/10038-customers-of-guzman-y-gomez-dan-murphys-and-more-affected-in-credential-stuffing-campaign">attack</a>, around 15,000 customers of alcohol retailer Dan Murphy, Mexican restaurant chain Guzman y Gomez, Event Cinemas, and home shopping network TVSN had their login credentials and credit card details used fraudulently to buy goods and services in what is known as a “<a href="https://owasp.org/www-community/attacks/Credential_stuffing#">credential stuffing</a>” attack.</p>
<p>So what is credential stuffing – and how can you reduce the risk of it happening to you?</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A Dan Murphy's liquor store sign reflects golden sunlight." src="https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Many customers of alcohol retailer Dan Murphy are among those hit by the latest round of credential stuffing cyber attacks.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/sydney-australia-on-february-7-2018-1019906509">ArliftAtoz2205/Shutterstock</a></span>
</figcaption>
</figure>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/an-expert-reviews-the-governments-7-year-plan-to-boost-australias-cyber-security-here-are-the-key-takeaways-218117">An expert reviews the government’s 7-year plan to boost Australia’s cyber security. Here are the key takeaways</a>
</strong>
</em>
</p>
<hr>
<h2>Re-using the same login details</h2>
<p>Credential stuffing is a type of cyber attack where hackers use stolen usernames and passwords to gain unauthorised access to other online accounts.</p>
<p>In other words, they steal a set of login details for one site, and try it on another site to see if it works there too.</p>
<p>This is possible because many people use the same username and password combination across multiple websites.</p>
<p>It is common for people to use the <a href="https://us.norton.com/blog/privacy/password-statistics#:%7E:text=More%20than%2080%25%20of%20confirmed,to%20their%20accounts%20or%20devices.">same password</a> for multiple accounts (even though this is very risky).</p>
<p>Some even use the same password for all their accounts. This means that if one account is compromised, hackers can potentially access many (or all) of their other accounts with the same credentials.</p>
<h2>‘Brute force’ attacks</h2>
<p>Hackers purchase job lots of login credentials (obtained from earlier <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2023#:%7E:text=Large%2Dscale%20data%20breaches,period%20%E2%80%93%20a%2045%25%20decrease.">data breaches</a>) on the “<a href="https://en.wikipedia.org/wiki/Dark_web">dark web</a>”. </p>
<p>They then use automated tools called “bots” to perform credential stuffing attacks. These tools can also be purchased on the dark web. </p>
<p>Bots are programs that perform tasks on the internet much faster and more efficiently than humans can. </p>
<p>In what is colourfully termed a “brute force” attack, hackers use bots to test millions of username and password combinations on different websites until they find a match. It’s easier and quicker than many people realise.</p>
<p>It is happening more often because the barrier to entry for would-be cybercriminals has never been lower. The dark web is readily accessible and the resources needed to launch attacks are available to anyone with cryptocurrency to spend and the will to cross over to the dark side. </p>
<h2>How can you protect yourself from credential stuffing?</h2>
<p>The best way is to <em>never</em> reuse passwords across multiple sites or apps. Always use a unique and strong password for each online account.</p>
<p>Choose a password or pass phrase that is at least 12 characters long, is complex, and hard to guess. It should include a mix of uppercase and lowercase letters, numbers, and symbols. Don’t use pet names, birthdays or anything else that can be found on social media. </p>
<p>You can use a <a href="https://www.forbes.com/advisor/business/are-password-managers-safe/">password manager</a> to generate unique passwords for all your accounts and store them securely. These use strong encryption and are generally regarded as pretty safe.</p>
<p>Another way to protect yourself from credential stuffing is to enable two-factor authentication (2FA) for your online accounts. </p>
<p>Two-factor authentication is a security feature that requires you to enter a code or use a device in addition to your password when you log in.</p>
<p>This adds an extra layer of protection in case your password is stolen. You can use an <a href="https://au.pcmag.com/security/86845/the-best-authenticator-apps">app</a>, a text message, or a <a href="https://www.nytimes.com/wirecutter/reviews/best-security-keys/">hardware device</a> (such as a little “key” you plug into a computer) to receive your two-factor authentication code.</p>
<p>Monitor your online accounts regularly to look for any suspicious activity. You can also check if your email or password has been exposed in a data breach by using the website <a href="https://haveibeenpwned.com/">Have I Been Pwned</a>. </p>
<p>You may be surprised by what you see. If you do discover your login details on there, use this as a timely warning to change your passwords as soon as possible.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Have your passwords and login details been exposed in a data breach?</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/portland-usa-apr-19-2023-closeup-2291663313">Tada Images/Shutterstock</a></span>
</figcaption>
</figure>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/what-is-lockbit-the-cybercrime-gang-hacking-some-of-the-worlds-largest-organisations-217679">What is LockBit, the cybercrime gang hacking some of the world's largest organisations?</a>
</strong>
</em>
</p>
<hr>
<h2>Eternal vigilance</h2>
<p>In today’s world of rising cyber crime, your best defence against credential stuffing and other forms of hacking is vigilance. Be proactive, not complacent about online security.</p>
<p>Use unique passwords and a password manager, enable two-factor authentication, monitor your accounts, and check breach notification sites (like Have I Been Pwned). </p>
<p>Remember, the recent attacks on Dan Murphy, Guzman y Gomez and others show how readily our online lives can be disrupted. Don’t let your credentials become another statistic. As you are reading this, the criminals are thinking up new ways to exploit our vulnerabilities. </p>
<p>By adopting good digital hygiene and effective security measures, we can take back control of our online identities.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/an-ai-driven-influence-operation-is-spreading-pro-china-propaganda-across-youtube-219962">An AI-driven influence operation is spreading pro-China propaganda across YouTube</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>David Tuffley is affiliated with the Australian Computer Society (MACS).</span></em></p>
David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University. Licensed as Creative Commons – attribution, no derivatives.
2023-06-22T12:32:00Z
Fear trumps anger when it comes to data breaches – angry customers vent, but fearful customers don’t come back
<figure><img src="https://images.theconversation.com/files/530963/original/file-20230608-14786-a4sqhf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">One-third of customers will return to a hacked site without even changing their password, according to a recent study.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/young-asian-businesswoman-sitting-on-the-bench-in-royalty-free-image/1295580690">d3sign/Moment Collection/Getty Images</a></span></figcaption></figure><p><em>The <a href="https://theconversation.com/us/topics/research-brief-83231">Research Brief</a> is a short take about interesting academic work.</em></p>
<h2>The big idea</h2>
<p>When a person is notified of a data breach involving their personal information, if they react with a feeling of fear – as opposed to anger – they’re more likely to stop using the site. </p>
<p>That was the main finding of <a href="http://www.doi.org/10.1109/TEM.2022.3189599">a study I conducted</a> with three co-authors that examined which emotions lead customers to change their behavior after a breach. We found that angry customers, on the other hand, are more likely to vent on different social media platforms but then return to the breached site.</p>
<p>We surveyed 208 U.S. consumers, ages 18 to 60, and asked them to describe their feelings after being informed of a data breach on their favorite and frequently used website. Subscription websites, such as Netflix and Xbox Live, and free-to-use websites, such as Facebook and Snapchat, were considered. We then asked the participants to explain, in their own words, what actions they took in response.</p>
<p>We found that positive attitudes toward the website before the breach did not meaningfully affect whether consumers reengaged with the website after the breach, as some <a href="https://doi.org/10.1080/07421222.2018.1451962">prior research</a> has indicated. Instead, the emotional response of fear, in particular, weighed heavily on customers. </p>
<p>Fearful customers appeared to stop using the breached site to reduce their feelings of stress and vulnerability. Other customers resorted to providing false biographical details or removing credit card data, name and date of birth from the website as they continued using it. </p>
<h2>Why it matters</h2>
<p>In 2022 alone, U.S. <a href="https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/">customer data was compromised</a> in over 1,800 incidents, affecting over 400 million individuals. </p>
<p>Much of the prior research has focused on <a href="https://doi.org/10.1080/1062726X.2017.1356310">customer anger</a> in the wake of a data breach and the need for companies to placate angry customers or manage negative media coverage. To do so, companies may <a href="https://doi.org/10.1057/s41299-021-00121-9">engage crisis managers to contain the damage</a>, <a href="https://www.cnbc.com/2022/02/14/equifax-settlement-letters-going-out-regarding-free-credit-monitoring.html">partner with identity protection services</a>, <a href="https://www.cnn.com/2022/07/25/tech/tmobile-data-breach-settlement/index.html">pay fines or settlements</a>, or try to lure back customers with <a href="https://www.reuters.com/article/us-media-playstation-idINTRE7415J120110502">free services</a>. </p>
<p>However, our research shows that companies need to address fearful customers differently after a data breach has occurred – if they want to avoid customer loss. To do this, companies can work with their IT departments to identify customers who are no longer active after a breach and then reach out to them directly to assuage their fears. </p>
<h2>What still isn’t known</h2>
<p>It is not yet known how companies should react in the aftermath of a data breach. It isn’t clear why customers return. One likely explanation is <a href="https://doi.org/10.1016/j.chb.2017.12.001">privacy fatigue</a> – when customers believe keeping their online data secure is futile. </p>
<p>In our study we found one-third of customers returned after a breach without even changing their passwords. More than half returned after making some changes, such as removing their credit card data, changing their passwords or removing personal information.</p>
<p>This may be why researchers cannot provide reliable recommendations for handling data breaches. From a company’s standpoint, if customers will return anyway, there is little incentive to do more than the bare minimum to address a breach. </p>
<h2>What’s next</h2>
<p>We are now studying the behavior of people who have experienced multiple data breaches in the past year. We want to know how these customers change their behaviors, as well as how they judge the recovery efforts of the companies whose sites were breached.</p>
<p>Recent regulations, such as the EU’s 2018 <a href="https://gdpr.eu/what-is-gdpr/">data protection law</a> and newly introduced <a href="https://www.nytimes.com/2021/05/14/technology/state-privacy-internet-laws.html">state bills</a> in the U.S. – along with updates to the <a href="https://www.oag.ca.gov/privacy/ccpa">California Consumer Privacy Act</a> – will force companies and data brokers to think more seriously about the kinds of data being collected and stored. Health care, retail, finance, social networking and other websites will need to make significant changes in how they inform customers of – and compensate them for – such data breaches.</p>
<p class="fine-print"><em><span>Rajendran Murthy does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Companies tend to focus on appeasing angry customers after a data breach. New research shows they may want to pay more attention to customers who are afraid to return to their site.
Rajendran Murthy, Professor of Marketing, Rochester Institute of Technology. Licensed as Creative Commons – attribution, no derivatives.
2023-04-12T18:25:01Z
What are passkeys? A cybersecurity researcher explains how you can use your phone to make passwords a thing of the past
<figure><img src="https://images.theconversation.com/files/520297/original/file-20230411-894-eklq1e.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5472%2C3645&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Your phone could soon replace your passwords.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/young-african-american-man-using-mobile-phone-with-royalty-free-image/1402363586">Xavier Lorenzo/Moment via Getty Images</a></span></figcaption></figure><p>Passwords could soon become passé. </p>
<p>Effective passwords are cumbersome, all the more so when reinforced by two-factor authentication. But the need for authentication and secure access to websites is <a href="https://www.theguardian.com/technology/2023/apr/05/international-sting-takes-down-online-marketplace-of-stolen-identities">as great as ever</a>. Enter passkeys.</p>
<p><a href="https://developers.google.com/identity/passkeys">Passkeys</a> are digital credentials stored on your phone or computer. They are analogous to physical keys. You access your passkey by signing in to your device using a personal identification number (PIN), swipe pattern or <a href="https://csrc.nist.gov/glossary/term/biometrics">biometrics</a> like fingerprint or face recognition. You set your online accounts to trust your phone or computer. To break into your accounts, a hacker would need to physically possess your device and have the means to sign in to it.</p>
<p>As a <a href="https://scholar.google.com/citations?user=a4C-qg8AAAAJ&hl=en">cybersecurity researcher</a>, I believe that passkeys not only provide faster, easier and more secure sign-ins, they minimize human error in password security and authorization steps. You don’t need to remember passwords for every account and don’t need to use two-factor authentication.</p>
<h2>How passkeys work</h2>
<p>Passkeys are generated via <a href="https://www.techtarget.com/searchsecurity/definition/asymmetric-cryptography">public-key cryptography</a>. They use a public-private key pair to ensure a mathematically protected private relationship between users’ devices and the online accounts being accessed. It would be nearly impossible for a hacker to guess the passkey – hence the need to physically possess the device the passkey is accessed from.</p>
<p>Passkeys consist of a long private key – a long string of encrypted characters – created for a specific device. Websites cannot access the value of the passkey. Rather, the passkey verifies that a website possesses the corresponding public key. You can use the passkey from one device <a href="https://developers.google.com/identity/passkeys">to access a website using another device</a>. For example, you can use your laptop to access a website using the passkey on your phone by authorizing the login from your phone. And if you lose your phone, the passkey can be stored securely in the cloud with the phone’s other data, which can be restored to a new phone. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/hWYhPOxpgkI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Passkeys explained in 76 seconds.</span></figcaption>
</figure>
<h2>Why passkeys matter</h2>
<p>Passwords can be guessed, phished or otherwise stolen. Security experts advise users to make their passwords longer with more characters, mixing alphanumeric and special symbols. A good password should not be a dictionary word or a common phrase, should contain no consecutive letters or numbers, and yet should be memorable. Users should not share them with anyone. Last but not least, users should change passwords every six months at minimum for all devices and accounts. Using a <a href="https://www.wired.com/story/coronavirus-quarantine-start-using-password-manager/">password manager</a> to remember and update strong passwords helps but can still be a nuisance.</p>
<p>Even if you follow all of the best practices to keep your passwords safe, there is no guarantee of airtight security. Hackers are continuously developing and using software exploits, hardware tools and ever-advancing algorithms to break these defenses. Cybersecurity experts and malicious hackers are locked in an arms race.</p>
<p>Passkeys remove the onus from the user to create, remember and guard all their passwords. Apple, Google and Microsoft are <a href="https://techcrunch.com/2022/05/05/apple-google-microsoft-passwordless-logins/">supporting passkeys</a> and encourage users to use them instead of passwords. As a result, passkeys are likely to soon overtake passwords and password managers in the cybersecurity battlefield.</p>
<p>However, it will take time for websites to add support for passkeys, so passwords aren’t going to go extinct overnight. IT managers <a href="https://www.pcmag.com/opinions/try-passkeys-but-keep-your-password-manager">still recommend</a> that people use a password manager like <a href="https://1password.com/">1Password</a> or <a href="https://bitwarden.com/">Bitwarden</a>. And even Apple, which is encouraging the adoption of passkeys, has its <a href="https://www.wired.com/story/apple-new-password-manager-2fa-iphone-ipad/">own password manager</a>.</p>
<p class="fine-print"><em><span>Sayonnha Mandal does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Passwords are both annoying to use and vulnerable to hackers. Google is moving to support stronger, easier-to-use passkeys (and other tech companies are close behind).
Sayonnha Mandal, Lecturer in Interdisciplinary Informatics, University of Nebraska Omaha. Licensed as Creative Commons – attribution, no derivatives.
2022-09-11T20:10:03Z
Apple’s PassKeys update could make traditional passwords obsolete
<figure><img src="https://images.theconversation.com/files/479816/original/file-20220818-18-al5pgb.jpeg?ixlib=rb-1.1.0&rect=64%2C29%2C3818%2C2555&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Sometimes it seems like passwords have been with us forever, and yet every year we’re reminded how we <a href="https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418">still don’t</a> use them properly! </p>
<p>The annual publication of the “worst passwords” <a href="https://en.wikipedia.org/wiki/List_of_the_most_common_passwords">list</a> shows we haven’t become much more password savvy over the decade. And while several replacements for the humble password have been proposed, none have come close to the ease of using the traditional method. </p>
<p>But this changes today with the introduction of Passkeys – an update in Apple’s latest iOS 16 operating system. Passkeys could be the long-awaited solution to password malpractice, and the near-constant problem of compromised credentials.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/this-new-year-why-not-resolve-to-ditch-your-dodgy-old-passwords-172598">This New Year, why not resolve to ditch your dodgy old passwords?</a>
</strong>
</em>
</p>
<hr>
<h2>What’s wrong with passwords?</h2>
<p>The problem with passwords has been well documented. We choose weak ones, write them down (for others to see), share them, and re-use them on multiple websites. </p>
<p>The last of these is particularly problematic. Once your details are breached (and subsequently leaked), they’re vulnerable to “credential stuffing” – where cybercriminals take a set of login credentials and try them on multiple websites.</p>
<figure class="align-right ">
<img alt="A yellow sticky note with a password is stuck to a computer monitor." src="https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">People still stick passwords to their monitors!</span>
<span class="attribution"><span class="source">Author provided</span></span>
</figcaption>
</figure>
<p>“But I use a password manager,” you might say.</p>
<p>Well, that’s good. The standard advice for years has been to use password managers such as 1Password or LastPass. These let you create unique passwords for each website or service you use. So even if a website is compromised, only one password is revealed.</p>
<p>But this approach requires the ability to synchronise across all your devices – a feature not all password managers provide.</p>
<p>And even with a password manager, our passwords are still stored on the remote website we’re accessing. Although most websites store passwords in a secure (hashed) format, they are still <a href="https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418">routinely compromised</a>. It’s estimated more than two billion <a href="https://www.forgerock.com/resources/2022-consumer-identity-breach-report">sets of credentials</a> (including passwords) were <a href="https://haveibeenpwned.com/">leaked online</a> in 2021. </p>
<h2>Along come Passkeys</h2>
<p>Apple devices using the newest operating system release (iOS 16 or MacOS Ventura) will integrate a new password mechanism called Passkeys. Unfortunately iPad users will need to wait a <a href="https://9to5mac.com/2022/08/23/apple-delay-ipados-16-1-beta-now-available/">little longer</a> for the feature.</p>
<p>It’s worth noting you won’t be <em>forced</em> to use Passkeys, but your Apple device will prompt you with the opportunity to do so. Also, most websites will continue to support password access for people without the latest devices. </p>
<p>You’ll also have the option to use Apple’s secure cloud storage, iCloud, to back up your keys and share them across your Apple devices. </p>
<h2>How do they work?</h2>
<p>The concept behind Passkeys is <a href="https://support.apple.com/en-us/HT213305">relatively simple</a>. Every website you elect to use Passkeys on will securely generate a unique pair of secret codes (referred to as “keys”).</p>
<p>One of these is a public key, stored on the website you’re registered on. The other is a private key stored on your device. Both keys are related, but one can’t be used to get the other.</p>
<p>When you attempt to log in to the website, instead of entering a password, your device will ask you to verify your login using your device’s biometric unlocking mechanism. So you’ll either scan your face or your finger.</p>
<p>This deliberately limits Passkeys’ functionality to devices with biometric support (iPhones have offered Touch ID since 2013 and Face ID since 2017).</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-iphone-turns-15-a-look-at-the-past-and-future-of-one-of-the-21st-centurys-most-influential-devices-183137">The iPhone turns 15: a look at the past (and future) of one of the 21st century's most influential devices</a>
</strong>
</em>
</p>
<hr>
<p>Once your biometrics are verified, your device will use your private key to prove your identity to the website by tackling a complex mathematical “challenge” issued by the site. At no point is your private key sent across the internet to the website.</p>
<p>The response from your device can only be verified by the website, using the public key generated when you registered. And nobody can pretend to be you without your private key, which is safely stored on your device.</p>
<p>If a website is compromised, the public key alone is useless to cybercriminals.</p>
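<p>The registration and login exchange described above, as an added example that is not Apple’s code or part of the original article: a Go simulation with Ed25519 in which a hypothetical website stores only the public key, issues a fresh single-use challenge, and verifies the signed response, while the device keeps the private key and signs only after its (simulated) biometric unlock. The account name is a constructed sample; the program also checks that a replayed response and a forgery made from a stolen public key are both rejected.</p>

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Website side: per account it stores a public key, never a password and
// never the private key, so a breach of this table yields nothing usable.
type Website struct {
	publicKeys map[string]ed25519.PublicKey // account -> registered public key
	pending    map[string][]byte            // account -> outstanding challenge
}

func NewWebsite() *Website {
	return &Website{publicKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Device side: the private key lives only here; "unlocked" stands in for the
// Face ID / Touch ID check that gates every use of it.
type Device struct {
	private  ed25519.PrivateKey
	unlocked bool
}

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{private: priv}, nil
}

// Unlock simulates a successful biometric verification.
func (d *Device) Unlock() { d.unlocked = true }

// Register hands the website only the public half of the pair.
func (d *Device) Register(w *Website, account string) {
	w.publicKeys[account] = d.private.Public().(ed25519.PublicKey)
}

// IssueChallenge sends a fresh random value for the device to sign. It is
// single-use, which is what makes a captured response worthless later.
func (w *Website) IssueChallenge(account string) ([]byte, error) {
	if _, ok := w.publicKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	w.pending[account] = challenge
	return challenge, nil
}

// Answer signs the challenge after the biometric unlock. The signature, not
// the private key, is what travels back across the internet.
func (d *Device) Answer(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: biometric verification required")
	}
	return ed25519.Sign(d.private, challenge), nil
}

// VerifyLogin checks the response with the stored public key and consumes
// the challenge, so the same signature is never accepted twice.
func (w *Website) VerifyLogin(account string, signature []byte) bool {
	challenge, ok := w.pending[account]
	if !ok {
		return false
	}
	delete(w.pending, account)
	pub, ok := w.publicKeys[account]
	return ok && ed25519.Verify(pub, challenge, signature)
}

// ForgeWithPublicKeyOnly models a criminal who stole the website's database:
// with only the public key they can merely send made-up bytes, which fail.
func ForgeWithPublicKeyOnly(w *Website, account string) bool {
	if _, err := w.IssueChallenge(account); err != nil {
		return false
	}
	return w.VerifyLogin(account, bytes.Repeat([]byte{0x41}, ed25519.SignatureSize))
}

func main() {
	w := NewWebsite()
	d, err := NewDevice()
	if err != nil {
		panic(err)
	}
	const account = "alice@example.com" // constructed sample account
	d.Register(w, account)
	challenge, _ := w.IssueChallenge(account)
	d.Unlock()
	sig, _ := d.Answer(challenge)
	fmt.Println("genuine login accepted:", w.VerifyLogin(account, sig))
	fmt.Println("replayed response accepted:", w.VerifyLogin(account, sig))
	fmt.Println("forgery with stolen public key accepted:", ForgeWithPublicKeyOnly(w, account))
}
```

<p>Real passkeys (WebAuthn) sign over more than the raw challenge: the signed data also covers a hash of client data that names the site’s origin, which is what makes them resist phishing sites; this simulation signs only the challenge.</p>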
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A diagram of the four steps involved in passwordless web authentication, which happens between a user's device and the online site or service being accessed." src="https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=296&fit=crop&dpr=1 600w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=296&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=296&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=372&fit=crop&dpr=1 754w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=372&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=372&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Passwordless web authentication uses a combination of two keys, one public and one private.</span>
<span class="attribution"><span class="source">Paul Haskell-Dowland</span></span>
</figcaption>
</figure>
<p>Moreover, while biometric technology <em>can</em> be compromised, this is <a href="https://www.macrumors.com/2019/08/08/face-id-bypassed-glasses-tape/">relatively</a> <a href="https://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid">difficult</a>. To exploit a biometrics/PassKeys combination, a criminal would first need to obtain your device and then do a great job faking your face or fingerprint (or force one from you) – unlikely circumstances for most users.</p>
<h2>Usability barriers</h2>
<p>Passkeys will initially launch on Apple, but others are close behind. Microsoft will likely launch its own equivalent soon, although it may not initially <a href="https://www.fastcompanyme.com/technology/theres-a-big-problem-with-apple-and-googles-plans-to-nix-passwords/">be compatible</a> with Apple’s implementation. This could be an issue for people wanting to use both an iPhone and Windows laptop.</p>
<p>Moving forward, it’s important Apple, Google and Microsoft work together to ensure maximum compatibility across devices. </p>
<p>Until then, there are some workarounds. If you need to access an Apple Passkeys-protected service on your Windows laptop (or any other device), you can scan a QR code with your iPhone and provide your biometric login verification that way.</p>
<figure class="align-center ">
<img alt="QR codes allow for the use of Passkeys on non-supported devices (or when using a friend’s computer)." src="https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=342&fit=crop&dpr=1 600w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=342&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=342&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=430&fit=crop&dpr=1 754w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=430&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=430&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">QR codes will allow for the use of Passkeys on non-supported devices (or when using a friend’s computer).</span>
<span class="attribution"><span class="source">Apple</span></span>
</figcaption>
</figure>
<p>This means users will always need to have their phone on them when they want to authenticate to a remote service – whereas currently they can just type out their password, or use a password manager synced across their devices. </p>
<p>For some users, needing to have their phone all the time could be enough to give Passkeys a pass altogether.</p>
<h2>The long tail of adoption</h2>
<p>The Passkeys approach has the potential to make passwords obsolete, but this will require organisations around the world to invest time, effort and money into it.</p>
<p>Big players like social media companies are well positioned to adopt Passkeys early on, but there will be millions of websites that may take years to do so – or may never.</p>
<p>Indeed, looking at the state of play today, many leading sites still <a href="https://doi.org/10.1016/j.cose.2022.102790">fall short</a> of applying existing good practice around passwords. So it’s hard to say exactly how quickly, and how widely, Passkeys will be implemented.</p>
<hr>
<p><em><strong>Read more: <a href="https://theconversation.com/four-ways-to-make-sure-your-passwords-are-safe-and-easy-to-remember-159164">Four ways to make sure your passwords are safe and easy to remember</a></strong></em></p>
<hr>
<p class="fine-print"><em><span>Steven Furnell is affiliated with the Chartered Institute of Information Security.</span></em></p>
<p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The advice for years has been to use password managers. But even these don’t completely eliminate the risk of being compromised.</p>
<p>Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University; Steven Furnell, Professor of Cyber Security, University of Nottingham. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>How math and language can combine to map the globe and create strong passwords, using the power of 3 random words</h1>
<p>Published 2022-06-16T12:25:19Z</p>
<figure><img src="https://images.theconversation.com/files/466953/original/file-20220603-11-v71qob.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C9000%2C4985&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The math of threes is surprisingly powerful.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/yellow-number-three-glowing-amid-black-number-royalty-free-image/1305168885">MicroStockHub/iStock via Getty Images</a></span></figcaption></figure>
<p>It’s hard to imagine that three random words have the power to both map the globe and keep your private data secure. The secret behind this power is just a little bit of math.</p>
<p><a href="https://what3words.com/">What3words</a> is an app and web-based service that provides a geographic reference for every 3-meter-by-3-meter square on Earth using three random words. If your brain operates more naturally in the English measurement system, 3 meters is about 9.8 feet. So, you could think of them as roughly 10-foot-by-10-foot squares, which is about the size of a small home office or bedroom. For example, there’s a square in the middle of the Rochester Institute of Technology Tigers Turf Field coded to <a href="https://what3words.com/brilliance.bronze.inputs">brilliance.bronze.inputs</a>.</p>
<p>This new approach to geocoding is useful for several reasons. First, it’s <a href="https://tech.eu/2022/05/24/german-media-pool-backs-what3words-with-eur80-million-media-volume-for-geolocation-solution/">more precise</a> than regular street addresses. Also, three words are easier for humans to remember and communicate to one another than, say, detailed latitude and longitude measurements. This makes the system well suited for <a href="https://www.financialexpress.com/healthcare/healthtech/medulance-uses-life-saving-addressing-technology-what3words-to-reduce-incident-response-times/2532131/">emergency services</a>. Seeing these advantages, some car manufacturers are starting to <a href="https://www.zdnet.com/article/subaru-is-latest-car-maker-to-use-what3words-for-in-car-navigation/">integrate what3words into their navigation systems</a>. </p>
<h2>Ordered triples</h2>
<p>Here’s how three random words in English or any other language can identify such precise locations across the whole planet. The key concept is ordered triples. </p>
<p>Start with the basic assumption that the Earth is a sphere, recognizing that this is an <a href="https://oceanservice.noaa.gov/facts/earth-round.html">approximate truth</a>, and that its radius is <a href="https://sciencing.com/radius-earth-5895686.html">approximately 3,959 miles</a> (6,371 kilometers). To compute the <a href="https://youtu.be/GNcFjFmqEc8">surface area of the Earth</a>, use the formula 4πr<sup>2</sup>. With r = 3,959 (6,371), this works out to approximately 197 million square miles (510 million square kilometers). Remember: What3words is using 3-meter-by-3-meter squares, each of which contains 9 square meters of surface area. So, working in the metric system, Earth’s surface area is equivalent to 510 trillion square meters. Dividing 9 into 510 trillion reveals that uniquely identifying each square requires around 57 trillion ordered triples of three random words. </p>
<p>An ordered triple is just a list of three things in which the order matters. So “brilliance.bronze.inputs” would be considered a different ordered triple than “bronze.brilliance.inputs”. In fact, in the what3words system, <a href="https://what3words.com/bronze.brilliance.inputs">bronze.brilliance.inputs</a> is on a mountain in Alaska, not in the middle of the RIT Tigers Turf Field, like <a href="https://what3words.com/brilliance.bronze.inputs">brilliance.bronze.inputs</a>.</p>
<p>The next step is figuring out how many words there are in a language, and whether there are enough ordered triples to map the globe. Some scholars <a href="https://englishlive.ef.com/blog/language-lab/many-words-english-language/">estimate there are more than a million English words</a>; however, many of them are very uncommon. But even using only common English words, there are still plenty to go around. You can find many <a href="http://www.mieliestronk.com/wordlist.html">word lists</a> online. </p>
<p>The developers at what3words came up with a list of 40,000 English words. (The what3words system works in <a href="https://50-languages.what3words.com">50 different languages</a> with independently assigned words.) The next question is determining how many ordered triples of three random words can be made from a list of 40,000 words. If you allow repeats, as what3words does, there would be 40,000 possibilities for the first word, 40,000 possibilities for the second word, and 40,000 possibilities for the third word. The number of possible ordered triples would then be 40,000 times 40,000 times 40,000, which is 64 trillion. That provides plenty of “three random word” triples to cover the globe. The excess combinations also allow what3words to eliminate offensive words and words that would be easily confused for one another. </p>
<h2>Passwords you can actually remember</h2>
<p>While the power of three random words is being used to map the Earth, the <a href="https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words">U.K. National Cyber Security Centre (NCSC)</a> is also advocating their use as passwords. Password selection and related security analysis are more complicated than attaching three words to small squares of the globe. But a similar calculation is illuminating. If you string together an ordered triple of words – such as brilliancebronzeinputs – you get a nice long password that a human should be able to remember far more easily than a random string of letters, numbers and special characters designed to meet a set of <a href="https://pages.nist.gov/800-63-3/sp800-63b.html#appA">complexity rules</a>.</p>
<p>If you increase your word list beyond 40,000, you’ll get even more possible passwords. Using the “<a href="http://www.mieliestronk.com/wordlist.html">Corncob list</a>” of 58,000 English words, you could generate more than 195 trillion “three random word”-style passwords. </p>
<p>It’s important to note that there are a <a href="https://www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words">fair number of trade-offs</a> among the different approaches to <a href="https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0">password selection and complexity rules</a>. So, while “three random words” doesn’t give you a fail-safe for password security, the complexity of language does provide some amazing power in this realm as well.</p>
<p class="fine-print"><em><span>Mary Lynn Reed currently serves on the Board of Trustees for the Institute for Defense Analyses (IDA). IDA is a nonprofit corporation that operates three Federally Funded Research and Development Centers in the public interest. Dr. Reed previously served as a Defense Intelligence Senior Leader and the Chief of Mathematics Research at the National Security Agency.</span></em></p>
<p>A mathematician explains how language can keep your online accounts safe and pinpoint your location on the planet.</p>
<p>Mary Lynn Reed, Professor of Mathematics, Rochester Institute of Technology. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>How do keys open locks?</h1>
<p>Published 2022-04-25T12:13:15Z</p>
<figure><img src="https://images.theconversation.com/files/456980/original/file-20220407-14-jtyn21.jpg?ixlib=rb-1.1.0&rect=9%2C36%2C6029%2C3965&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The depths of the valleys on a key act like a code that must match the lock.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/close-up-of-key-in-lock-royalty-free-image/139625036">Robin Smith/The Image Bank via Getty Images</a></span></figcaption></figure>
<figure class="align-left ">
<img alt="" src="https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=293&fit=crop&dpr=1 600w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=293&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=293&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=368&fit=crop&dpr=1 754w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=368&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=368&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
</figcaption>
</figure>
<p><em><a href="https://theconversation.com/us/topics/curious-kids-us-74795">Curious Kids</a> is a series for children of all ages. If you have a question you’d like an expert to answer, send it to <a href="mailto:curiouskidsus@theconversation.com">curiouskidsus@theconversation.com</a>.</em></p>
<hr>
<blockquote>
<p><strong>How are keys made, and how do they open locks? – Noli, age 12, Wisconsin</strong></p>
</blockquote>
<hr>
<p>Have you ever wondered how keys work? <a href="https://scholar.google.com/citations?user=s2Jfd_EAAAAJ&hl=en">I</a> teach a course in computer security where we learn how locks function – and also how they can be broken or bypassed. We do this because locks teach important principles about security in general.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A ruler is next to a key. Red arrows show how the key's indentations are evenly spaced." src="https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=447&fit=crop&dpr=1 600w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=447&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=447&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=562&fit=crop&dpr=1 754w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=562&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=562&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The spacing of the valleys is key.</span>
<span class="attribution"><span class="source">Scott Craver</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>If you look closely at a key, you’ll see its top edge has a bunch of V-shaped valleys. If you inspect the key more closely, perhaps with a ruler, you’ll notice the bottoms of these valleys are equally spaced. The depth of the valleys encodes a sequence that is accepted by the lock, with each valley contributing one value to the combination. </p>
<p>Inside the lock is a cylinder – the part that moves when you stick your key in and turn it. The key can turn only if all its valleys are the right depth for your particular lock.</p>
<p>But how does your lock detect whether your key’s valleys have the right sequence of depths?</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A lock with its inner-workings exposed. Labeled are the shafts, pins and cylinder." src="https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=357&fit=crop&dpr=1 600w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=357&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=357&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=449&fit=crop&dpr=1 754w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=449&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=449&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A peek at the parts inside a lock.</span>
<span class="attribution"><span class="source">Scott Craver</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>Inside the lock are vertical shafts, one over each valley of the key. In each shaft is a pair of metal pins that can freely slide up and down. Depending on where the pins are, they can block the cylinder from turning and <a href="https://www.youtube.com/watch?v=smIdInCQ-kU">prevent the lock from opening</a>. This happens whenever a pin is partially sticking into or out of the cylinder.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Side by side photos showing the inside of a lock. The left image shows pins that are too high and too low. The right image shows the pins aligned." src="https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=201&fit=crop&dpr=1 600w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=201&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=201&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=252&fit=crop&dpr=1 754w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=252&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=252&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">For a lock to open, all the pins must be aligned.</span>
<span class="attribution"><span class="source">Scott Craver</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>When you stick a key in the lock, the pins fall into the valleys. If a valley is too high, it causes a pin to stick out and jam the cylinder. If a valley is too low, the pin sinks too low and the pin above it will sink into the cylinder and jam it. However, if the right key is inserted with the valleys at just the right depths, none of the pins get in the way. </p>
<p>Keys are made by <a href="https://www.youtube.com/shorts/bGIWwMQb4yk">placing a blank key into a grinding machine</a> that is programmed to carve out the exact valleys that are needed. A locksmith can also change a lock by removing its pins and fitting it with new ones to match a chosen key. </p>
<p>In computer security, we say that security relies on “something you know, something you have or something you are.” A password is an example of something you know. A key is an example of something you have. A fingerprint would be an example of something you are. But as you can see, a key is also very much like a password, except it is encoded by grinding a piece of metal. </p>
<p>For this reason, you shouldn’t ever post a picture of your house key on the internet. That would be like posting a picture of a credit card or a password – someone could use the photo to duplicate the key. </p>
<p>It is also possible to unlock or <a href="https://home.howstuffworks.com/home-improvement/household-safety/lock-picking1.htm">“pick” locks without a key</a>. By sliding a thin piece of metal into the cylinder and gently pushing the pins to the correct height one by one, locks can be opened. However, it takes a great deal of skill and practice to do this. </p>
<p>What does this teach us about security? First, we must make keys secret by making a very large number of possible keys, so that the right one is hard to guess or build. It’s the same for passwords. Second, it’s important to engineer a lock or computer program that requires every bit of the key or password to be exactly correct. </p>
<p>It’s important to study the inner workings of locks and computer programs to understand how their design might allow someone to break them.</p>
<hr>
<p><em>Hello, curious kids! Do you have a question you’d like an expert to answer? Ask an adult to send your question to <a href="mailto:curiouskidsus@theconversation.com">CuriousKidsUS@theconversation.com</a>. Please tell us your name, age and the city where you live.</em></p>
<p><em>And since curiosity has no age limit – adults, let us know what you’re wondering, too. We won’t be able to answer every question, but we will do our best.</em></p>
<p class="fine-print"><em><span>Scott Craver does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>A computer security expert explains how keys work – and how they are like passwords.</p>
<p>Scott Craver, Associate Professor of Electrical and Computer Engineering, Binghamton University, State University of New York. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Ukraine conflict brings cybersecurity risks to US homes, businesses</h1>
<p>Published 2022-02-24T19:12:22Z</p>
<figure><img src="https://images.theconversation.com/files/448417/original/file-20220224-19-v7gniv.jpg?ixlib=rb-1.1.0&rect=46%2C0%2C5150%2C3423&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Regular Americans could find themselves targets of Russian cyberwarfare.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/mixed-race-soldier-using-laptop-and-cell-phone-on-royalty-free-image/565972683">Roberto Westbrook via Getty Images</a></span></figcaption></figure>
<p>All cybersecurity is local, regardless of the world situation. That means it’s personal, too – in Americans’ homes, computers and online accounts. As violence spreads thousands of miles away from the U.S., my strong recommendation is that all Americans remain vigilant and <a href="https://www.cisa.gov/uscert/ncas/tips">check on</a> their <a href="https://www.cisa.gov/uscert/ncas/tips/ST15-002">own cybersecurity</a>. </p>
<p>While organizations reinforce their cybersecurity posture during this period of geopolitical tension, I also suggest people regularly ensure their computer, mobile devices and software are updated, double-check that all <a href="https://theconversation.com/using-truly-secure-passwords-6-essential-reads-84092">passwords are secure</a> and all key accounts are protected by <a href="https://theconversation.com/the-age-of-hacking-brings-a-return-to-the-physical-key-73094">two-factor authentication</a>. Beware that <a href="https://www.npr.org/2021/05/29/1001536904/what-we-know-about-the-russian-phishing-hack">phishing attacks</a> may increase, seeking to <a href="https://theconversation.com/you-know-how-to-identify-phishing-emails-a-cybersecurity-researcher-explains-how-to-trust-your-instincts-to-foil-the-attacks-169804">trick people into clicking links</a> that grant attackers access to computer systems. These are a few simple steps that can help increase one’s cybersecurity preparedness both now and for the future.</p>
<p>Recent Russian-linked cyberattacks, including against <a href="https://www.energy.gov/ceser/colonial-pipeline-cyber-incident">energy pipelines</a>, <a href="https://www.rpc.senate.gov/policy-papers/the-solarwinds-cyberattack">federal government services</a>, and attacks on <a href="https://theconversation.com/hackers-seek-ransoms-from-baltimore-and-communities-across-the-us-118089">local governments</a>, <a href="https://www.nbcnews.com/news/us-news/hackers-have-taken-down-dozens-911-centers-why-it-so-n862206">first responders</a>, <a href="https://theconversation.com/defending-hospitals-against-life-threatening-cyberattacks-93052">hospitals</a> and private corporations, show the potential for Russian cyber warriors to put U.S. civilians at risk. All these entities should be more vigilant over the coming days.</p>
<p>In the days before Russia invaded Ukraine, a series of <a href="https://www.pbs.org/newshour/world/cyberattacks-take-down-ukrainian-government-and-bank-websites">cyberattacks disrupted Ukrainian government and business websites</a> – despite Ukraine’s <a href="https://www.npr.org/2022/01/29/1076699748/ukraine-russian-attack-preparation">cyberdefense teams’ being prepared</a> to defend against them. </p>
<p>With many Americans working from home because of the pandemic, the U.S. is more vulnerable than it might have been otherwise: Home networks and computers are <a href="https://www.cisa.gov/uscert/ncas/tips/ST15-002">often less protected</a> than those at an office – which makes them enticing targets.</p>
<p>Russian cyber capabilities, and <a href="https://www.msn.com/en-us/news/world/putin-lashes-out-with-ominous-threat-to-ukrainians-and-other-countries/ar-AAUf6ay">threats from Russian President Vladimir Putin</a>, mean that what might look like random technical glitches on personal computers, websites and home networks may not be accidental. They could be precursors to – or actual parts of – a larger cyberattack. Therefore, ongoing vigilance is more crucial than ever.</p>
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career, and sits on the advisory board of BlindHash, a cybersecurity startup focusing on remedying the password problem.</span></em></p>
<p>Russia’s cyberattack capabilities can be applied to US targets, including regular Americans’ homes and businesses.</p>
<p>Richard Forno, Principal Lecturer, Cybersecurity and Assistant Director, UMBC Cybersecurity Center, University of Maryland, Baltimore County. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Stop blaming people for choosing bad passwords – it’s time websites did more to help</h1>
<p>Published 2022-01-03T10:33:37Z</p>
<figure><img src="https://images.theconversation.com/files/437289/original/file-20211213-27-gnk86t.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C6196%2C4118&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/portrait-young-african-business-man-sitting-1407153674">Damir Khabirov/Shutterstock</a></span></figcaption></figure>
<p>Year after year, passwords like “123456”, “qwerty” and even “password” are found to be <a href="https://nordpass.com/most-common-passwords-list/">the most popular</a> choices and 2021 was no exception.</p>
<p>These reports generally come with the same advice to users: create better passwords to protect your security online. Although this may well be true, it’s also time to realise that years of promoting this message have had little or no effect. </p>
<p>To improve things, I believe we need to stop blaming people and instead put the onus on websites and services to encourage and enforce better “cyber hygiene”.</p>
<hr>
<p><em><strong>Read more: <a href="https://theconversation.com/most-common-passwords-of-2021-heres-what-to-do-if-yours-makes-the-list-171985">Most common passwords of 2021: here's what to do if yours makes the list</a></strong></em></p>
<hr>
<p>Of course, it’s easy to point the finger at the users – they’re ultimately the ones making the poor password choices. But at the same time, it’s now <a href="https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security">well known</a> that people commonly make these choices. So it’s fair to assume that without guidance or restrictions to prevent weak passwords, they’re likely to continue with the same habits. </p>
<p>Yet we have successive generations of users who are not told what a good password looks like, nor prevented from making lazy choices. It’s not hard to find examples of websites that will accept the very worst passwords without complaint. It’s similarly easy to find sites that require users to create passwords – yet give them no guidance in doing so. Or sites that will offer feedback that a user’s password choice is weak, but allow it anyway. </p>
<h2>How providers can do better</h2>
<p>If you’re responsible for running a website or a service that will accept the likes of “123456”, “qwerty” or “password”, it’s time to rethink your system. If you let users get away with bad choices, they will believe that they are acceptable and continue this bad practice. </p>
<p>Instead, by implementing stronger checks, you can help to address the problem at its source. Websites should have processes in place to filter out poor passwords – screening each new password against a “blocklist” (formerly called a “blacklist”) of common choices and of passwords already exposed in data breaches.</p>
<p>And while it can be useful to offer guidance for users at the point of password creation, sites should stop insisting on things that authoritative organisations like the <a href="https://www.ncsc.gov.uk/collection/passwords/updating-your-approach">UK National Cyber Security Centre</a> and the <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">US National Institute of Standards and Technology</a> now say ought not to be enforced. For example, they advise against the requirement for password complexity (like including upper and lower case letters, numbers and punctuation symbols). </p>
<p>Both organisations indicate that increasing password length is more important than complexity. This is because longer passwords are more resistant to <a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking">brute force cracking</a> (where attackers try all letter, number and symbol combinations to find a match) and less complex passwords can be easier to remember.</p>
<p>Yet many sites continue to demand complexity and impose upper limits on length, in the process often blocking perfectly reasonable password choices that our browsers and other tools can automatically generate for us.</p>
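<p>The following is an added example, not code from the original article or from any of the organisations it cites. It shows what a provider-side password check looks like when it follows the NCSC and NIST guidance above: a minimum length and a generous maximum, no composition rule at all, and instead a screen against a list of commonly used passwords and a breached-password lookup. The common-password list and the breach index are constructed inline for illustration; the <code>range_query</code> function stands in for the kind of k-anonymity range API (5-character SHA-1 prefix out, matching suffixes back) that a real deployment would call over the network, and is an assumption of this example rather than anything the article describes.</p>

```python
import hashlib
import unicodedata

MIN_LENGTH = 8      # NIST SP 800-63B: at least 8 characters for user-chosen passwords
MAX_LENGTH = 128    # NIST says permit at least 64; cap generously, never tightly

# Constructed sample of a "commonly used" list. A real deployment would load a
# large corpus (the annual most-common-password lists cited on this page are a start).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "111111",
    "iloveyou", "liverpool", "letmein", "sunshine",
}

# Constructed stand-in for a breach corpus, indexed the way a k-anonymity
# "range" API is: SHA-1 prefix -> set of hash suffixes seen in breaches.
# Only the 5-character prefix of a candidate's hash would ever leave the server.
_BREACHED_PLAINTEXTS = ["summer2021", "Monkey123!", "trustno1"]
BREACH_INDEX = {}
for _pw in _BREACHED_PLAINTEXTS:
    _digest = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_query(prefix: str) -> set:
    """Simulated range lookup (hypothetical): given a 5-hex-char SHA-1 prefix,
    return every known breached suffix under it. A real check would call a
    remote service here and receive the same shape of answer."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def check_password(password: str, username: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately contains no upper/lower/digit/symbol composition rule."""
    pw = unicodedata.normalize("NFKC", password)   # consistent Unicode comparison
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    lowered = pw.lower()
    # Strip the digits and symbols people bolt onto a dictionary word ("Password1!")
    # so the screen catches the underlying common word, not just the exact string.
    core = lowered.rstrip("0123456789!@#$%^&*.-_")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("commonly used")
    if username and username.lower() in lowered:
        reasons.append("contains username")
    if is_breached(pw):
        reasons.append("appears in a breach")
    return reasons


def is_acceptable(password: str, username: str = "") -> bool:
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "summer2021", "wincing giraffe sandwich lamp"]:
        print(f"{candidate!r}: {check_password(candidate, 'alice') or 'accepted'}")
```

<p>Note that “Password1!” satisfies every classic complexity rule and is still rejected, while a long lower-case phrase with no digits or symbols passes: that is exactly the shift in emphasis the two guidance documents describe.</p>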
<figure class="align-center ">
<img alt="A young woman lying on a couch using a smartphone." src="https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Weak passwords leave many people vulnerable to hackers.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/woman-lying-on-sofa-using-smartphone-1297435480">Undrey/Shutterstock</a></span>
</figcaption>
</figure>
<p>You may wonder why this is important. If people want to choose weak passwords and put themselves at risk, then why should that become the provider’s problem? One argument is that if a service is charged with protecting users’ personal data (as providers are through <a href="https://gdpr-info.eu/">GDPR</a>) then it doesn’t make a lot of sense to allow users to leave themselves vulnerable by choosing weak passwords.</p>
<p>It’s also worth noting that in some cases one user’s weak password could give an attacker <a href="https://comtact.co.uk/penetration-tester-tales-password-are-a-security-weak-spot/">a foothold into the system</a> from which to exploit other weaknesses and increase their access. So it’s arguably in the provider’s interest to minimise these opportunities and protect other people’s data in the process.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/four-ways-to-make-sure-your-passwords-are-safe-and-easy-to-remember-159164">Four ways to make sure your passwords are safe and easy to remember</a>
</strong>
</em>
</p>
<hr>
<h2>Passwords aren’t going anywhere</h2>
<p>We’re now seeing a move towards <a href="https://www.microsoft.com/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/">passwordless authentication</a>, but this name in itself emphasises the dominance of password-based methods. Their <a href="https://www.cnet.com/news/gates-predicts-death-of-the-password/">death was predicted</a> more than 15 years ago, and yet they’re still here. It’s safe to assume they’re going to be with us for some time yet. </p>
<p>So we have a choice: take collective responsibility to get the basics right – which involves action by users and providers – or maintain the collective effort to shrug our shoulders and complain about users’ behaviour.</p>
<p>For those providing and operating password-based systems, sites and services, the call to action is hopefully clear: check what your site permits and see if it should do better. If it lets weak passwords pass, then either change this, or at a minimum do something that tries to deter users from choosing them.</p>
<p>If you are reading this as a user and you’re looking for some good advice on creating better passwords, the UK National Cyber Security Centre provides some <a href="https://www.ncsc.gov.uk/cyberaware/home">useful tips</a>. These include combining three random words to give yourself longer but more memorable passwords, and saving your passwords securely in your browser to further reduce the burden of remembering passwords across multiple sites. So even if providers are not doing enough, there are still some things you can do to protect yourself.</p>
<p class="fine-print"><em><span>Steven Furnell is affiliated with the Chartered Institute of Information Security.</span></em></p>It’s time to think differently about how we address the password problem.Steven Furnell, Professor of Cyber Security, University of NottinghamLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1725982022-01-02T18:46:27Z2022-01-02T18:46:27ZThis New Year, why not resolve to ditch your dodgy old passwords?<figure><img src="https://images.theconversation.com/files/437494/original/file-20211214-17-eck9dj.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C4937%2C3316&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Elise Amendola/AP</span></span></figcaption></figure><p>Most of the classic New Year resolutions revolve around improving your health and lifestyle. But this year, why not consider cleaning up your passwords too?</p>
<p>We all know the habits to avoid, yet so many of us do them anyway: using predictable passwords, never changing them, or writing them on sticky notes on our monitor. We routinely ignore the <a href="https://theconversation.com/choose-better-passwords-with-the-help-of-science-82361">recommendations for good passwords</a> in the name of convenience.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/0SkdP36wiAU?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">What’s wrong with your pa$$w0rd?</span></figcaption>
</figure>
<p>Choosing short passwords containing common names or words is likely to lead to trouble. Hackers can often guess a person’s passwords simply by using a computer to work through a long list of commonly used words.</p>
<p>The <a href="https://nordpass.com/most-common-passwords-list/">most popular choices</a> have changed very little over time, and include numerical combinations such as “123456” (the most common password for five years in a row), “love”, keyboard patterns such as “qwerty” and, perhaps most ludicrously, “password” (or its Portuguese translation, “senha”). </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=210&fit=crop&dpr=1 600w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=210&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=210&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=264&fit=crop&dpr=1 754w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=264&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=264&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">2017-2019* list of common passwords from SplashData, 2020-2021# from NordPass.</span>
</figcaption>
</figure>
<p>Experts have long advised against using words, places or names in passwords. You can strengthen this type of password somewhat by jumbling the components into sequences with a mixture of upper- and lowercase characters, but only if you do it thoroughly: the obvious substitutions are well known to attackers and are built into their guessing tools.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418">A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?</a>
</strong>
</em>
</p>
<hr>
<p>Complex rules often lead users to choose a word or phrase and then substitute letters with numbers and symbols (such as “Pa33w9rd!”), or add digits to a familiar password (“password12”). But so many people do this that these techniques don’t actually make passwords stronger. </p>
<p>It’s better to start with a word or two that isn’t so common, and make sure you mix things up with symbols and special characters in the middle. For example, “wincing giraffe” could be adapted to “W1nc1ng_!G1raff3”</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/choose-better-passwords-with-the-help-of-science-82361">Choose better passwords with the help of science</a>
</strong>
</em>
</p>
<hr>
<p>These secure passwords can be harder to remember, to the extent you might end up having to write them down. That’s OK, as long as you keep the note somewhere secure (and definitely not stuck to your monitor).</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=348&fit=crop&dpr=1 600w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=348&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=348&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=437&fit=crop&dpr=1 754w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=437&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=437&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Passwords on a sticky note are still a bad idea in the workplace.</span>
</figcaption>
</figure>
<p>Reusing passwords is another common error – and one of the biggest. Past data leaks, such as that suffered by <a href="https://www.ncsc.gov.uk/blog-post/linkedin-2012-hack-what-you-need-know">LinkedIn in 2012</a>, mean billions of old passwords are now circulating among cyber criminals. </p>
<p>This has given rise to a practice called “<a href="https://www.wired.com/story/what-is-credential-stuffing/">credential stuffing</a>” – taking a leaked password from one source and trying it on other sites. If you’re still using the same old password for multiple email, social media or financial accounts, you’re at risk of being compromised.</p>
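<p>From the provider’s side, credential stuffing has a recognisable signature in the authentication log: one source trying many different usernames in quick succession, most of them failing, with the occasional success where the reused password happened to match. The following is an added example, not code from the original article; it runs a simple sliding-window detector over a constructed sample log (the log format, field names, addresses and thresholds are all assumptions of this example). It also reports which accounts the source did get into, since those are the ones that need an immediate password reset.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format for this example: "<iso-timestamp> ip=<addr> user=<name> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>ok|fail)$"
)

# Constructed sample: 198.51.100.9 sprays a reused password across many accounts
# (credential stuffing), 203.0.113.5 hammers one account (classic brute force),
# and 192.0.2.44 is a legitimate user who mistypes once.
SAMPLE_LOG = """\
2024-01-18T03:00:01Z ip=198.51.100.9 user=alice result=fail
2024-01-18T03:00:02Z ip=198.51.100.9 user=bob result=fail
2024-01-18T03:00:02Z ip=198.51.100.9 user=carol result=fail
2024-01-18T03:00:03Z ip=198.51.100.9 user=dave result=ok
2024-01-18T03:00:03Z ip=198.51.100.9 user=erin result=fail
2024-01-18T03:00:04Z ip=198.51.100.9 user=frank result=fail
2024-01-18T03:00:04Z ip=198.51.100.9 user=grace result=fail
2024-01-18T03:00:05Z ip=198.51.100.9 user=heidi result=fail
2024-01-18T03:01:10Z ip=203.0.113.5 user=carol result=fail
2024-01-18T03:01:11Z ip=203.0.113.5 user=carol result=fail
2024-01-18T03:01:12Z ip=203.0.113.5 user=carol result=fail
2024-01-18T03:01:13Z ip=203.0.113.5 user=carol result=fail
2024-01-18T03:01:14Z ip=203.0.113.5 user=carol result=fail
2024-01-18T03:02:30Z ip=192.0.2.44 user=dave result=fail
2024-01-18T03:02:41Z ip=192.0.2.44 user=dave result=ok
"""


def parse_log(text: str) -> list:
    """Turn log text into (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6) -> dict:
    """Flag source IPs that, within any window, attempted at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.
    Returns {ip: stats}, including the accounts the source successfully entered."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    "succeeded_for": sorted({e[2] for e in span if e[3]}),
                }
    return findings


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

<p>The single-account brute force from 203.0.113.5 is deliberately not flagged by this rule: it has one distinct username, so it needs a separate per-account lockout or rate limit. Keeping the two patterns apart matters because the responses differ: stuffing calls for resetting the accounts that were entered and blocking the source, while an attack on one account calls for protecting that account.</p>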
<h2>Pro tip: use a password manager</h2>
<p>The simplest and most effective route to good password hygiene is to use a <a href="https://www.choice.com.au/electronics-and-technology/internet/internet-privacy-and-safety/buying-guides/password-managers">password manager</a>. This lets you use unique strong passwords for all your various logins, without having to remember them yourself.</p>
<p>Password managers allow you to store all of your passwords in one place and to “lock” them away with a strong level of protection. This can be a single (strong) password, but can also include face or fingerprint recognition, depending on the device you are using. Although there is some risk associated with storing your passwords in one place, experts consider this much less risky than using the same password for multiple accounts.</p>
<p>The password manager can automatically create strong, randomised passwords for each different service you use. This means your LinkedIn, Gmail and eBay accounts can no longer be accessed by someone who happens to guess the name of your childhood pet dog. </p>
<p>If one password is leaked, you only have to change that one – none of the others are compromised.</p>
<p>There are <a href="https://en.wikipedia.org/wiki/List_of_password_managers">many password managers</a> to choose from. Some are free (such as KeePass) or “freemium” (offering the option to upgrade for more functionality, like NordPass), while others charge a one-off fee or recurring subscription (such as 1Password). Most allow you to securely sync your passwords across all your devices, and some let you safely share passwords between family members or work groups.</p>
<p>You can also use the password managers built into most web browsers or operating systems (with many phones offering this functionality in the browser or natively). These tend to have fewer features and may pose compatibility issues if you want to access your passwords from different browsers or platforms.</p>
<p>Password managers take a bit of getting used to, but don’t be too daunted. When creating a new account on a website, you let the password manager create a unique (complex) password and store it straight away – there’s no need to think of one yourself!</p>
<p>Later, when you want to access that account again, the password manager fills it in automatically. This is either through direct integration with the browser (typically on computers) or through a separate application on your mobile device. Most password managers will automatically “lock” after a period of time, prompting for the master password (or face/finger verification) before allowing access again.</p>
<h2>Protect your most important passwords</h2>
<p>If you don’t like the sound of a password manager, at the very least change your “critical” account passwords so each one is strong and unique. Financial services, email accounts, government services, and work systems should each have a separate, strong password. </p>
<p>Even if you write them down in a book (kept safely locked away) you will significantly reduce your risk in the event of a data breach on any of those platforms.</p>
<p>Remember, however, that some sites provide delegated access to others. Many e-commerce websites, for example, give you the option of logging in with your Facebook, Google or Apple account. This doesn’t expose that password to greater risk, because the password itself is never shared with the e-commerce site. But it does make that one account a single point of failure: if its password is compromised, the attacker can use it to reach every site you have delegated to it. It is usually best to create unique accounts – and use your password manager to keep them safe.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/facebook-hack-reveals-the-perils-of-using-a-single-account-to-log-in-to-other-services-104227">Facebook hack reveals the perils of using a single account to log in to other services</a>
</strong>
</em>
</p>
<hr>
<p>Adopting a better approach to passwords is a simple way to reduce your cyber-security risks. Ideally that means using a password manager, but if you’re not quite ready for that yet, at least make 2022 the year you ditch the sticky notes and pets’ names.</p>
<p class="fine-print"><em><span>Lorrie Cranor receives funding from Bosch, Carnegie Corporation of New York, Carnegie Mellon CyLab, DARPA, DuckDuckGo, Facebook, an endowed professorship established by the founders of FORE Systems, Google, Highmark Health, Innovators Network Foundation, NSA, and NSF. She is affiliated with the Computing Research Association, the Future of Privacy Forum, the Aspen Institute Cybersecurity Group, the Center for Cybersecurity Policy and Law, and the Consumer Reports Digital Lab Advisory Council.</span></em></p><p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Start 2022 by improving your password hygiene. Ideally you can use a password manager, but at the very least make sure your financial, social and work accounts each has their own strong, unique login.Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan UniversityLorrie Cranor, Professor of Computer Science and of Engineering & Public Policy, Carnegie Mellon UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1722032021-11-29T13:34:11Z2021-11-29T13:34:11ZHow vulnerable is your personal information? 
4 essential reads<figure><img src="https://images.theconversation.com/files/433600/original/file-20211124-18-1bwu0dl.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C2000%2C1128&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Chances are some of your data has already been stolen, but that doesn't mean you should shrug data breaches off.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/illustration/dark-red-bg-with-data-breach-glitch-effect-royalty-free-illustration/1159096315">WhataWin/iStock via Getty Images</a></span></figcaption></figure><p>When you enter your personal information or credit card number into a website, do you have a moment of hesitation? A nagging sense of vulnerability prompted by the parade of headlines about data breaches and hacks? If so, you probably push those feelings aside and hit the submit button, because, well, you need to shop, apply for that job, file that insurance claim, apply for that loan, or do any of the other sensitive activities that take place online these days.</p>
<p>First, the bad news. If you regularly enter sensitive information online, chances are you’ve had some data stolen somewhere at some point. By one estimate, the average American <a href="https://www.techrepublic.com/article/average-us-citizen-had-personal-information-stolen-at-least-4-times-in-2019/">had data stolen at least four times</a> in 2019. And the hits keep coming. For instance, a data breach at the wireless carrier T-Mobile reported in August 2021 <a href="https://www.vice.com/en/article/akg8wg/tmobile-investigating-customer-data-breach-100-million">affected 100 million people</a>. </p>
<p>Now for some good news. Not all hacks are the same, and there are steps you can take to protect yourself. The Conversation gathered four articles from our archives that illuminate the types of threats to your online data, what data thieves do with your stolen information, and what you can do about it.</p>
<h2>1. Take stock of your risk</h2>
<p>Not all cyberattacks are the same, and not all personal data is the same. Was an organization that has your information the victim of a ransomware attack? Chances are your information won’t be stolen, though the organization’s copy of it could be rendered unusable. </p>
<p>If an organization you deal with did have customer data stolen, what data of yours did the thieves get? <a href="https://theconversation.com/profiles/merrill-warkentin-570030">Merrill Warkentin</a>, a professor of information systems at Mississippi State University, writes that you should ask yourself some questions to <a href="https://theconversation.com/ransomware-data-breach-cyberattack-what-do-they-have-to-do-with-your-personal-information-and-how-worried-should-you-be-162404">assess your risk</a>. If the stolen data was your purchase history, maybe that won’t be used to hurt you. But if it was your credit card number, that’s a different story.</p>
<p>Data breaches are a good opportunity “to change your passwords, especially at banks, brokerages and any site that retains your credit card number,” he wrote. In addition to using unique passwords and two-factor authentication, “you should also consider closing old unused accounts so that the information associated with them is no longer available.” </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/ransomware-data-breach-cyberattack-what-do-they-have-to-do-with-your-personal-information-and-how-worried-should-you-be-162404">Ransomware, data breach, cyberattack: What do they have to do with your personal information, and how worried should you be?</a>
</strong>
</em>
</p>
<hr>
<h2>2. The market for your stolen data</h2>
<p>Most data breaches are financial crimes, but the hackers generally don’t use the stolen data themselves. Instead, they sell it on the black market, usually via <a href="https://qz.com/260716/these-are-the-websites-where-hackers-flip-stolen-credit-card-data-after-an-attack/">websites on the dark web</a>, for other criminals and scammers to use.</p>
<p>This black market is awash in personal data, so much so that your information is probably worth a lot less than you would guess. For example, stolen PayPal account information <a href="https://www.privacyaffairs.com/dark-web-price-index-2021/">goes for $30</a>. </p>
<p>Buyers <a href="https://theconversation.com/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it-158934">use stolen data in several ways</a>, writes <a href="https://theconversation.com/profiles/ravi-sen-1224935">Ravi Sen</a>, an associate professor of information and operations management at Texas A&M University. Common uses are stealing your money or identity. “Credit card numbers and security codes can be used to create clone cards for making fraudulent transactions,” he writes. “Social Security numbers, home addresses, full names, dates of birth and other personally identifiable information can be used in identity theft.”</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it-158934">Here’s how much your personal information is worth to cybercriminals – and what they do with it</a>
</strong>
</em>
</p>
<hr>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/jYOhtd-87n8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The T-Mobile breach revealed in August 2021 exemplifies the challenges consumers face when hackers steal their information from large corporations.</span></figcaption>
</figure>
<h2>3. How to prepare for the inevitable</h2>
<p>With all this bad news, it’s tempting to throw up your hands and assume there’s nothing you can do. <a href="https://theconversation.com/profiles/w-david-salisbury-664918">W. David Salisbury</a>, a professor of cybersecurity management, and <a href="https://theconversation.com/profiles/rusty-baldwin-664994">Rusty Baldwin</a>, a research professor of computer science at the University of Dayton, write that there are <a href="https://theconversation.com/data-breaches-are-inevitable-heres-how-to-protect-yourself-anyway-109763">steps you can take to protect yourself</a>.</p>
<p>“Think defensively about how you can protect yourself from an almost inevitable attack, rather than assuming you’ll avoid harm,” they write. The key is focusing on the information that’s most important to protect. Uppermost are your passwords, particularly for banking and government services. Use different passwords for different sites, and use long – though not necessarily complicated – passwords, they write.</p>
<p>The most effective way to protect your data is to add another layer of security via multifactor authentication. And rather than rely on websites to text or email you authentication codes, which can be intercepted or hijacked, you should use an authenticator app or a USB security key that uses <a href="https://ssd.eff.org/en/module/deep-dive-end-end-encryption-how-do-public-key-encryption-systems-work">public-key cryptography</a>, they write.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/data-breaches-are-inevitable-heres-how-to-protect-yourself-anyway-109763">Data breaches are inevitable – here's how to protect yourself anyway</a>
</strong>
</em>
</p>
<hr>
<h2>4. Don’t make it easy for the thieves</h2>
<p>The risk to your personal information isn’t just having it stolen from a third party. <a href="https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams">Phishing attacks</a> can get you to do the thieves’ work for them. These emails fool people into entering personal information and passwords on fake websites controlled by data thieves.</p>
<p>It turns out that you’re probably pretty good at sensing when something is off about an email message. <a href="https://theconversation.com/profiles/rick-wash-1266664">Rick Wash</a>, an associate professor of information science and cybersecurity at Michigan State University, found that the average person <a href="https://theconversation.com/you-know-how-to-identify-phishing-emails-a-cybersecurity-researcher-explains-how-to-trust-your-instincts-to-foil-the-attacks-169804">is as good as a cybersecurity expert</a> at sensing when something is weird about an email message. </p>
<p>The trick to protecting yourself from phishing attacks is remembering that phishing exists and could explain what you’re sensing about an email message. </p>
<p>“The people who were good at noticing phishing messages reported stories about specific phishing incidents they had heard about,” he wrote. “Familiarity with specific phishing incidents helps people remember phishing generally.”</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/you-know-how-to-identify-phishing-emails-a-cybersecurity-researcher-explains-how-to-trust-your-instincts-to-foil-the-attacks-169804">You know how to identify phishing emails – a cybersecurity researcher explains how to trust your instincts to foil the attacks</a>
</strong>
</em>
</p>
<hr>
<p><em>Editor’s note: This story is a roundup of articles from The Conversation’s archives.</em></p>
Data breaches have become a fact of life. Here are articles from The Conversation that detail the threat, why it happens and what you can do to protect yourself.Eric Smalley, Science + Technology EditorLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1719852021-11-18T14:41:26Z2021-11-18T14:41:26ZMost common passwords of 2021: here’s what to do if yours makes the list<figure><img src="https://images.theconversation.com/files/432353/original/file-20211117-13-9srnc3.jpg?ixlib=rb-1.1.0&rect=17%2C0%2C5973%2C3997&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/woman-typing-password-her-laptop-computer-1117015901">Thomas Andreas/Shutterstock</a></span></figcaption></figure><p>If you use “123456”, “password” or “qwerty” as a password, you’re probably aware that you’re leaving yourself vulnerable to hackers. But you’re also not alone – these are three of the top ten most common passwords around the world, according to a <a href="https://nordpass.com/most-common-passwords-list/">new report</a>.</p>
<p>In partnership with independent researchers, password management service NordPass compiled millions of passwords into a dataset to determine the 200 most commonly used passwords around the world in 2021.</p>
<p>They analysed the data and presented results across 50 countries, looking at how popular various choices were in different parts of the world. They also looked at password trends by gender.</p>
<iframe title="Top 10 most common passwords globally" aria-label="table" id="datawrapper-chart-jOmug" src="https://datawrapper.dwcdn.net/jOmug/2/" scrolling="no" frameborder="0" style="border: none;" width="100%" height="510"></iframe>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/your-brain-is-unique-heres-how-it-could-be-used-as-the-ultimate-security-password-74311">Your brain is unique – here's how it could be used as the ultimate security password</a>
</strong>
</em>
</p>
<hr>
<p>The findings show password choices are often attached to cultural references. For example, people across several countries take inspiration from their favourite football team. In the UK, “liverpool” was the third most popular password, with 224,160 hits, while the name of Chilean football club “colocolo” was used by 15,748 people in Chile, making it the fifth most common choice.</p>
<p>In some countries passwords relating to religion were popular. For example, “christ” was the 19th most common password used in Nigeria, used 7,169 times. Meanwhile, “bismillah”, an Arabic phrase meaning in the name of Allah, was used by 1,599 people in Saudi Arabia – the 30th most common choice.</p>
<p>The report also reflected differences between genders. Women tend to use more positive and affectionate words and phrases such as “sunshine” or “iloveyou”, while men often use sports-related passwords. In some countries, men use more swear words than women. </p>
<p>While music-themed passwords were popular across both genders, choices like “onedirection” or “justinbieber” were more popular among women, whereas men favoured bands such as “metallica” and “slipknot”.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/online-security-wont-improve-until-companies-stop-passing-the-buck-to-the-customer-75274">Online security won't improve until companies stop passing the buck to the customer</a>
</strong>
</em>
</p>
<hr>
<h2>Choose long and complex passwords</h2>
<p>Passwords remain the main authentication mechanism for computers and network-based products and services. But we know people continue to choose weak passwords and often don’t manage them securely, leaving themselves vulnerable to online security threats.</p>
<p>Weak passwords are easy to guess and can be cracked with minimal difficulty by attackers using <a href="https://www.cloudflare.com/en-gb/learning/bots/brute-force-attack/">brute-force methods</a> (trying all letter, number and symbol combinations to find a match). They are also easy targets for a <a href="https://www.sciencedirect.com/topics/computer-science/dictionary-attack">dictionary attack</a>, which is a systematic method attackers use to guess a password, trying many common words and variations of these.</p>
<figure class="align-center ">
<img alt="A man using a smartphone in a cafe." src="https://images.theconversation.com/files/432428/original/file-20211117-17-hdekn9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/432428/original/file-20211117-17-hdekn9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/432428/original/file-20211117-17-hdekn9.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/432428/original/file-20211117-17-hdekn9.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/432428/original/file-20211117-17-hdekn9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/432428/original/file-20211117-17-hdekn9.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/432428/original/file-20211117-17-hdekn9.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Simple number combinations made up the majority of the top ten most popular passwords.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/film-effect-handsome-african-student-shirt-435536992">WAYHOME studio/Shutterstock</a></span>
</figcaption>
</figure>
<p>To overcome the security issues associated with password-based authentication systems, researchers and developers are now focused on creating authentication systems which <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9152694">don’t rely</a> on passwords at all.</p>
<p>In the meantime, two-factor authentication (2FA) or multi-factor authentication (MFA) methods are a good way to secure your accounts. These methods combine a password with biometric information (for example, a face scan or fingerprint) or something you have, like a token.</p>
<p>You can create a password that’s both strong and memorable by combining <a href="https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0">three random words</a>. <a href="https://www.ncsc.gov.uk/collection/passwords/updating-your-approach">Machine-generated passwords</a> are also difficult to guess and less likely to appear in password dictionaries used by attackers.</p>
<p>But of course, all of this is easier said than done. One of the challenges we face in today’s digital age is password overload. And it can be difficult to remember complex passwords, particularly machine-generated ones. </p>
<p>So it’s a good idea to use a reliable password manager for this purpose. Relying on your web browser to remember your passwords is less secure – it’s possible attackers can exploit vulnerabilities in the browser to access stored passwords.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/dont-know-how-your-data-is-used-or-how-to-protect-it-youre-not-alone-but-you-can-improve-your-data-literacy-169431">Don't know how your data is used, or how to protect it? You're not alone – but you can improve your data literacy</a>
</strong>
</em>
</p>
<hr>
<p>NordPass’ findings, although not published in a peer-reviewed journal, align with what we know from <a href="https://www.teampassword.com/blog/top-50-worst-passwords-of-2019">similar lists</a> published elsewhere – that the most popular passwords are weak.</p>
<p>Hopefully, if you see one of your passwords on this list, it will be an impetus to change it to something stronger. Ethical hackers – people who work to prevent computers and networks from being hacked – could also use these insights for good. On the other hand, we have to acknowledge the possibility that hackers could use this information to target password attacks. This should be all the more reason to strengthen your passwords.</p>
<p class="fine-print"><em><span>Nothing to disclose.</span></em></p>
<p class="fine-print"><em><span>Chaminda Hewage does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Creating and managing strong passwords is easier said than done. But it’s worth doing to protect your security online.</p>
<p>Chaminda Hewage, Reader in Data Security, Cardiff Metropolitan University</p>
<p>Elochukwu Ukwandu, Lecturer in Computer Security, Department of Computer Science, Cardiff Metropolitan University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>tag:theconversation.com,2011:article/159164 – 2021-05-05T10:55:24Z</p>
<h1>Four ways to make sure your passwords are safe and easy to remember</h1>
<figure><img src="https://images.theconversation.com/files/397072/original/file-20210426-13-1l50s80.jpg?ixlib=rb-1.1.0&rect=181%2C107%2C5277%2C3474&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Many still make their passwords too simple.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/strong-weak-easy-password-note-pad-1197236665">Shutterstock/Vitalii Vodolazskyi</a></span></figcaption></figure>
<p>For more than 15 years, there have been various predictions from tech leaders about the death of passwords. Bill Gates predicted it <a href="https://www.cnet.com/news/gates-predicts-death-of-the-password/">back in 2004</a> and Microsoft has <a href="https://www.neowin.net/news/microsoft-2021-is-the-year-passwords-die/">predicted it for 2021</a>. There have been numerous similar proclamations in between, alongside ongoing criticism of passwords as an inadequate means of protection. </p>
<p>Yet passwords remain a common aspect of cybersecurity, something people use every day. What’s more, passwords show little sign of disappearing yet. But many people <a href="https://theconversation.com/from-password-to-1234-why-we-still-fail-the-online-security-test-22357">still use them badly</a> and seem unaware of recommended good practice.</p>
<p>It’s very common for cybersecurity experts and <a href="https://theconversation.com/online-security-wont-improve-until-companies-stop-passing-the-buck-to-the-customer-75274">companies to blame users</a> for using passwords poorly, without recognising that systems permit their poor choices. </p>
<p>Many websites offer no upfront guidance on how to choose the passwords they require us to have, perhaps assuming we know these things already or can find it out elsewhere. But the fact that people persist <a href="https://nordpass.com/most-common-passwords-list/">in using weak passwords</a> suggests this is an optimistic view.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/four-steps-to-a-simpler-safer-password-system-27471">Four steps to a simpler, safer password system</a>
</strong>
</em>
</p>
<hr>
<h2>Outdated advice</h2>
<p>In addition to lacking guidance, it’s common to find websites enforcing outdated password requirements. You’re probably familiar with systems insisting on password complexity, by requiring upper case letters, numbers or special characters to make passwords stronger (our response to which often mirrors the video below). </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/aHaBH4LqGsI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>However, <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">the current guidance</a> is to allow complexity but not to require it, and to basically regard password strength as synonymous with password length. </p>
<p>The <a href="https://www.ncsc.gov.uk/">National Cyber Security Centre</a> recommends creating a long password by combining three random words, enabling something longer and more memorable than many standard choices.</p>
<h2>My password attempts</h2>
<p>Also unhelpful is that, rather than giving guidance and requirements at the outset, many sites only reveal rules in response to us trying things that aren’t allowed. I tried creating a password for one such site. Most of my attempts received feedback requiring further action, until I settled on a final choice, which was accepted without complaint. But the password that was accepted, steve!, was short and rather predictable. </p>
<figure class="align-center ">
<img alt="A screenshot of four attempts to create a password." src="https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=312&fit=crop&dpr=1 600w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=312&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=312&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=392&fit=crop&dpr=1 754w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=392&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=392&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Wrestling with rules.</span>
<span class="attribution"><span class="source">Steven Furnell</span>, <span class="license">Author provided</span></span>
</figcaption>
</figure>
<p>When I played around a bit more, various other weak choices were accepted. For example 1234a!, abcde1 and qwert! all satisfied the rules, as did Furnell1 – which isn’t particularly strong, especially as I already entered Furnell as my last name elsewhere on the sign-up form. </p>
<p>Meanwhile, the rules often mean we can’t use passwords our devices auto-generate for us, or ones we might create for ourselves by following current guidance.</p>
<figure class="align-center ">
<img alt="Screenshot of an attempt to use a generated password." src="https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=257&fit=crop&dpr=1 600w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=257&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=257&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=324&fit=crop&dpr=1 754w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=324&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=324&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Many websites don’t allow generated passwords.</span>
<span class="attribution"><span class="source">Steven Furnell</span></span>
</figcaption>
</figure>
<p>Some sites seem to think they can compensate for a lack of guidance by using techniques such as password meters to rate our choices. However, while these give feedback, they’re not a substitute for providing guidance on what good looks like. </p>
<p>Using another site, I entered a poor password (the word password), and the only feedback I received was that the password is very weak. If a user was genuinely offering this password as an attempt, what they need to be told is why it’s weak. While you can doubtless find some sites giving better and more informative feedback, this example is unfortunately representative of many others.</p>
<h2>Rules to follow</h2>
<p>Of course, having highlighted the lack of effective guidance, it would be remiss to end without actually offering some. <a href="https://www.ncsc.gov.uk/cyberaware/home">The NCSC’s guidance</a> about choosing and using passwords is listed and briefly explained below:</p>
<ol>
<li>Use a strong and separate password for your email – as this is often your route to accessing other accounts.</li>
<li>Create strong passwords using three random words – this will give you stronger and more memorable passwords.</li>
<li>Save your passwords in your browser – this prevents you forgetting or losing them.</li>
<li>Turn on two-factor authentication – this adds an extra element of protection even if your password is compromised.</li>
</ol>
<p>It’s useful to supplement this with additional reminders not to <a href="https://theconversation.com/four-steps-to-a-simpler-safer-password-system-27471">use the same password</a> across multiple accounts for fear that a breach of one leads to breach of all, not to share them with other people because then it’s no longer your password, and not to keep a discoverable record of them. Storing them in a protected location, such as a password manager tool, is fine. </p>
<p>It’s worrying to think that passwords have been around for decades and we’re still getting it wrong. And they’re just one aspect of cybersecurity that we need to be using properly. This doesn’t bode well for cybersecurity more widely.</p>
<p class="fine-print"><em><span>Steven Furnell does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Passwords have been around for decades and we’re still getting it wrong.</p>
<p>Steven Furnell, Professor of Cyber Security, University of Nottingham</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>tag:theconversation.com,2011:article/144418 – 2020-09-15T05:01:14Z</p>
<h1>A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?</h1>
<figure><img src="https://images.theconversation.com/files/358044/original/file-20200915-18-15h9xys.png?ixlib=rb-1.1.0&rect=125%2C89%2C3868%2C2155&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Paul Haskell-Dowland</span>, <span class="license">Author provided</span></span></figcaption></figure>
<p>Passwords have been used for thousands of years as a means of identifying ourselves to others and in more recent times, to computers. It’s a simple concept – a shared piece of information, kept secret between individuals and used to “prove” identity. </p>
<p>Passwords in an IT context <a href="https://www.wired.com/2012/01/computer-password/">emerged in the 1960s</a> with <a href="https://www.techopedia.com/definition/24356/mainframe">mainframe</a> computers – large centrally operated computers with remote “terminals” for user access. They’re now used for everything from the PIN we enter at an ATM, to logging in to our computers and various websites.</p>
<p>But why do we need to “prove” our identity to the systems we access? And why are passwords so hard to get right?</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-long-history-and-short-future-of-the-password-76690">The long history, and short future, of the password</a>
</strong>
</em>
</p>
<hr>
<h2>What makes a good password?</h2>
<p>Until relatively recently, a good password might have been a word or phrase of as little as six to eight characters. But we now have minimum length guidelines. This is because of “entropy”.</p>
<p>When talking about passwords, entropy is the <a href="https://www.itdojo.com/a-somewhat-brief-explanation-of-password-entropy/">measure of predictability</a>. The maths behind this isn’t complex, but let’s examine it with an even simpler measure: the number of possible passwords, sometimes referred to as the “password space”. </p>
<p>If a one-character password only contains one lowercase letter, there are only 26 possible passwords (“a” to “z”). By including uppercase letters, we increase our password space to 52 potential passwords. </p>
<p>The password space continues to expand as the length is increased and other character types are added.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=133&fit=crop&dpr=1 600w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=133&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=133&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=167&fit=crop&dpr=1 754w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=167&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=167&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Making a password longer or more complex greatly increases the potential ‘password space’. More password space means a more secure password.</span>
</figcaption>
</figure>
<p>Looking at the above figures, it’s easy to understand why we’re encouraged to use long passwords with upper and lowercase letters, numbers and symbols. The more complex the password, the more attempts needed to guess it.</p>
<p>However, the problem with depending on password complexity is that computers are highly efficient at repeating tasks – including guessing passwords. </p>
<p>Last year, a <a href="https://www.cbronline.com/news/stolen-user-credentials">record was set</a> for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second.</p>
<p>By leveraging this computing power, cyber criminals can hack into systems by bombarding them with as many password combinations as possible, in a process called <a href="https://www.kaspersky.com/resource-center/definitions/brute-force-attack">brute force attacks</a>.</p>
<p>And with cloud-based technology, guessing an eight-character password can be achieved in as little as 12 minutes and cost as little as US$25.</p>
<p>Also, because passwords are almost always used to give access to sensitive data or important systems, this motivates cyber criminals to actively seek them out. It also drives a lucrative online market selling passwords, some of which come with email addresses and/or usernames.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=343&fit=crop&dpr=1 600w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=343&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=343&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=431&fit=crop&dpr=1 754w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=431&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=431&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">You can purchase almost 600 million passwords online for just AU$14!</span>
</figcaption>
</figure>
<h2>How are passwords stored on websites?</h2>
<p>Website passwords are usually stored in a protected manner using a mathematical algorithm called <a href="https://www.wired.com/2016/06/hacker-lexicon-password-hashing/">hashing</a>. A hashed password is unrecognisable and can’t be turned back into the password (an irreversible process). </p>
<p>When you try to log in, the password you enter is hashed using the same process and compared to the version stored on the site. This process is repeated each time you log in.</p>
<p>For example, the password “Pa$$w0rd” is given the value “02726d40f378e716981c4321d60ba3a325ed6a4c” when calculated using the SHA1 hashing algorithm. Try it <a href="https://passwordsgenerator.net/sha1-hash-generator/">yourself</a>. </p>
<p>When faced with a file full of hashed passwords, a brute force attack can be used, trying every combination of characters for a range of password lengths. This has become such common practice that there are websites that list common passwords alongside their (calculated) hashed value. You can simply search for the hash to reveal the corresponding password.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=226&fit=crop&dpr=1 600w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=226&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=226&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=285&fit=crop&dpr=1 754w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=285&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=285&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">This screenshot of a Google search result for the SHA hashed password value ‘02726d40f378e716981c4321d60ba3a325ed6a4c’ reveals the original password: ‘Pa$$w0rd’.</span>
</figcaption>
</figure>
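The storage scheme described above, as an added example that is not part of the original article: the unsalted SHA-1 the article uses, the precomputed hash-to-password table that lets a search engine reveal “Pa$$w0rd”, and the salted, deliberately slow alternative (PBKDF2-HMAC-SHA256 from Python’s standard library) that defeats such tables. The list of “common passwords” is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for the lists of common passwords that
# hash-lookup websites publish; the article's example "Pa$$w0rd" is included.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "Pa$$w0rd", "liverpool"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the scheme the article's example uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup(passwords):
    """Precompute hash -> password once; reusable against every site that
    stores unsalted SHA-1, which is why a web search can 'reverse' a hash."""
    return {sha1_hex(p): p for p in passwords}


def reverse_lookup(hash_hex: str, table: dict):
    """Return the password behind an unsalted SHA-1 hash, or None if not listed."""
    return table.get(hash_hex)


# Hardened storage: a random per-password salt plus a slow key-derivation
# function. The iteration count is the cost factor; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    leaked = sha1_hex("Pa$$w0rd")
    print("unsalted SHA-1 reversed by lookup:", reverse_lookup(leaked, table))
    record = hash_password("Pa$$w0rd")
    # The salted record is not in any precomputed table and differs per user.
    print("salted record found in lookup table:", record in table)
    print("login with right password:", verify_password("Pa$$w0rd", record))
    print("login with wrong password:", verify_password("Pa$$w0rd1", record))
```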
<p>The theft and selling of password lists is now so common, a <a href="https://haveibeenpwned.com/">dedicated website</a> — haveibeenpwned.com — is available to help users check if their accounts are “in the wild”. This has grown to include more than 10 billion account details.</p>
<p>If your email address is listed on this site you should definitely change the detected password, as well as on any other sites for which you use the same credentials.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/will-the-hack-of-500-million-yahoo-accounts-get-everyone-to-protect-their-passwords-65987">Will the hack of 500 million Yahoo accounts get everyone to protect their passwords?</a>
</strong>
</em>
</p>
<hr>
<h2>Is more complexity the solution?</h2>
<p>You would think with so many password breaches occurring daily, we would have improved our password selection practices. Unfortunately, last year’s annual <a href="https://www.securitymagazine.com/articles/91461-the-worst-passwords-of-2019">SplashData password survey</a> has shown little change over five years.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=247&fit=crop&dpr=1 600w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=247&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=247&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=310&fit=crop&dpr=1 754w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=310&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=310&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The 2019 annual SplashData password survey revealed the most common passwords from 2015 to 2019.</span>
</figcaption>
</figure>
<p>As computing capabilities increase, the solution would appear to be increased complexity. But as humans, we are not skilled at remembering (nor motivated to remember) highly complex passwords. </p>
<p>We’ve also passed the point where we use only two or three systems needing a password. It’s now common to access numerous sites, with each requiring a password (often of varying length and complexity). A recent survey suggests there are, on average, <a href="https://www.newswire.com/news/new-research-most-people-have-70-80-passwords-21103705">70-80 passwords per person</a>.</p>
<p>The good news is there are tools to address these issues. Most computers now support password storage in either the operating system or the web browser, usually with the option to share stored information across multiple devices. </p>
<p>Examples include Apple’s <a href="https://www.computerworld.com/article/3254183/how-to-use-icloud-keychain-the-guide.html">iCloud Keychain</a> and the ability to save passwords in Internet Explorer, Chrome and Firefox (although <a href="https://www.howtogeek.com/447345/why-you-shouldnt-use-your-web-browsers-password-manager/">less reliable</a>).</p>
<p><a href="https://tech.co/password-managers/what-is-a-password-manager">Password managers</a> such as KeePassXC can help users generate long, complex passwords and store them in a secure location for when they’re needed. </p>
<p>While this location still needs to be protected (usually with a long “master password”), using a password manager lets you have a unique, complex password for every website you visit.</p>
<p>This won’t prevent a password from being stolen from a vulnerable website. But if it is stolen, you won’t have to worry about changing the same password on all your other sites. </p>
<p>There are of course vulnerabilities in these solutions too, but perhaps that’s a story for another day.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/facebook-hack-reveals-the-perils-of-using-a-single-account-to-log-in-to-other-services-104227">Facebook hack reveals the perils of using a single account to log in to other services</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>One website dedicated to tracking stolen passwords suggests there are details of currently more than 10 billion compromised accounts available online.</p>
<p>Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University</p>
<p>Brianna O'Shea, Lecturer, Ethical Hacking and Defense, Edith Cowan University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>tag:theconversation.com,2011:article/144682 – 2020-09-03T20:01:33Z</p>
<h1>Can I still be hacked with 2FA enabled?</h1>
<figure><img src="https://images.theconversation.com/files/356028/original/file-20200902-20-1ogicca.jpg?ixlib=rb-1.1.0&rect=119%2C29%2C4872%2C3712&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>Cybersecurity is like a game of whack-a-mole. As soon as the good guys put a stop to one type of attack, another pops up. </p>
<p>Usernames and passwords were once good enough to keep an account secure. But before long, cybercriminals figured out how to get around this. </p>
<p>Often they’ll use “<a href="https://www.kaspersky.com/resource-center/definitions/brute-force-attacks">brute force attacks</a>”, bombarding a user’s account with various password and login combinations in a bid to guess the correct one.</p>
<p>To deal with such attacks, a second layer of security was added in an approach known as two-factor authentication, or 2FA. It’s widespread now, but does 2FA also leave room for loopholes cybercriminals can exploit?</p>
<h2>2FA via text message</h2>
<p>There are various types of 2FA. The most common method is to be sent a single-use code as an SMS message to your phone, which you then enter following a prompt from the website or service you’re trying to access. </p>
<p>Most of us are familiar with this method as it’s favoured by major social media platforms. However, while it may seem safe enough, it isn’t necessarily. </p>
<p>Hackers have been known to <a href="https://www.youtube.com/watch?v=kHI90LbBwaQ">trick</a> mobile phone carriers (such as Telstra or Optus) into transferring a victim’s phone number to their own phone.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/2-5-billion-lost-over-a-decade-nigerian-princes-lose-their-sheen-but-scams-are-on-the-rise-141289">$2.5 billion lost over a decade: 'Nigerian princes' lose their sheen, but scams are on the rise</a>
</strong>
</em>
</p>
<hr>
<p>Pretending to be the intended victim, the hacker contacts the carrier with a story about losing their phone and requests a new SIM carrying the victim’s number. Any authentication code sent to that number then goes directly to the hacker, granting them access to the victim’s accounts.</p>
<p>This method is called <a href="https://securelist.com/large-scale-sim-swap-fraud/90353/">SIM swapping</a>. It’s probably the easiest of <a href="https://www.forbes.com/sites/forbestechcouncil/2020/08/21/how-threat-actors-are-bypassing-two-factor-authentication-for-privileged-access/#50278f2b649e">several types</a> of scams that can circumvent 2FA. Nothing technical is broken: the weak point is the carrier’s identity check, not the SMS itself.</p>
<p>And while carriers’ verification processes for SIM requests are improving, a competent trickster can talk their way around them. </p>
<h2>Authenticator apps</h2>
<p>The authenticator method is more secure than 2FA via text message. It works on a principle known as TOTP, or “time-based one-time password”: when you enrol, the service and your app agree on a shared secret (usually by scanning a QR code), and from then on both sides independently compute a short code from that secret and the current time, typically a new six-digit code every 30 seconds. </p>
<p>TOTP is more secure than SMS because the code is generated on your device rather than being sent across the phone network, where it might be intercepted or redirected. Each code also expires within a minute or so of being generated, so a stolen code is only useful to an attacker who acts immediately. </p>
<p>The authenticator method uses apps such as Google Authenticator, LastPass Authenticator, 1Password, Microsoft Authenticator, Authy and Yubico Authenticator.</p>
<p>However, while it’s safer than 2FA via SMS, there have been <a href="https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/">reports</a> of hackers stealing authentication codes from Android smartphones. They do this by tricking the user into installing <a href="https://au.pcmag.com/security/65791/android-malware-can-steal-2fa-codes-from-google-authenticator-app#:%7E:text=To%20steal%20the%20Google%20Authenticator,be%20advertised%20by%20Cerberus's%20creators.">malware</a> (software designed to cause harm) that copies and sends the codes to the hacker. </p>
<p>Android is generally the easier target here, not because its source code is open but because it lets users install apps from outside the official store and grants broad “accessibility” permissions that malware can abuse to read what is on the screen. iOS restricts both, which makes the same trick much harder to pull off. The practical point is that an authenticator app only protects you while the device it runs on is clean, so don’t install apps from untrusted sources.</p>
<h2>2FA using details unique to you</h2>
<p>Biometric methods are another form of 2FA. These include fingerprint login, face recognition, retinal or iris scans, and voice recognition. Biometric identification is becoming popular for its ease of use. </p>
<p>Most smartphones today can be unlocked by placing a finger on the scanner or letting the camera scan your face – much quicker than entering a password or passcode. </p>
<p>However, biometric data can be hacked, too, either from the servers where they are stored or from the software that processes the data. </p>
<p>One case in point is last year’s <a href="https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data">Biostar 2 data breach</a>, in which nearly 28 million biometric records were exposed through an unsecured, publicly accessible database. BioStar 2 is a security system that uses facial recognition and fingerprinting technology to help organisations secure access to buildings.</p>
<p>There can also be false negatives and false positives in biometric recognition. Dirt on the fingerprint reader or on the person’s finger can lead to false negatives. Also, faces can sometimes be similar enough to <a href="https://www.wired.co.uk/article/avoid-facial-recognition-software">fool facial recognition systems</a>.</p>
<p>Another “second step” some services offer is personal security questions such as “what city did your parents meet in?” or “what was your first pet’s name?” Strictly speaking these are not a second factor at all: like a password, they are something you know, so they add little if the answers can be found or guessed.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/dont-be-phish-food-tips-to-avoid-sharing-your-personal-information-online-138613">Don't be phish food! Tips to avoid sharing your personal information online</a>
</strong>
</em>
</p>
<hr>
<p>A determined hacker can often find or guess the answers to these questions, and it gets easier as more of us keep public online profiles where birthplaces, pets and schools are there for the reading. If a service insists on them, give random answers and keep them in a password manager rather than using the truth.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Person looks at a social media post from a woman, on their mobile." src="https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Often when we share our lives on the internet, we fail to consider what kinds of people may be watching.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<h2>2FA remains best practice</h2>
<p>Despite all of the above, the biggest vulnerability to being hacked is still the human factor. Successful hackers have a bewildering array of psychological tricks in their arsenal.</p>
<p>A cyber attack could come as a polite request, a scary warning, a message ostensibly from a friend or colleague, or an intriguing “clickbait” link in an email.</p>
<p>The best way to protect yourself from hackers is to develop a healthy amount of scepticism. If you carefully check websites and links before clicking through and also use 2FA, you close the two easiest routes in: a guessed or reused password, and a phishing link. </p>
<p>The bottom line is that 2FA is effective at keeping your accounts safe. However, prefer an authenticator app over the SMS method when given the option, and remember that a code you type into a fake login page is handed straight to the attacker. </p>
<p>Just as burglars in the real world focus on houses with poor security, hackers on the internet look for weaknesses. </p>
<p>And while any security measure can be overcome with enough effort, a hacker won’t make that investment unless they stand to gain something of greater value.</p>
<p class="fine-print"><em><span>David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Two-factor authentication is certainly an added layer of security as we traverse the online world. But it comes in various forms, and they’re not all equally protective.David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1357992020-04-10T12:17:15Z2020-04-10T12:17:15ZVideoconferencing keeps people connected while the coronavirus keeps them inside – but privacy and security are far from perfect<figure><img src="https://images.theconversation.com/files/326675/original/file-20200408-150164-wo6t5f.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C3000%2C1998&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Face to face, virtually.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/asian-woman-working-with-laptop-on-the-bed-royalty-free-image/1204226034?adppopup=true">SammyVision/Moment via Getty Images</a></span></figcaption></figure><p>If, before COVID-19, you were concerned about all the <a href="https://www.theguardian.com/commentisfree/2018/mar/28/all-the-data-facebook-google-has-on-you-privacy">data that technology companies had about you</a>, just wait. As stay-at-home orders push more professional and social activities online, it’s becoming harder to remain in control.</p>
<p>Look no further than Zoom, which suffered <a href="https://www.vox.com/recode/2020/3/31/21201019/zoom-coronavirus-privacy-hacks">dual security and privacy crises</a> in the past few weeks. Lawsuits alleging data sharing violations and hackers have descended on the software, which has led <a href="https://www.cnet.com/news/zoom-every-security-issue-uncovered-in-the-video-chat-app/">Google and school districts to ban Zoom</a> for professional use.</p>
<p>I’m a researcher who investigates <a href="https://doi.org/10.1177%2F1461444818801317">how these concerns affect the use of online platforms</a>. The first thing to understand is that privacy and security are two different things, and they have different consequences for using videoconferencing platforms.</p>
<h2>Privacy versus security</h2>
<p>Privacy refers to individuals’ <a href="https://www.un.org/en/universal-declaration-human-rights/">universal rights</a> to control their data. Security is how that data is protected. One or both can be compromised when using popular videoconferencing tools, leaving personal information vulnerable.</p>
<p>For example, say someone signs up for a new videoconferencing platform using full name, email address and phone number. Ideally, the platform company would maintain both privacy and security, meaning the company wouldn’t share that person’s information outside the company, and would keep their system protected from hackers and viruses. The most private platforms, like <a href="https://signal.org/">Signal</a> and <a href="https://apps.apple.com/us/app/facetime/id1110145091">FaceTime</a>, use end-to-end encryption to ensure that even the companies themselves do not have access to the contents of anyone’s communication. When such systems are kept secure, they are the best communication tools to use.</p>
<p>Alternatively, a company could compromise privacy but maintain security, meaning it would collect information about video calls and sell that data to a third party for marketing purposes. Many companies will include such conditions in their terms of service, <a href="https://doi.org/10.1080/1369118X.2018.1486870">which users rarely read</a>. However, companies have incentive to maintain security; they don’t want to be overrun with criminals or pranksters, which could damage their reputations. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=429&fit=crop&dpr=1 600w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=429&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=429&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=539&fit=crop&dpr=1 754w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=539&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=539&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Videoconferencing software mapped in terms of security and privacy protections.</span>
<span class="attribution"><span class="source">Elizabeth Stoycheff</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>Worst case is when a company surrenders both privacy and security, meaning they share personal information with third parties, and they <a href="https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/">fail to prevent data breaches</a>. Offerings from these companies are the riskiest of all digital tools, and unfortunately, they’re all too common.</p>
<p>Here’s how some of the most popular video conferencing services stack up.</p>
<h2>Videoconferencing options</h2>
<p>Zoom’s most updated <a href="https://zoom.us/privacy">privacy policy</a> states that the company “do[es] not allow third parties to use any personal data obtained from users for their own purposes, unless you consent.” However, Zoom is currently facing a lawsuit alleging that it violated this agreement and <a href="https://www.cbsnews.com/news/zoom-app-personal-data-selling-facebook-lawsuit-alleges/">shared user data with Facebook</a>. The company claims that this was a security, not a privacy, breach and that it was not compensated for data sharing. </p>
<p>Zoom has also come under fire for security flaws that have allowed “<a href="https://www.cbsnews.com/news/zoom-video-conferencing-feature-freeze-security-flaws/">Zoom-bombers</a>” to intrude on personal calls, often using profane or obnoxious content. The company admitted that it has <a href="https://www.cbsnews.com/news/zoom-video-conferencing-feature-freeze-security-flaws/">fallen short on protecting users’ privacy and security</a> and is working to fix the problems.</p>
<p>Microsoft Teams’ <a href="https://privacy.microsoft.com/en-us/privacystatement">privacy policy</a> leaves no questions. It explicitly states that it “collects data from you, through our interactions with you and through our products.” It is upfront about using this information to market to users, personalize their experiences and even participate in legal investigations. In other words, make no presumptions of privacy here – all personal data on the platform is fair game.</p>
<p>To differentiate its security from Zoom, Microsoft’s Teams has implemented <a href="https://docs.microsoft.com/en-us/microsoftteams/sign-in-teams">two-factor authentication</a>, meaning passwords are not enough. Users need to also enter email or text codes to log in. The Microsoft family of software – though not Teams specifically – confronted a number of security problems this year, including a <a href="https://www.forbes.com/sites/daveywinder/2020/01/22/microsoft-security-shocker-as-250-million-customer-records-exposed-online/#6b52e7eb4d1b">breach of its customer service center</a> that exposed 14 years of information. The jury is still out on whether it’s a more secure alternative to Zoom. </p>
<p>Unlike Zoom and Teams, Webex offers hosts the option of <a href="https://help.webex.com/en-us/WBX44739/What-Does-End-to-End-Encryption-Do">end-to-end encryption</a>, meaning only the sender of a message and its recipient have access to the data within. This is a strong privacy feature, but it’s elective and tends to limit the usefulness of the tool. </p>
<p>Webex is not immune to security breaches, but the difference between this company and their competitors is their transparency and quick patches. The platform actively maintains a <a href="https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&keyword=webex&sort=-day_sir#%7EVulnerabilities">public list of vulnerabilities</a>, which documents how the company has resolved them. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Zoom’s virtual waiting room, which prevents participants from joining a meeting without the host’s permission, is now on by default.</span>
<span class="attribution"><a class="source" href="https://flickr.com/photos/pswansen/3063800085/in/photolist-5EJM2p-JPi3FZ-7t2yqf-8ZXGeW-2g3JYxh-eiVy7g-e4aj2K-myiYTZ-CmrmN-LavrPD-4SeE5A-9Fa1B7-CGE2MP-2hik4n2-28xqcvB-27ay7yw-zZVya-59uCCp-KUGD7U-5SS6g4-2biAdP8-ssKBF-25gDuEE-gqR2w-yJvxX-jP4Bw-8GtNWR-8ET3eb-8ESVQE-53xshM-7yuQFL-n79k9-8ET6e1-MaG4Q-GUP3p-GPp44-tLRgh-24GP516-EsqKvb-ps2H3X-Nfx8dX-nLDitH-b4PyCK-bgHNJT-dFrFn5-noXW3G-MBipMs-FfZEbr-4Y5poN-2gP6pLo">Paul Swansen/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>Skype has a privacy problem. It <a href="https://www.comparitech.com/blog/information-security/is-skype-safe-and-secure-what-are-the-alternatives/">shares user data</a> with third parties, across the entire Microsoft family, and even with law enforcement when asked. In a benign effort to improve customer service, it <a href="https://www.theguardian.com/technology/2020/jan/10/skype-audio-graded-by-workers-in-china-with-no-security-measures">allowed employees to access recordings of Skype conversations</a> from their personal computers over a period of several years. Such tasks have since been transferred to a secure facility, but it doesn’t change the fact that if you’ve used Skype lately, your privacy has been compromised. </p>
<p>Like Teams, Skype uses two-factor authentication but it was also likely compromised in the <a href="https://docs.microsoft.com/en-us/microsoftteams/sign-in-teams">massive Microsoft customer service breach</a> earlier this year. </p>
<p>WhatsApp has encrypted calls and messages <a href="https://faq.whatsapp.com/en/android/28030015/">end-to-end</a> using the Signal protocol since 2016 (the rollout began in late 2014, after Facebook acquired the company). The content of chats is protected from WhatsApp and Facebook themselves; note, though, that end-to-end encryption covers content, not metadata such as who messaged whom and when. </p>
<p>However, WhatsApp suffered a very public security breach when Jeff Bezos’ personal messages were compromised by spyware and leaked. That was one of <a href="https://www.businessinsider.com/jeff-bezos-hack-whatsapp-disclosed-security-flaws-last-year-ft-2020-1">12 vulnerabilities</a> the platform faced last year. </p>
<p>Apple’s FaceTime also boasts <a href="https://www.apple.com/privacy/features/">end-to-end protections</a>, and the company has upheld its commitment to privacy by <a href="https://www.npr.org/sections/thetwo-way/2016/02/25/468158520/why-apple-says-it-wont-help-unlock-that-iphone-in-5-key-quotes">refusing requests from the FBI</a> to access user devices. It’s positioning itself as a steward of user privacy.</p>
<p>Like other services, FaceTime has been susceptible to occasional security hacks. In early 2019, users reported a <a href="https://www.npr.org/2019/01/29/689581417/apple-disables-group-facetime-after-security-flaw-let-callers-secretly-eavesdrop">security glitch in its group calls</a> where recipients could hear and see callers before answering. The feature was disabled and patched, and the service has been without a major incident since. </p>
<h2>Settings and choices</h2>
<p>Across all these platforms, people should use complex passwords, turn on enhanced security features, like the use of <a href="https://support.zoom.us/hc/en-us/articles/115000332726-Waiting-Room">waiting rooms</a> and <a href="https://docs.microsoft.com/en-us/microsoftteams/manage-channel-moderation-in-teams">channel moderation</a>, and make sure conferences are restricted to intended guests. It’s also important to consider what can be seen on camera, like a loan statement pinned to a bulletin board or an envelope with a home address visible. Try videoconferencing in front of a neutral wall or using <a href="https://support.skype.com/en/faq/FA34896/what-is-background-blur-in-skype">blurred</a> or <a href="https://office365itpros.com/2020/04/06/teams-meeting-background-image/">customized</a> backdrops to keep the home environment off camera. </p>
<p>There’s still room in the market for more reliably secure, private videoconferencing systems. But in the meantime, not all communication requires the same levels of privacy and security. People might not care much if marketers or even pranksters crash their G-rated happy hours. But confidential client meetings and remote health care consultations are another matter. The companies’ offerings and track records, outlined here, should help people choose the videoconferencing tool that best balances usefulness with privacy and security.</p>
<p>[<em>Get facts about coronavirus and the latest research.</em> <a href="https://theconversation.com/us/newsletters?utm_source=TCUS&utm_medium=inline-link&utm_campaign=newsletter-text&utm_content=upper-coronavirus-facts">Sign up for The Conversation’s newsletter.</a>]</p>
<p class="fine-print"><em><span>Elizabeth Stoycheff has received grant funding from WhatsApp, but it has not influenced the information in this article.</span></em></p>Zoom’s privacy and security shortcomings are just the latest videoconferencing vulnerabilities. Knowing each platform’s risks can help people avoid many of the downsides of virtual gatherings.Elizabeth Stoycheff, Associate Professor of Communication, Wayne State UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1274422019-12-04T04:25:45Z2019-12-04T04:25:45ZFingerprint login should be a secure defence for our data, but most of us don’t use it properly<figure><img src="https://images.theconversation.com/files/305096/original/file-20191204-70101-q97e32.jpg?ixlib=rb-1.1.0&rect=79%2C12%2C4010%2C2139&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Even though passcode options include swipe patterns and long passwords, many users still use easy 4-digit PINs. This is because people are often lulled into a false sense of security when they use fingerprint login.</span> <span class="attribution"><span class="source">SHUTTERSTOCK</span></span></figcaption></figure><p>Our electronic devices store a plethora of sensitive information. To protect this information, device operating systems such as <a href="https://www.apple.com/au/ios/ios-13/">Apple’s iOS</a> and <a href="https://www.android.com/phones-tablets/">Android</a> have locking mechanisms. These require user authentication before access is granted. </p>
<p>One of the most common mechanisms is fingerprint login, a form of biometric technology that Apple popularised on smartphones in 2013 with Touch ID. </p>
<p>Touch ID was introduced <a href="https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf">with the intuition that</a>, if there was an easier and quicker way to log in, users would be encouraged to keep stronger passcodes and passwords without sacrificing ease of access. It was supposed to enhance both the usability and security of the device.</p>
<p>However, in application this hasn’t been the case. And most users remain unaware of this initial purpose.</p>
<h2>Easy targets</h2>
<p>When first unlocking an iPhone after starting it, <a href="https://support.apple.com/en-gb/HT204060">users are asked</a> to enter a strong six-digit passcode, instead of a simpler four-digit PIN. After that, Touch ID can be used to unlock the phone, to avoid having to re-enter the password multiple times. </p>
<p>The catch is, users can choose to ignore the direction and opt for an easy four-digit PIN, and they usually do. </p>
<p><a href="https://www.usenix.org/conference/soups2015/proceedings/presentation/cherapau">Researchers</a> found that among Touch ID users, the majority still used weak login codes, mainly four-digit PINs (which are easy to guess). This was also true among people who didn’t use Touch ID. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/fingerprinting-to-solve-crimes-not-as-robust-as-you-think-85534">Fingerprinting to solve crimes: not as robust as you think</a>
</strong>
</em>
</p>
<hr>
<p>They also found more than 30% of participants weren’t aware they could use passwords with letters (which are stronger) instead of four-digit PINs.</p>
<p>Some participants indicated they used PINs for quicker access, compared to passwords. And most agreed that Touch ID offered usability benefits including convenience, speed and ease of use.</p>
<p>Interestingly, there was also a disconnect between how secure users thought their passcodes were, and how secure they actually were. </p>
<p>In fact, only 12% of participants correctly estimated their passcode’s strength. </p>
<h2>Knowledge is key</h2>
<p>It’s important to understand how fingerprint login and other biometric systems work, before we use them. </p>
<p>A biometric is a unique biological characteristic which can be used to identify and verify a person’s identity. Apart from fingerprints, we see this in facial recognition scans, DNA tests, and less commonly in palm prints, and iris and retina recognition.</p>
<p>Biometrics are marketed as being a very secure solution, because the way biometric data is stored is different to the ways PINs and passwords are stored. </p>
<p>Passwords for online accounts have to be stored (ideally as salted hashes) on the service’s servers, where a breach can expose them in bulk. Fingerprint data, by contrast, is stored solely on your device: Touch ID keeps a mathematical representation of the print, not an image, inside the phone’s Secure Enclave. Servers and apps never receive it, and it is not backed up to <a href="https://home.bt.com/tech-gadgets/computing/cloud-computing/eight-things-you-need-to-know-about-the-cloud-11363891172534">the cloud</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/iphone-5s-fingerprint-scanning-thumbs-up-or-down-18112">iPhone 5S fingerprint scanning: thumbs up or down?</a>
</strong>
</em>
</p>
<hr>
<p>However, although it’s incredibly hard for cybercriminals to get access to your actual fingerprint data – since it’s encrypted and stored on the device itself – biometric systems are still not completely secure.</p>
<p>For instance, Apple’s fingerprint technology was compromised <a href="https://www.theguardian.com/technology/2013/sep/22/apple-iphone-fingerprint-scanner-hacked">just two days after the launch of Touch ID</a> (integrated into the iPhone 5S) in 2013. And since then, many people have managed to bypass Touch ID security by <a href="https://www.theverge.com/2016/5/2/11540962/iphone-samsung-fingerprint-duplicate-hack-security">using dental mold or play-dough</a>.</p>
<p>Similarly, it was shown that even the 2017 iPhone X’s <a href="https://support.apple.com/en-au/HT208109">Face ID</a> feature <a href="https://www.wired.com/story/hackers-say-broke-face-id-security/">could be compromised</a>.</p>
<p>Users who use Touch ID with a four-digit PIN backup are also at risk. They’re susceptible to “shoulder surfing” attacks, where attackers simply look over a victim’s shoulder to see them input their PIN.</p>
<p>Other types of attacks include password guessing and even thermal imaging of the screen, which uses a thermal camera to see which areas were most recently pressed (the heat left by a fingertip fades over tens of seconds), thereby potentially revealing a passcode combination. </p>
<h2>A permanent mark</h2>
<p>The elephant in the room is that once biometric data such as a fingerprint is stolen, it’s stolen forever. Unlike a password, it can’t be changed.</p>
<p>Stolen biometric data can be used to identify users without their knowledge, especially if users are unaware of how their data is stored and collected. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/fingerprint-and-face-scanners-arent-as-secure-as-we-think-they-are-112414">Fingerprint and face scanners aren’t as secure as we think they are</a>
</strong>
</em>
</p>
<hr>
<p>That said, cybercriminals generally prefer to break into people’s devices through mind games, by luring victims into clicking on links or downloading attachments which eventually disclose their login credentials. </p>
<p>In public, a criminal might ask to borrow your phone for a call. In such situations, it’s often easy for them to steal your PIN simply through observation, rather than having to actually break into your device. </p>
<p>Touch ID technology was designed to enhance security and usability, and it would have, if people had heeded its original purpose and kept stronger passcodes. </p>
<p>But they don’t, because often they don’t understand the basis of the technology. With biometric technology, users experience a false sense of security. They remain unaware of the many ways in which their information could still be stolen.</p>
<p>This is why users should educate themselves on how the technologies they use function, and the purpose for which they were designed. Failing that, they risk leaving the back door wide open for cybercriminals.</p>
<p class="fine-print"><em><span>Nalin Asanka Gamagedara Arachchilage works as Senior Research Fellow at La Trobe University.</span></em></p>While the data from a fingerprint is very hard to retrieve, cybercriminals can get around biometric technology in various ways. And having a weak passcode is like giving them a hall pass.Nalin Asanka Gamagedara Arachchilage, Senior Research Fellow in Cyber Security at La Trobe University, UNSW SydneyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1231142019-10-25T12:31:52Z2019-10-25T12:31:52Z5 milestones that created the internet, 50 years after the first network message<figure><img src="https://images.theconversation.com/files/297531/original/file-20191017-98648-31lbw.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C3872%2C2590&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">This SDS Sigma 7 computer sent the first message over the predecessor of the internet in 1969.</span> <span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:The_SDS_Sigma-7_The_First_Computer_to_be_Connected_to_the_Internet_(6294434636).jpg">Andrew 'FastLizard4' Adams/Wikimedia Commons</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure><p>Fifty years ago, a UCLA computer science professor and his student sent the <a href="https://www.tweaktown.com/news/54662/first-internet-message-sent/index.html">first message</a> over the predecessor to the internet, a network called <a href="https://www.darpa.mil/about-us/timeline/arpanet">ARPANET</a>.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=335&fit=crop&dpr=1 600w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=335&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=335&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=420&fit=crop&dpr=1 754w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=420&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/297423/original/file-20191016-98674-24xxy4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=420&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The log page showing the connection from UCLA to Stanford Research Institute on Oct. 29, 1969.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:First-arpanet-imp-log.jpg">Charles S. Kline/UCLA Kleinrock Center for Internet Studies/Wikimedia Commons</a></span>
</figcaption>
</figure>
<p>On Oct. 29, 1969, Leonard Kleinrock and Charley Kline sent Stanford University researcher Bill Duval a two-letter message: “lo.” The intended message, the full word “login,” was <a href="https://www.tweaktown.com/news/54662/first-internet-message-sent/index.html">truncated by a computer crash</a>.</p>
<p>Much more traffic than that travels through the internet these days, with <a href="https://www.internetlivestats.com/">billions</a> of emails sent and searches conducted daily. As a scholar of <a href="https://doi.org/10.1017/CBO9781139021838">how the internet is governed</a>, I know that <a href="https://mitpress.mit.edu/books/ruling-root">today’s vast communications web</a> is a result of <a href="https://heinonline.org/HOL/Page?handle=hein.journals/geojaf16&div=70&g_sent=1&casa_token=&collection=journals">governments and regulators making choices</a> that <a href="https://wwnorton.com/books/9781631493072">collectively built the internet</a> as it is today. </p>
<p>Here are five key moments in this journey.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/vuiBTJZfeo8?wmode=transparent&start=390" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Leonard Kleinrock shows the original document logging the very first ARPANET computer communication.</span></figcaption>
</figure>
<h2>1978: Encryption failure</h2>
<p>Early internet pioneers, in some ways, were remarkably farsighted. In 1973, a group of <a href="https://www.washingtonpost.com/graphics/national/security-of-the-internet/history/">high school students</a> reportedly gained access to ARPANET, which was supposed to be a closed network managed by the Pentagon. </p>
<p>Computer scientists <a href="https://ai.google/research/people/author32412">Vinton Cerf</a> and <a href="https://www.britannica.com/biography/Robert-Elliot-Kahn">Robert Kahn</a> suggested building encryption into the internet’s core protocols, which would have made it far more difficult for hackers to compromise the system.</p>
<p>But the U.S. intelligence community objected, though officials didn’t publicly say why. The only reason their intervention is public is because <a href="https://doi.org/10.1016/0376-5075(83)90042-9">Cerf hinted at it in a 1983 paper</a> he co-authored.</p>
<p>As a result, basically all of today’s internet users have to handle <a href="https://theconversation.com/using-truly-secure-passwords-6-essential-reads-84092">complex passwords</a> and <a href="https://theconversation.com/the-age-of-hacking-brings-a-return-to-the-physical-key-73094">multi-factor authentication systems</a> to ensure secure communications. People with more advanced security needs often use <a href="https://theconversation.com/is-your-vpn-secure-109130">virtual private networks</a> or specialized privacy software like <a href="https://theconversation.com/tor-upgrades-to-make-anonymous-publishing-safer-73641">Tor</a> to encrypt their <a href="https://doi.org/10.1016/B978-192899416-9/50021-7">online activity</a>. </p>
<p>However, computers may not have had enough processing power to effectively encrypt internet communications. That could have slowed the network, making it less attractive to users – delaying, or even preventing, wider use by researchers and the public.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=382&fit=crop&dpr=1 600w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=382&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=382&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=480&fit=crop&dpr=1 754w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=480&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/297427/original/file-20191016-98661-lq37nx.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=480&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Vinton Cerf and Robert Kahn with President George W. Bush at the ceremony where Cerf and Kahn were given the Presidential Medal of Freedom for their contributions to developing the internet.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:CerfKahnMedalOfFreedom.jpg">Paul Morse/White House/Wikimedia Commons</a></span>
</figcaption>
</figure>
<h2>1983: ‘The internet’ is born</h2>
<p>For the internet to really be a global entity, all kinds of different computers needed to speak the same language to be able to communicate with each other – directly, if possible, rather than slowing things down by using translators. </p>
<p>Hundreds of scientists from various governments collaborated to devise what they called the <a href="https://www.networkworld.com/article/3239677/the-osi-model-explained-how-to-understand-and-remember-the-7-layer-network-model.html">Open Systems Interconnection</a> <a href="https://en.wikipedia.org/wiki/OSI_protocols">standard</a>. It was a complex method that <a href="https://www.pearson.com/us/higher-education/product/Tanenbaum-Computer-Networks-4th-Edition/9780130661029.html">critics considered inefficient and difficult to scale</a> across existing networks.</p>
<p>Cerf and Kahn, however, proposed another way, called <a href="https://www.britannica.com/technology/TCP-IP">Transmission Control Protocol/Internet Protocol</a>. TCP/IP worked more like the regular mail – wrapping up messages in packages and putting the address on the outside. All the computers on the network had to do was pass the message to its destination, where the receiving computer would figure out what to do with the information. It was free for anyone to copy and use on their own computers. </p>
<p>TCP/IP – given that it both worked and was free – enabled the <a href="https://www.simonandschuster.com/books/Where-Wizards-Stay-Up-Late/Katie-Hafner/9780684832678">rapid, global scaling of the internet</a>. A variety of governments, including the United States, eventually came out in support of <a href="https://techdifferences.com/difference-between-tcp-ip-and-osi-model.html">OSI</a> but too late to make a difference. TCP/IP made the internet cheaper, more innovative and less tied to official government standards.</p>
<h2>1996: Online speech regulated</h2>
<p>By 1996, the internet boasted more than 73,000 servers, and 22% of <a href="https://www.people-press.org/1996/12/16/online-use/">surveyed Americans</a> were going online. What they found there, though, worried some members of Congress and their constituents – particularly the rapidly growing amount of <a href="https://www.eff.org/issues/cda230">pornography</a>.</p>
<p>In response, Congress passed the <a href="https://www.britannica.com/topic/Communications-Decency-Act">Communications Decency Act</a>, which sought to regulate indecency and obscenity in cyberspace.</p>
<p>The Supreme Court <a href="https://www.wired.com/1997/06/cda-struck-down/">struck down</a> portions of the law on free-speech grounds the next year, but it left in place <a href="https://theconversation.com/the-law-that-made-facebook-what-it-is-today-93931">Section 230</a>, which stated: “<a href="https://www.law.cornell.edu/uscode/text/47/230">No provider or user of an interactive computer service</a> shall be treated as the publisher or speaker of any information provided by another information content provider.”</p>
<p>Those 26 words, as <a href="https://www.wsj.com/articles/the-twenty-six-words-that-created-the-internet-review-protecting-the-providers-11566255518">various observers have noted</a>, released internet service providers and web-hosting companies from legal responsibility for information their customers posted or shared online. This single sentence <a href="https://www.wired.com/story/fight-over-section-230-internet-as-we-know-it/">provided legal security</a> that allowed the U.S. technology industry to flourish. That protection let companies feel comfortable creating a consumer-focused internet, filled with grassroots media outlets, bloggers, customer reviews and user-generated content. </p>
<p>Critics note that Section 230 also allows social media sites like <a href="https://theconversation.com/the-law-that-made-facebook-what-it-is-today-93931">Facebook and Twitter to operate largely without regulation</a>. </p>
<h2>1998: US government steps up</h2>
<p>The TCP/IP addressing scheme required that every computer or device connected to the internet have its own unique address – which, for computational reasons, was a string of numbers like “192.168.2.201.” </p>
<p>But that’s hard for people to remember – it’s much easier to recall something like “indiana.edu.” There had to be a centralized record of which names went with which addresses, so people didn’t get confused, or end up visiting a site they didn’t intend to.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=652&fit=crop&dpr=1 600w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=652&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=652&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=820&fit=crop&dpr=1 754w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=820&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/297433/original/file-20191016-98644-sdz1ib.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=820&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">For years, Jon Postel held the reins to the internet’s address system.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/8212496@N06/2380082505">Jon Postel/Flickr</a></span>
</figcaption>
</figure>
<p>Originally, starting in the late 1960s, that record was kept on a floppy disk by a man named <a href="http://news.bbc.co.uk/2/hi/science/nature/196487.stm">Jon Postel</a>. By 1998, though, he and others were pointing out that such a significant amount of power <a href="https://www.wired.com/2012/10/joe-postel/">shouldn’t be held by just one person</a>. That year saw the U.S. Department of Commerce lay out a plan to transition control to a new private nonprofit organization, the Internet Corporation for Assigned Names and Numbers – better known as ICANN – that would manage internet addresses around the world.</p>
<p>For nearly 20 years, ICANN did that work under a contract from the Commerce Department, though <a href="https://www.theguardian.com/technology/2015/sep/21/icann-internet-us-government">objections over U.S. government control</a> grew steadily. In 2016, the Commerce Department contract expired, and ICANN’s governance continued its shift toward a <a href="https://www.icann.org/community">broader, more globalized structure</a>.</p>
<p>Other groups that manage key aspects of internet communications have different structures. The Internet Engineering Task Force, for instance, is a <a href="https://www.ietf.org/about/participate/get-started/">voluntary technical organization</a> open to anyone. There are <a href="https://www.ietf.org/about/participate/tao/">drawbacks to that approach</a>, but it would have lessened both the reality and perception of U.S. control.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/297435/original/file-20191016-98661-1j3cbop.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">This 2007 photo shows an Iranian nuclear enrichment facility in Natanz, which was apparently the target of the first known cyberweapon to cause physical damage.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/IRAN-NUCLEAR/56c235b2a1b24a63a73c8f0420940323/63/0">AP Photo/Hasan Sarbakhshian</a></span>
</figcaption>
</figure>
<h2>2010: War comes online</h2>
<p>In June 2010, <a href="https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/">cybersecurity researchers revealed</a> the discovery of a sophisticated cyber weapon called Stuxnet, which was designed specifically to target equipment used by Iran’s effort to develop nuclear weapons. It was among the first known digital attacks that <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">actually caused physical damage</a>. </p>
<p>Almost a decade later, it’s clear that Stuxnet opened the eyes of governments and other online groups to the possibility of wreaking significant havoc through the internet. These days, nations use cyberattacks with increasing regularity, attacking a range of <a href="https://www.wsj.com/articles/u-s-launched-cyberattacks-on-iran-11561263454">military</a> and even <a href="https://www.forbes.com/sites/zakdoffman/2019/08/10/state-sponsored-cyberattacks-challenge-the-very-concept-of-war-report/#4766a17154d6">civilian</a> targets.</p>
<p>There’s certainly <a href="https://theconversation.com/in-a-world-of-cyber-threats-the-push-for-cyber-peace-is-growing-119419">cause for hope for online peace and community</a>, but these decisions – along with many others – have shaped cyberspace and with it millions of people’s daily lives. Reflecting on those past choices can help inform upcoming decisions – such as how international law should <a href="https://www.lawfareblog.com/international-law-and-cyberspace-evolving-views">apply</a> to cyberattacks, or whether and how to <a href="https://www.forbes.com/sites/cognitiveworld/2019/03/02/artificial-intelligence-regulation-will-be-impossible/#1e98082c11ed">regulate</a> artificial intelligence. </p>
<p>Maybe 50 years from now, events in 2019 will be seen as another key turning point in the development of the internet.</p>
<p><em>Correction: This article was updated Oct. 31, 2019, to clarify the description of ICANN’s governance system.</em></p>
<p class="fine-print"><em><span>Scott Shackelford is a principal investigator on grants from the Hewlett Foundation, Indiana Economic Development Corporation, and the Microsoft Corporation supporting both the Ostrom Workshop Program on Cybersecurity and Internet Governance and the Indiana University Cybersecurity Clinic.</span></em></p>
<p>The first internet communication was underwhelming, thanks to a computer crash. But a lot has happened since then – including key decisions that helped build the internet of today.</p>
<p>Scott Shackelford, Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/118706 2019-07-12T09:35:51Z</p>
<p>Four ways blockchain could make the internet safer, fairer and more creative</p>
<figure><img src="https://images.theconversation.com/files/283726/original/file-20190711-173351-bhc1jk.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C8124%2C4986&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/blockchain-technology-information-blocks-cyberspace-decentralized-1134313550?src=Ygq-b0Vg6VDFi07rDI8GDA-1-55&studio=1">Yurchanka Siarhei/Shutterstock</a></span></figcaption></figure>
<p>The internet is unique in that it has no central control, administration or authority. It has given everyone with access to it a platform to express their views and exchange ideas with others instantaneously. But in recent years, internet services such as search engines and social media platforms have increasingly been provided by a small number of very large tech firms. </p>
<p>On the face of it, companies such as Google and Facebook claim to provide a free service to all their users. But in practice, they harvest huge amounts of personal data and sell it on to others for profit. They’re able to do this every time you log into social media, ask a question on a search engine or store files on a cloud service. The internet is slowly turning into something like the current financial system, which centrally monitors all transactions and uses that data to predict what people will buy in future.</p>
<p>This type of monitoring has huge implications for the privacy of ordinary people around the world. The digital currency <a href="https://bitcoin.org/bitcoin.pdf">Bitcoin</a>, which surfaced on the internet in 2008, sought to break the influence that large, private bodies have over what we do online. The researchers had finally solved one of the biggest concerns with digital currencies – that they need central control by the companies that operate them, in the same way traditional currencies are controlled by a bank. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/283763/original/file-20190711-173351-1646hx0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/283763/original/file-20190711-173351-1646hx0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=600&fit=crop&dpr=1 600w, https://images.theconversation.com/files/283763/original/file-20190711-173351-1646hx0.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=600&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/283763/original/file-20190711-173351-1646hx0.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=600&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/283763/original/file-20190711-173351-1646hx0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=754&fit=crop&dpr=1 754w, https://images.theconversation.com/files/283763/original/file-20190711-173351-1646hx0.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=754&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/283763/original/file-20190711-173351-1646hx0.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=754&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Bitcoin was the first application of a blockchain, but the technology shouldn’t stop there.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-vector/bitcoin-physical-bit-coin-digital-currency-674460637?src=l37Sdn0-y_jQyrBkOhfGvA-1-2&studio=1">AnnaGarmatiy/Shutterstock</a></span>
</figcaption>
</figure>
<p>The core idea behind the Bitcoin system is to make all the participants in the system, collectively, the bank. To do this, blockchains are used. Blockchains are distributed, tamper-proof ledgers, which can record every transaction made within a network. The ledger is distributed in the sense that a synchronised copy of the blockchain is maintained by each of the participants in the network, and tamper-proof in the sense that each of the transactions in the ledger is locked into place using a cryptographic technique called hashing.</p>
<p>More than a decade since this technology emerged, we’re still only beginning to scratch the surface of its potential. People researching it may have overlooked one of its most useful applications – making the internet better for everyone who uses it.</p>
<h2>Help stamp out hate</h2>
<p>In order to use services on the internet such as social media, email and cloud data storage, people need to authenticate themselves to the service provider. The way to do this at the moment is to come up with a username and password and register an account with the provider. But at the moment, there’s no way to verify the user’s identity. Anyone can create an account on platforms like Facebook and use it to spread fake news and hatred, without fear of ever being identified and caught.</p>
<p>Our idea is to issue each citizen with a digital certificate by first verifying their identity. An organisation like your workplace, university or school knows your identity and is in a position to issue you with a certificate. If other organisations do the same for their members, we could put these certificates on a publicly accessible blockchain and create a <a href="https://www.researchgate.net/publication/317428254_X509Cloud_-_Framework_for_a_ubiquitous_PKI">global protected record</a> of every internet user’s identity.</p>
<p>Since there’d be a means for identifying users with their digital certificate, social media accounts could be linked to real people. A school could create social media groups which could only be accessed if a student had a certificate issued to them by the school, preventing the group being infiltrated by outsiders.</p>
<h2>Never forget a password again</h2>
<p>A user could ask for a one-time password (OTP) for Facebook by clicking an icon on their mobile phone. Facebook would then look up the user’s digital certificate on the blockchain and return an OTP to their phone. The OTP will be encrypted so that it cannot be seen by anyone else apart from the intended recipient. The user would then log in to the service using their username and the OTP, thereby eliminating the need to remember passwords. The OTP changes with each login and is delivered encrypted to your phone, so it’s much more difficult to guess or steal a password.</p>
<h2>Vote with your phone</h2>
<p>People are often too busy or reluctant to go to a polling station on voting days. An <a href="https://www.researchgate.net/publication/321803764_THE_FUTURE_OF_E-VOTING">internet voting system</a> could change that. Digital currencies like Zerocash are fully anonymous and can be traced on the blockchain, giving them the basic ingredients for a voting system. Anyone can examine the blockchain and confirm that a particular token has been transferred between two parties without revealing their identities.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/283761/original/file-20190711-173325-14k8q3o.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/283761/original/file-20190711-173325-14k8q3o.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/283761/original/file-20190711-173325-14k8q3o.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/283761/original/file-20190711-173325-14k8q3o.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/283761/original/file-20190711-173325-14k8q3o.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/283761/original/file-20190711-173325-14k8q3o.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/283761/original/file-20190711-173325-14k8q3o.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Blockchain could ensure more people are able to vote.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-vector/flat-isometric-vector-concept-voting-online-1128828170?src=JXxu_LOjRcbkVuds2w7N9Q-1-0&studio=1">TarikVision/Shutterstock</a></span>
</figcaption>
</figure>
<p>Each candidate could be given a digital wallet and each eligible voter given a token. Voters cast their token into the wallet of their preferred candidate using their mobile phone. If the total number of tokens in the wallets is less than or equal to the number issued, then you have a valid poll and the candidate with the most tokens is declared the winner. </p>
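<p>As an added Python example (not code from the article or from any real blockchain), the hash-chained ledger described in the paragraph beginning “The core idea behind the Bitcoin system” and the token tally above, run on a constructed three-voter poll: each transfer is locked to the previous record by its hash, and the tally applies the count check and a per-token check that catches a token cast twice, which the count alone cannot. All names, tokens and counts are constructed.</p>

```python
import hashlib
import json
from collections import Counter

# Constructed sample poll (not real data): three tokens issued to three
# voters, two candidate wallets.  Each vote is a transfer of one token.
ISSUED = ["tok-001", "tok-002", "tok-003"]
CANDIDATES = ["alice", "bob"]
VOTES = [
    {"token": "tok-001", "to": "alice"},
    {"token": "tok-002", "to": "bob"},
    {"token": "tok-003", "to": "alice"},
]
GENESIS_HASH = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, prev_hash, transfer):
    """Digest of a block's contents; altering any field changes it.

    Canonical JSON (sorted keys, no whitespace) so the same content always
    hashes the same way regardless of dict ordering."""
    payload = json.dumps(
        {"index": index, "prev": prev_hash, "transfer": transfer},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(transfers):
    """Append each transfer as a block whose hash also covers the previous
    block's hash: this is what locks earlier records into place."""
    chain, prev = [], GENESIS_HASH
    for i, t in enumerate(transfers):
        h = block_hash(i, prev, t)
        chain.append({"index": i, "prev": prev, "transfer": t, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Recompute every hash from the genesis value forward.

    Returns -1 if the chain is intact, otherwise the index of the first block
    whose stored hash or back-link no longer matches its contents."""
    prev = GENESIS_HASH
    for block in chain:
        expected = block_hash(block["index"], prev, block["transfer"])
        if block["prev"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return -1


def tally(chain, issued_tokens, candidates):
    """Count the tokens in each candidate's wallet.

    Applies the article's validity rule (tokens cast <= tokens issued) and
    additionally rejects a token that was never issued, cast twice, or sent
    to an unknown wallet; the count rule alone cannot catch a double cast
    when another voter abstained."""
    issued, seen = set(issued_tokens), set()
    counts = Counter({c: 0 for c in candidates})
    for block in chain:
        token, to = block["transfer"]["token"], block["transfer"]["to"]
        if token not in issued or token in seen or to not in counts:
            return {"valid": False, "reason": f"bad transfer of {token}",
                    "counts": dict(counts)}
        seen.add(token)
        counts[to] += 1
    if sum(counts.values()) > len(issued):
        return {"valid": False, "reason": "more tokens cast than issued",
                "counts": dict(counts)}
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    tied = len(ranked) > 1 and ranked[0][1] == ranked[1][1]
    return {"valid": True, "winner": None if tied else ranked[0][0],
            "counts": dict(counts)}


def demo():
    """Run the honest poll, then a tampered ledger and a double-cast token."""
    chain = build_chain(VOTES)
    intact = verify_chain(chain)                 # -1: every hash checks out
    result = tally(chain, ISSUED, CANDIDATES)    # alice 2, bob 1
    # Rewrite an earlier vote in a copy of the ledger: its stored hash no
    # longer matches, so verification stops at block 1.
    tampered = [dict(b, transfer=dict(b["transfer"])) for b in chain]
    tampered[1]["transfer"]["to"] = "alice"
    first_bad = verify_chain(tampered)           # 1
    # Cast tok-001 a second time: three tokens cast, three issued, so the
    # count rule passes, but the per-token check rejects the poll.
    dup = build_chain(VOTES[:2] + [{"token": "tok-001", "to": "bob"}])
    dup_result = tally(dup, ISSUED, CANDIDATES)  # valid: False
    return intact, result, first_bad, dup_result


if __name__ == "__main__":
    print(demo())
```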
<h2>No more tech companies selling your data</h2>
<p>People use search engines every day, but this allows companies like Google to gather trends, create profiles and sell this valuable information to marketing companies. If internet users were to use a digital currency to make a micropayment – perhaps one-hundredth of a cent – for each search query that they perform, there would be less incentive for a search company to sell their personal data. Even if someone performed a hundred search queries per day they would end up paying only one cent – a small price to pay for one’s privacy.</p>
<p>Blockchain technology started as a means for making online transactions anonymous, but it would be a shame for it to stop there. The more researchers like me think about its potential, the more exciting possibilities emerge.</p>
<p class="fine-print"><em><span>Hitesh Tewari receives funding from Science Foundation Ireland (SFI) and Enterprise Ireland (EI). </span></em></p>
<p>More than ten years since blockchains were developed, their usefulness is only just being discovered.</p>
<p>Hitesh Tewari, Assistant Professor in the School of Computer Science and Statistics, Trinity College Dublin</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/117225 2019-05-22T23:16:42Z</p>
<p>Compelling people to reveal their passwords is posing a challenge to police and courts</p>
<figure><img src="https://images.theconversation.com/files/275728/original/file-20190521-23829-16v7xt8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">As police face greater obstacles with encryption, courts are divided on whether compelling people to reveal their passwords is legal. </span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>If someone was accused of a crime and police suspected that evidence could be found on their phone, would it surprise you to learn that the police can order them to provide their password?</p>
<p>Following <a href="https://www.legislation.gov.uk/ukpga/2000/23/section/49">Britain’s lead</a>, Australia recently <a href="http://www5.austlii.edu.au/au/legis/cth/consol_act/ca191482/s3la.html">passed a law</a> that allows police to compel decryption, which means forcing an accused person to provide their password or unlock a device. However, in Canada and the United States — countries with a constitutional bill of rights — courts are divided on whether compelling a person to reveal their password should be legal. </p>
<p>The issue comes up in cases where police need evidence on a laptop or phone that no company or agency can help them retrieve without a password, or without possibly destroying the data.</p>
<p>Does ordering you to hand over your password entail a form of self-incrimination or a violation of the right to silence? Would granting police the power to compel passwords cross a line centuries old against forcing a person to speak to build the case against them? Or should rights act as a trump card, effectively shutting down prosecutions — leaving victims without justice and shielding criminals from the law? </p>
<p>A <a href="http://canlii.ca/t/hxc08">recent Ontario case</a> is the first in Canada to deal with the matter directly, and highlights what’s at stake. As a law professor focusing on technology and rights, I was keen to see how the court would resolve these issues.</p>
<h2>Warrants for electronic data</h2>
<p>In the 2019 case of <a href="http://canlii.ca/t/hxc08">R v. Shergill</a>, the accused was charged with a series of sexual and child pornography offences involving a 15-year-old girl. Police obtained his phone upon arrest and a warrant to search it, but couldn’t open it without a password. </p>
<p>There are at present no powers in Canadian law that explicitly authorize police to compel an accused to provide a password or unlock a device. But courts do have the power to compel a person to help police do something to execute a warrant. </p>
<p>The Crown in Shergill asked the judge for an <a href="http://www.criminal-code.ca/criminal-code-of-canada-section-487-02-assistance-order/index.html">assistance order</a> that would compel the accused to open his phone. In response, the defence argued that doing so would offend <a href="https://www.justice.gc.ca/eng/csj-sjc/rfc-dlc/ccrf-ccdl/">Canada’s Charter of Rights and Freedoms</a>. </p>
<p>Drawing on American case law, the Crown responded that an order to compel a password would be Charter-compliant for two reasons.</p>
<h2>Complying with the Charter</h2>
<figure class="align-left zoomable">
<a href="https://images.theconversation.com/files/275938/original/file-20190522-187185-1tarx93.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/275938/original/file-20190522-187185-1tarx93.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/275938/original/file-20190522-187185-1tarx93.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=930&fit=crop&dpr=1 600w, https://images.theconversation.com/files/275938/original/file-20190522-187185-1tarx93.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=930&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/275938/original/file-20190522-187185-1tarx93.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=930&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/275938/original/file-20190522-187185-1tarx93.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1169&fit=crop&dpr=1 754w, https://images.theconversation.com/files/275938/original/file-20190522-187185-1tarx93.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1169&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/275938/original/file-20190522-187185-1tarx93.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1169&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A 1987 stamp showing the Canadian Charter of Rights and Freedoms, which protects individuals from self-incrimination.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<p>First, the Canadian Charter of Rights and Freedoms does not rule out all forms of compulsion: it permits an accused person to be forced to provide fingerprints, breath and DNA samples. It only prevents the Crown from compelling the accused to <em>testify</em>. </p>
<p>The Crown conceded that handing over a password is a form of testimony, but said the data on the phone is not. Since the data existed before the investigation, compelling an accused person to reveal their password does not force the accused to assist in creating the evidence against them; it only forces them to reveal that they know the password, a fact the court can exclude from the evidence considered in the trial.</p>
<p>Some scholars have gone further, <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3331348">arguing that a password shouldn’t even be considered testimony</a>, since it doesn’t serve the same expressive function as other forms of speech traditionally protected under the Constitution, such as art or political opinion.</p>
<p>The purpose of compelling an accused to reveal their password is not to conscript the accused in helping the prosecution build a case: it simply enables the state to access evidence to which it is lawfully entitled.</p>
<h2>The weight of tradition</h2>
<p>Justice Philip Downes, who presided over R v. Shergill, disagreed, setting out reasons that closely parallel the prevailing view on password compulsion in U.S. courts. </p>
<p>The act of providing a password or unlocking a phone is a form of testimony, because it entails communicating something that exists only in one’s mind. It is closer in nature to revealing the combination of a safe rather than handing over a physical key.</p>
<p>The data on a phone is also closely tied to the password. In practical terms, since police are unlikely to access the phone’s data without the password, it is unrealistic to say that when an accused is compelled to unlock a phone, the data pre-exists being compelled to do so. Essentially, by handing over their password, the accused creates the evidence used against them.</p>
<p>The judge conceded that encryption poses a serious hurdle for police. Constitutional rights should not serve as an absolute trump card over the state’s interest. But the breach of the accused’s rights here was fundamental in nature and the weight of authority favoured the accused.</p>
<h2>Passwords as testimony</h2>
<p>The debate in Canada and the U.S. over whether password compulsion is legal turns on the same core issues: is a password a form of testimony? Does the accused help to create the case against them by unlocking a phone? And what is the state’s interest here? Does encryption pose an insurmountable hurdle to prosecution, or is it often only a matter of convenience? </p>
<p>Some law scholars argue that with <a href="https://cyber.harvard.edu/pubrelease/dont-panic/">an ever-growing abundance of other sources of data</a>, compelled decryption is really only a matter of convenience. Others argue that in serious cases — murder, sexual assault — we can’t always <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2826869">find a true substitute for the data we fail to access behind encryption</a>.</p>
<p>One possible way forward is to engage in a balancing of interests on a case-by-case basis, similar to what we do when we decide whether evidence obtained in violation of rights should still be admissible. In each case, we could weigh the severity of the breach with the seriousness of the offence.</p>
<p>Regardless of the solution, however, the challenge that data encryption poses to law enforcement persists. For a society that values the rule of law, it will force us to make hard choices between liberty and justice.</p>
<p class="fine-print"><em><span>Robert Diab does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>In a recent Canadian court case, defence and prosecution argued over whether a suspect was required to provide his password to allow for a search warrant to be executed on his phone.</p>
<p>Robert Diab, Associate Professor, Faculty of Law, Thompson Rivers University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Regulations needed after cryptocurrency CEO takes passwords to his grave</h1>
<p>Published 2019-03-03T15:10:56Z</p>
<figure><img src="https://images.theconversation.com/files/261543/original/file-20190228-106347-da6xfg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Canadian CEO Gerald Cotten died in December, taking to his grave the passwords to unlock his cryptocurrency clients' millions. </span> <span class="attribution"><span class="source">Dmitry Moraine/Unsplash</span></span></figcaption></figure>
<p>A <a href="https://globalnews.ca/news/5001993/quadrigacx-ceo-chief-restructuring/">high-stakes legal drama</a> featuring cryptocurrencies has been unfolding in a Canadian court recently.</p>
<p>The antics that led to the litigation almost defy credulity, and they highlight the need for new regulations to better suit a financial marketplace that includes virtual currencies.</p>
<p><a href="https://www.coindesk.com/quadriga-creditor-protection-filing">News broke</a> in early February that Canadian cryptocurrency exchange QuadrigaCX was seeking creditor protection, leaving in financial limbo about 115,000 people who had entrusted the firm to maintain their deposits of cash, Bitcoins and other digital tokens worth an estimated C$250 million.</p>
<p>The company’s need for bankruptcy protection arose when its founder and chief operator, Gerald Cotten, <a href="https://www.huffingtonpost.ca/2019/02/04/canadian-ceo-gerald-cotten-dies-with-passwords-to-unlock-crypto-clients-190-million_a_23661485/">died suddenly in December while vacationing in India</a>. Normally, if a financial institution’s executive officer meets an untimely demise, he or she doesn’t bring to the afterworld the only keys to the vault, and thus clients maintain continued access to their deposited funds all the while.</p>
<p>In the case of Quadriga, unfortunately, Cotten was the only living soul who knew the password to an encrypted offline repository, known as cold storage, where the firm had enshrined the vast majority of clients’ cryptocurrency deposits. Without the password, no one can access those holdings.</p>
<h2>Murky or absent regulations</h2>
<p>While the Nova Scotia Supreme Court wades its way through some very novel and complex issues, the question that comes to my mind is: How has one bad decision about password custodianship caused more than 100,000 people to lose access to their deposits?</p>
<p>The answer lies in the murky and mostly lacking regulations that govern the cryptocurrency world. Nothing stops entrepreneurs like Cotten from running companies like Quadriga with no independent oversight. </p>
<p>Had he ever raised equity capital from investors in return for tokens or coins, that process would have been governed by Canadian securities regulations. But because Quadriga is an exchange — maintaining deposits and facilitating conversions between regular cash and cryptocurrencies, but not issuing cryptocurrencies in exchange for ownership shares — it operates in a regulatory vacuum.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/261545/original/file-20190228-106362-1fduezw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/261545/original/file-20190228-106362-1fduezw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=439&fit=crop&dpr=1 600w, https://images.theconversation.com/files/261545/original/file-20190228-106362-1fduezw.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=439&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/261545/original/file-20190228-106362-1fduezw.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=439&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/261545/original/file-20190228-106362-1fduezw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=552&fit=crop&dpr=1 754w, https://images.theconversation.com/files/261545/original/file-20190228-106362-1fduezw.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=552&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/261545/original/file-20190228-106362-1fduezw.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=552&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Stakeholders show up at Nova Scotia Supreme Court as Canada’s largest cryptocurrency exchange seeks creditor protection in the wake of the sudden death of its founder and chief executive in December.</span>
<span class="attribution"><span class="source">THE CANADIAN PRESS/Andrew Vaughan</span></span>
</figcaption>
</figure>
<p>In Canada, the <a href="http://www.osfi-bsif.gc.ca/eng/Pages/default.aspx">Office of the Superintendent of Financial Institutions</a> (OSFI) oversees banks that take regular dollar deposits. One might argue that the OSFI umbrella ought to be adapted to include oversight of virtual exchanges like Quadriga, even though such institutions are not technically banks and their deposits are non-traditional in nature.</p>
<p>That oversight would impose accounting standards and reporting requirements that would help prevent the sorts of irresponsible missteps that put Quadriga depositors in such a precarious position. </p>
<p>A likely side benefit of regulatory supervision would be the eventual development of standardized safeguards against hackers and other cybercriminal activity that plagues the cryptocurrency world.</p>
<h2>Lack of regulations attractive to some</h2>
<p>A feature that draws many crypto enthusiasts to the virtual currency sector is the very fact that it lacks government oversight, and those individuals will bristle at any hint of new regulations.</p>
<p>Members of the general public might also be leery of new laws lest they grant an undeserved sheen of legitimacy to cryptocurrencies, which are not suitable investments for anyone except the most risk-loving of speculators.</p>
<p>But in Canada, we regulate many industries that are risky or distasteful to some, including gambling, alcohol, tobacco and marijuana. The underlying calculus is that providing standards for certain illicit activities is preferable to driving those activities to the black market, where the risks would be amplified.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/261544/original/file-20190228-106347-1ny1lyy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/261544/original/file-20190228-106347-1ny1lyy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/261544/original/file-20190228-106347-1ny1lyy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=656&fit=crop&dpr=1 600w, https://images.theconversation.com/files/261544/original/file-20190228-106347-1ny1lyy.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=656&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/261544/original/file-20190228-106347-1ny1lyy.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=656&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/261544/original/file-20190228-106347-1ny1lyy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=825&fit=crop&dpr=1 754w, https://images.theconversation.com/files/261544/original/file-20190228-106347-1ny1lyy.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=825&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/261544/original/file-20190228-106347-1ny1lyy.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=825&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Three cheers for avoiding blindness! Regulation of a variety of illicit activities is generally beneficial.</span>
<span class="attribution"><span class="source">MaxPixel</span>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>For instance, a benefit of buying my beloved guilty pleasure of choice, craft gins, from a regulated marketplace is that I can imbibe confident in the knowledge that my cocktails are free from wood alcohol. Three cheers for avoiding blindness! </p>
<p>We cannot protect Canadians from all possible risks, especially when it comes to financial markets. And to be clear, I am not suggesting that we indemnify cryptocurrency speculators against losses that may arise from taking calculated risks, such as the beating that some fortune-seekers have taken since Bitcoin valuations plummeted from stratospheric heights. </p>
<p>Rather, I propose that depositors ought not to be penalized for the indiscretions of the custodians to whom they entrust their financial holdings.</p>
<p><em>This is a corrected version of a story originally published on March 3, 2019. The earlier story said US$250 million instead of C$250 million.</em></p>
<p class="fine-print"><em><span>Lisa Kramer receives funding from the Social Sciences and Humanities Research Council of Canada. </span></em></p>
<p>The CEO of a Canadian cryptocurrency company died recently, and took his passwords with him, leaving his clients high and dry. The debacle illustrates again that cryptocurrencies should be regulated.</p>
<p>Lisa Kramer, Professor of Finance, University of Toronto</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>A secure relationship with passwords means not being attached to how you pick them</h1>
<p>Published 2019-02-14T11:47:49Z</p>
<figure><img src="https://images.theconversation.com/files/258020/original/file-20190208-174883-1f0d4fz.jpg?ixlib=rb-1.1.0&rect=239%2C0%2C4072%2C3325&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Many people don't want to let go of how they create passwords.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/brunette-woman-hug-laptop-computer-she-34576777">Tono Balaguer/Shutterstock.com</a></span></figcaption></figure>
<p>When you are asked to create a password – either for a new online account or resetting login information for an existing account – you’re <a href="https://doi.org/10.4018/joeuc.2004070103">likely to choose a password you know you can remember</a>. Many people use <a href="https://www.theverge.com/2018/12/13/18139431/donald-trump-2018-worst-password-splashdata">extremely basic passwords</a>, or a more obscure <a href="https://pixelprivacy.com/resources/reusing-passwords/">one they reuse across many sites</a>. <a href="https://doi.org/10.1016/j.cose.2018.12.018">Our research</a> has found that others – even ones who use different passwords for each site – have a method of devising them, for instance basing them all on <a href="https://www.troyhunt.com/science-of-password-selection/">a familiar phrase and making site-specific tweaks</a>.</p>
<p>In all those cases, the people are creating weak passwords that are easily guessed – especially when up against automated password-cracking software that can test <a href="https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/">thousands of possibilities a second</a>. One reason for this weakness might well be their users’ emotional connection to their preexisting password creation routine. </p>
<p>Cybersecurity efforts often encourage people to choose stronger passwords, but rarely acknowledge the idea that people have this feeling of attachment. They focus on the measurable improvement in security without realizing they’re trying to persuade people to switch to a <a href="https://theconversation.com/choose-better-passwords-with-the-help-of-science-82361">less personal method</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/258244/original/file-20190211-174864-1esxtyw.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/258244/original/file-20190211-174864-1esxtyw.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/258244/original/file-20190211-174864-1esxtyw.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=487&fit=crop&dpr=1 600w, https://images.theconversation.com/files/258244/original/file-20190211-174864-1esxtyw.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=487&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/258244/original/file-20190211-174864-1esxtyw.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=487&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/258244/original/file-20190211-174864-1esxtyw.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=612&fit=crop&dpr=1 754w, https://images.theconversation.com/files/258244/original/file-20190211-174864-1esxtyw.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=612&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/258244/original/file-20190211-174864-1esxtyw.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=612&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">There’s a better way to choose a secure password.</span>
<span class="attribution"><a class="source" href="https://xkcd.com/936/">XKCD</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<h2>Insecure tendencies</h2>
<p><a href="https://www.veridiumid.com/blog/new-study-confirms-passwords-are-weakest-link-in-security/">Passwords are key to cybersecurity</a> for people and companies. A single bad password can grant a hacker access to an <a href="https://www.nopsec.com/weak-passwords-exploit/">entire network of computers and data-storage servers</a>.</p>
<p>As a result, many computer systems <a href="https://www.us-cert.gov/ncas/tips/ST04-002">force users to create new passwords regularly</a> – say, every 30 or 45 days – and require every password to contain capital letters, numbers and punctuation characters even though <a href="https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/">federal experts advise against</a> both of these practices. Regularly requiring people to choose new passwords that are hard to remember leads to unfortunate side effects. People could <a href="https://www.pandasecurity.com/mediacenter/security/password-reuse/">reuse a strong password</a> on several sites, or they could write down the new password – which is <a href="https://theconversation.com/clean-up-your-cyber-hygiene-6-changes-to-make-in-the-new-year-108565">safe only if you trust the other people</a> who have access where you store the record.</p>
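<p>The contrast drawn above, between composition-and-rotation rules and what the federal guidance (NIST Special Publication 800-63B) actually recommends for memorized secrets, shown as an added example; this is not code from the article or its authors. <code>legacy_policy</code> models the rule set the article criticises. <code>nist_policy</code> keeps only a length floor, a lookup against a blocklist of common and breached passwords (here a small constructed sample standing in for a real breached-password corpus), a check for context-specific words such as the site name (which also catches the "familiar phrase plus site-specific tweak" habit described earlier in the piece) and a repetitive/sequential-character check; it imposes no character-class rules and no calendar-driven rotation. Function names, the 128-character cap and the sample passwords are this example's own choices.</p>

```python
"""Two password-acceptance policies side by side.

Added example, not code from the article or its authors. "legacy_policy" models
the composition rules the article criticises; "nist_policy" follows the
published NIST SP 800-63B guidance for memorized secrets (minimum length,
blocklist of common/breached passwords, no composition rules, no arbitrary
rotation). BLOCKLIST is a small constructed sample; a real verifier would load
a large breached-password corpus.
"""
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample; stands in for a multi-million-entry breached-password list.
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "123456", "12345678", "qwerty",
    "letmein", "welcome1", "iloveyou", "admin123", "football", "monkey",
}

# Substitutions users make to satisfy composition rules. Undoing them before
# the blocklist lookup is what lets the check catch "P@ssw0rd1".
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e"})


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def legacy_policy(pw: str) -> Verdict:
    """8+ characters with an upper-case letter, a digit and punctuation.

    There is no blocklist, so a breached favourite such as "P@ssw0rd1" passes,
    while a long random passphrase with no symbols is rejected.
    """
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        reasons.append("no upper-case letter")
    if not re.search(r"\d", pw):
        reasons.append("no digit")
    if not re.search(r"[^\w\s]", pw):
        reasons.append("no punctuation character")
    return Verdict(not reasons, reasons)


def _lookup_forms(pw: str) -> set:
    """Variants of pw compared against the blocklist: case-folded, with
    leetspeak undone, and with trailing digits/punctuation stripped."""
    base = pw.lower()
    forms = {base, base.translate(LEET)}
    forms |= {re.sub(r"[\d\W_]+$", "", f) for f in list(forms)}
    return {f for f in forms if f}


def _has_sequential_run(s: str, n: int = 4) -> bool:
    """True if s contains n consecutive code points ascending by one ("1234", "abcd")."""
    s = s.lower()
    return any(
        all(ord(s[i + j + 1]) - ord(s[i + j]) == 1 for j in range(n - 1))
        for i in range(len(s) - n + 1)
    )


def nist_policy(pw: str, username: str = "", site: str = "") -> Verdict:
    """Length + blocklist + context words, as NIST SP 800-63B recommends.

    Deliberately absent: character-class requirements and a rotation timer.
    The 128-character cap is this example's choice; the guidance only asks
    that at least 64 characters be accepted.
    """
    pw = unicodedata.normalize("NFKC", pw)  # normalise before comparing/hashing
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 128:
        reasons.append("longer than 128 characters")
    if _lookup_forms(pw) & BLOCKLIST:
        reasons.append("appears on the common/breached password blocklist")
    for word in (username, site):
        if word and word.lower() in pw.lower():
            reasons.append(f"contains context-specific word {word!r}")
    if re.search(r"(.)\1{3,}", pw) or _has_sequential_run(pw):
        reasons.append("repetitive or sequential characters")
    return Verdict(not reasons, reasons)


def rotation_required(compromised: bool) -> bool:
    """800-63B: force a change only on evidence of compromise, not on a calendar."""
    return compromised


if __name__ == "__main__":
    samples = [("P@ssw0rd1", ""), ("correct horse battery staple", ""),
               ("examplebank2019!", "examplebank"), ("1234abcd", "")]
    for pw, site in samples:
        verdict = nist_policy(pw, site=site)
        print(f"{pw!r:34} legacy={legacy_policy(pw).ok!s:5} "
              f"nist={verdict.ok!s:5} {'; '.join(verdict.reasons)}")
```

<p>Running the sample list shows the inversion the paragraph describes: the composition-rule policy accepts <code>P@ssw0rd1</code> and rejects a 28-character passphrase, while the blocklist-based policy does the opposite. The leetspeak and trailing-suffix normalisation in <code>_lookup_forms</code> is what makes a short blocklist effective against the "tweaked" variants people reach for when a complexity rule blocks their first choice.</p>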
<p>Training people to create secure passwords <a href="https://www.cscan.org/?page=openaccess&eid=17&id=289">hasn’t made much of a difference</a> to overall password security on the internet. People may <a href="https://www.pcworld.com/article/260453/users_are_still_the_weakest_link.html">not understand the risks</a> related to weak passwords – though some experts blame <a href="https://www.information-age.com/employees-businesses-weakest-link-123470435/">character flaws</a>, <a href="https://www.cio.com/article/2372868/enterprise-software/stupid-users-are-so-stupid.html">stupidity</a> or <a href="https://www.ghacks.net/2018/12/16/weak-passwords-2/">just plain indifference</a>. </p>
<h2>The endowment effect</h2>
<p><a href="https://doi.org/10.1016/j.cose.2018.12.018">Our research</a> has identified another explanation for why people choose weak passwords: People feel that they own, and are emotionally attached to, the way they usually create passwords. In behavioral economics, this kind of response is called the <a href="https://dictionary.apa.org/endowment-effect">endowment effect</a>, in which people so <a href="https://www.businessinsider.com/endowment-effect-why-people-overvalue-things-2016-4?r=US&IR=T">overvalue their existing possessions</a> that they <a href="http://doi.org/10.1257/jep.5.1.193">don’t want to exchange them for other items</a> – even if the new item is better or more valuable.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/258023/original/file-20190208-174864-11dkij6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/258023/original/file-20190208-174864-11dkij6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/258023/original/file-20190208-174864-11dkij6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=873&fit=crop&dpr=1 600w, https://images.theconversation.com/files/258023/original/file-20190208-174864-11dkij6.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=873&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/258023/original/file-20190208-174864-11dkij6.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=873&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/258023/original/file-20190208-174864-11dkij6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1097&fit=crop&dpr=1 754w, https://images.theconversation.com/files/258023/original/file-20190208-174864-11dkij6.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1097&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/258023/original/file-20190208-174864-11dkij6.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1097&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Seriously, it’s time to replace this old clothes washer.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/old-washing-machine-isolated-on-white-158573060">Dja65/Shutterstock.com</a></span>
</figcaption>
</figure>
<p>The endowment effect is usually applied to physical goods – and may help explain why your grandmother doesn’t want to get a new washing machine to replace her decades-old one. Our research suggests that the same psychological process influences how people contemplate their password creation routines.</p>
<p>In our study, we asked 419 participants how they created their passwords. Many used something they already knew, such as a pet name or their own birthday. Others had developed a personal system. They might have a root password and then personalize it for every different site, use a pattern on the keyboard or make up a silly sentence.</p>
<p>When we probed more deeply, we found that people felt a sense of ownership and personal pride about their password creation routine. One said “I think my way is a good system.” In addition, we found that they overvalued their own method and felt threatened by suggestions that it was flawed. </p>
<p>We provided a scenario where “Terry” derides “Pat’s” password creation routine, and then asked people how they thought Pat would react. The most popular responses were: becoming defensive, avoiding the conversation or withdrawing from it. All of these suggest that a critique of a personal password routine was perceived as an attack or a threat. </p>
<p>These answers lined up perfectly with the endowment effect, as did our finding that the participants labored under the illusion that their passwords provided more protection than they actually did.</p>
<h2>More than just a habit</h2>
<p>The attachment people feel to their password-choosing method is more than just a habit. Psychologically speaking, a habit is a <a href="https://charlesduhigg.com/the-power-of-habit/">behavior cued by an event</a> or an item in the environment – like brushing teeth before bed, washing hands before meals or switching off lights when leaving a room. They’re often nearly automatic, and don’t require a deliberate decision or much thought. Something that’s a habit seems to occur naturally, without any deliberate decision triggering its activation.</p>
<p>Choosing a password is different. It always requires deliberate and effortful cognition. That’s what brings the endowment effect into play. Cybersecurity training programs should include information not only about <a href="https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/">how to choose</a> more secure passwords, but also should acknowledge that users may feel a sense of loss about the change. </p>
<p>People won’t pick stronger passwords just because they’re asked to. If they feel their existing methods are being treated with disdain, they might perceive that as a personal attack, and become even less likely to adopt more secure practices.</p>
<p>Instead, security experts should find ways to minimize users’ sense of loss – and perhaps even encourage them to find a new emotional connection to a more secure method of choosing.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>When it comes to picking a new password, people’s resistance to change can make them less secure online.</p>
<p>Merrill Warkentin, James J. Rouse Endowed Professor of Information Systems, Mississippi State University</p>
<p>Karen Renaud, Professor of Cybersecurity, Abertay University</p>
<p>Robert Otondo, Associate Professor of Information Systems, Mississippi State University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Data breaches are inevitable – here’s how to protect yourself anyway</h1>
<p>Published 2019-01-18T11:41:54Z</p>
<figure><img src="https://images.theconversation.com/files/253772/original/file-20190114-43507-19iwykn.jpg?ixlib=rb-1.1.0&rect=108%2C65%2C4716%2C4058&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Prepare to protect yourself.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/lightning-strikes-knight-on-battlefield-440619679">FXQuadro/Shutterstock.com</a></span></figcaption></figure>
<p>It’s tempting to give up on data security altogether, with all the billions of pieces of personal data – <a href="https://www.foxnews.com/tech/oklahoma-government-data-leak-exposed-fbi-investigations-emails-dating-back-17-years-social-security-numbers">Social Security numbers</a>, credit cards, home addresses, phone numbers, <a href="https://www.zdnet.com/article/over-87gb-of-email-address-and-passwords-exposed-in-collection-1-dump/">passwords and much more</a> – <a href="https://finance.yahoo.com/news/tell-account-1-50-million-213639244.html">breached</a> and <a href="http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/">stolen in recent years</a>. But that’s not realistic – nor is the idea of going offline entirely. In any case, <a href="https://theconversation.com/equifax-breach-is-a-reminder-of-societys-larger-cybersecurity-problems-84034">huge data-collection corporations</a> vacuum up data about almost every American without their knowledge.</p>
<p>As <a href="https://scholar.google.com/citations?user=YBp-2_4AAAAJ&hl=en">cybersecurity</a> <a href="https://scholar.google.com/citations?user=fUzQI8wAAAAJ&hl=en">researchers</a>, we offer good news to brighten this bleak picture. There are some simple ways to protect your personal data that can still be effective, though they involve changing how you think about your own information security.</p>
<p>The main thing is to assume that you are a target. Though most individual people aren’t specifically being watched, software that mines massive troves of data – enhanced by artificial intelligence – can target vast numbers of people almost as easily as any one person. Think defensively about how you can protect yourself from an almost inevitable attack, rather than assuming you’ll avoid harm.</p>
<h2>What’s most important now?</h2>
<p>That said, it’s unproductive and frustrating to think you must pay attention to every possible avenue of attack. Simplify your approach by focusing on what information you most want to protect. </p>
<p>Covering the obvious, <a href="https://theconversation.com/the-petya-ransomware-attack-shows-how-many-people-still-dont-install-software-updates-77667">keep your software up-to-date</a>. Software companies issue updates when they fix <a href="https://theconversation.com/what-are-software-vulnerabilities-and-why-are-there-so-many-of-them-77930">security vulnerabilities</a>, but if you don’t download and install them, you’re leaving yourself unprotected from malware such as <a href="https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-a-keylogger/">keystroke loggers</a>. Also, <a href="https://theconversation.com/spearphishing-roiled-the-presidential-campaign-heres-how-to-protect-yourself-68274">be smart about what links you click</a> in your email or when browsing the web – you could inadvertently download malicious software to your phone or computer, or allow hackers access to your online accounts. </p>
<p>In terms of online data, the most important information to protect is your login credentials for key accounts – like banking, government services, email and social media. You can’t do much about how well websites and companies safeguard your information, but you can make it harder for hackers to get into your accounts, or at least into more than one of them.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/253773/original/file-20190114-43517-10199bh.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/253773/original/file-20190114-43517-10199bh.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/253773/original/file-20190114-43517-10199bh.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=397&fit=crop&dpr=1 600w, https://images.theconversation.com/files/253773/original/file-20190114-43517-10199bh.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=397&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/253773/original/file-20190114-43517-10199bh.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=397&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/253773/original/file-20190114-43517-10199bh.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=499&fit=crop&dpr=1 754w, https://images.theconversation.com/files/253773/original/file-20190114-43517-10199bh.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=499&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/253773/original/file-20190114-43517-10199bh.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=499&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Reusing login names and passwords is a significant risk.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/login-password-on-computer-screen-80294515">Mihai Simonia/Shutterstock.com</a></span>
</figcaption>
</figure>
<p>How? The first step is to use a different username and password on each crucial site or service. This can be complicated by sites’ limits on username options – or their dependence on email addresses. Similarly, many sites have requirements on passwords that limit their length or the number or type of characters that they can include. But do your best.</p>
<p>The reason for this is straightforward: When a bunch of usernames and passwords fall into malicious hands, hackers know it’s human nature to <a href="https://www.zdnet.com/article/repeat-after-me-reusing-passwords-is-bad/">repeat usernames and passwords across many sites</a>. So they <a href="https://finance.yahoo.com/news/1-9-billion-stolen-passwords-173207888.html">almost immediately start trying those combinations</a> anywhere they can – like major banks and email services. A chief information security officer we know in the banking industry told us that after the <a href="https://www.nbcnews.com/tech/tech-news/yahoo-pay-50m-offer-credit-monitoring-massive-security-breach-n923531">Yahoo breach of a few years ago</a>, banking sites were hit with multiple attempts to log in with credentials stolen from Yahoo. </p>
<h2>Use long passwords</h2>
<p>There has been a lot of research about what <a href="https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/">makes a strong password</a> – which has often led to many people using complex passwords like “7hi5!sMyP@s4w0rd.” But more recent research suggests that what matters much more is that <a href="https://crambler.com/password-security-why-secure-passwords-need-length-over-complexity/">passwords are long</a>. That’s what makes them <a href="https://www.betterbuys.com/estimating-password-cracking-times/">more resistant to an attempt to guess them</a> by trying many different options. Longer passwords don’t have to be harder to remember: They could be easily recalled phrases like “MyFirstCarWasAToyotaCorolla” or “InHighSchoolIWon9Cross-CountryRaces.” </p>
<p>It can be daunting to think about remembering all these different usernames and passwords. Password management software can help – though choose carefully as more than one of them have <a href="https://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571">been</a> <a href="https://www.zdnet.com/article/data-of-2-4-million-blur-password-manager-users-left-exposed-online/">breached</a>. It can be even safer – despite conventional wisdom and decades of security advice – to write them down, so long as you trust everyone who has access to your home. </p>
<h2>Use a third line of defense</h2>
<figure class="align-right ">
<img alt="" src="https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=250&fit=crop&dpr=1 600w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=250&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=250&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=314&fit=crop&dpr=1 754w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=314&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=314&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Have hackers driven us back to the age of the physical key?</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File%3AU2F.USB-Token.jpg">Bautsch</a></span>
</figcaption>
</figure>
<p>To add <a href="https://theconversation.com/clean-up-your-cyber-hygiene-6-changes-to-make-in-the-new-year-108565">another layer of protection</a> – including against troublesome housemates – many sites (<a href="https://www.google.com/landing/2step/">Google</a>, for example) let you turn on what’s called multi-factor authentication. This can be an app on your smartphone that generates a numeric code every 30 seconds or so, or a physical item you <a href="https://theconversation.com/the-age-of-hacking-brings-a-return-to-the-physical-key-73094">plug into your computer’s USB port</a>. While they can <a href="https://www.howtogeek.com/361244/sms-two-factor-auth-isn%E2%80%99t-perfect-but-you-should-still-use-it/">afford at least some protection</a>, <a href="https://theconversation.com/encrypted-smartphones-secure-your-identity-not-just-your-data-91715">be wary of sites</a> that send you a <a href="https://www.computerweekly.com/news/252455536/2FA-bypass-tool-highlights-top-business-security-vulnerabilities">text with a code</a>; <a href="http://fortune.com/2016/07/26/nist-sms-two-factor/">that method</a> <a href="https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin">is vulnerable</a> <a href="https://www.theverge.com/2018/11/16/18098286/vovox-security-breach-two-factor-authentication-2fa-codes-exposed">to interception</a>.</p>
<p>With these straightforward steps – and the new mindset of thinking like a target who wants to avoid getting hit – you’ll be far less worried when news breaks of the next breach of some company’s enormous data files. Bad guys may get one of your usernames, and maybe even one of your passwords – so you’ll have to change those. But they won’t have all your credentials for all your online accounts. And if you use multi-factor authentication, the bad guys might not even be able to get into the account whose credentials they just stole.</p>
<p>Focus on what’s most important to protect, and use simple – but effective – methods to protect yourself and your information.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Think defensively about your online accounts and data security – and don’t assume you’ll avoid harm.</p>
<p>W. David Salisbury, Sherman-Standard Register Professor of Cybersecurity Management, Director Center for Cybersecurity &amp; Data Intelligence, University of Dayton; Rusty Baldwin, Distinguished Research Professor of Computer Science; Director of Research, Center for Cybersecurity and Data Intelligence, University of Dayton</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>Marriott data breach: 500 million times concerned</h2>
<p>2019-01-01T23:30:52Z</p>
<p>On November 30, 2018, <a href="http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/">Marriott International announced</a> an enormous data breach concerning <a href="https://answers.kroll.com/">500 million clients</a>, the second biggest ever. With new data breaches being announced almost daily, you have to ask yourself, how is this possible?</p>
<p>Given the number and the magnitude of all the data breaches, stealing data on the Internet seems easy. However, hackers’ failures are rarely reported, since, as with any crime, their unsuccessful attempts are by nature hidden. Clearly, criminals keep trying to break into information systems, at least because there are plenty of easy targets in cyberspace and because that’s where the money is, as the saying goes. For example, in general, <a href="https://arstechnica.com/information-technology/2015/09/new-stats-show-ashley-madison-passwords-are-just-as-weak-as-all-the-rest/">individuals do not really protect themselves</a>. Many people buy connected devices and forget to change the <a href="http://time.com/5071176/worst-passwords-2017/">default password</a> – it’s like leaving your house keys in the door. Every parent should fear having hackers <a href="https://www.themodernrogue.com/articles/2018/2/22/5-crappy-toys-that-people-hacked-into-awesomeness">talking to their kids through their toys</a>.</p>
<p>Also, many small businesses very often have little or no cybersecurity. In some cases, the hackers could do whatever they wanted. Once, they stayed <a href="https://www.digitec.ch/fr/page/declaration-concernant-la-fuite-digitec-6265">10 years in the information system of one company</a>. The only good news is the poor quality of the information in their databases. Like: “Mr Smith123 lives in New iork cityu, Thailand, Passeport number: ABCD. Credit Card: Expired five years ago”. With so many errors, such databases are not worth anything.</p>
<h2>Plenty of cases</h2>
<p>Of course, major companies are clearly the targets of skilled hackers. In recent years, plenty of them or their subsidiaries have been victims of hacking, such as <a href="https://www.youtube.com/watch?reload=9&v=RrMsxXYjef0">Equifax</a>, <a href="https://www.dw.com/en/yahoo-says-all-3-billion-users-affected-by-2013-hack/a-40793569">Yahoo</a>, <a href="https://www.independent.co.uk/life-style/gadgets-and-tech/facebook-hack-check-if-data-stolen-breach-cyber-attack-account-a8582556.html">Facebook</a>, <a href="https://www.bbc.co.uk/news/technology-42075306">Uber</a>, <a href="https://www.cnet.com/news/ebay-hacked-requests-all-users-change-passwords/">eBay</a>, <a href="https://www.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282">Home Depot</a>, <a href="https://www.bloomberg.com/news/articles/2017-07-17/fedex-says-tnt-systems-may-never-fully-recover-from-cyberattack">FedEx</a> and <a href="https://www.theregister.co.uk/2014/12/23/jpmorgan_breach_probe_latest/">JP Morgan Chase</a>. In the new <a href="https://www.consumer.ftc.gov/blog/2018/12/marriott-data-breach">Marriott data breach</a>, the intruders quietly spent four years sucking the Marriott information system dry. The criminals were able to extract sensitive information about the 500 million guests. No problem at Marriott with their new golden rule: <a href="http://marriott-hotels.marriott.com/">“travel brilliantly”</a>, protect strangely, hack splendidly.</p>
<h2>Green flags for hackers</h2>
<p>Looking at the different cases, hackers seem to be looking for green flags before acting. Thus, each time a firm launches a new product on a large scale in a very competitive market and strives to beat competitors, the firm may forget about logistics and cyber security, and this moment could therefore be an opportunity for hackers. The structure of an organization could also give a “go” sign to hackers. When the Chief Information Officer reports only to the Chief Financial Officer, a cost-reduction strategy may imply low cyber security budgets. When a new CEO screams to investors that it is time for austerity and cuts in spending, cyber security programmes could suffer and hackers could find themselves welcome. The <a href="https://www.cnbc.com/2018/11/30/marriott-hack-raises-questions-about-merger-diligence-tools-in-use.html">Marriott case illustrates another green-flag moment</a>: a new merger or a great acquisition. Indeed, the hackers may invite themselves to the “wedding”. In such a situation, executives are busy fighting to keep their positions and to influence the business, while at the same time the difficult integration of different information systems creates security issues. The hackers could take this opportunity to break in.</p>
<p>Facing so many cyber security issues, we could question governmental action. Government defence is very difficult since hacking is more often than not transnational and hackers hide their tracks. For example, the Marriott breach has been linked to the <a href="https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html">Chinese Ministry of State Security</a>. Hackers working from abroad and protected by their governments are obviously <a href="https://www.justice.gov/opa/page/file/1098481/download">hard to catch</a>. Curiously, governments could also help hackers. For example, when the <a href="https://www.us-cert.gov/">United States Computer Emergency Readiness Team</a> (CERT) notified the world about the Apache Struts issue, hackers started scanning the Internet for potential victims. However, the <a href="https://www.gao.gov/products/GAO-18-559">Equifax staff failed to apply patches to the flaw</a>, and only after 76 days and 9,000 queries (unnoticed, of course) did Equifax staff start worrying about a data breach that concerned over 150 million people.</p>
<h2>No 100% safety on the Internet</h2>
<p>With hackers having so much success, the question is: should we be worried? As the <a href="https://www.marriott.co.uk/about/privacy.mi">Marriott website</a> stated: <em>“We seek to use reasonable organizational, technical and administrative measures to protect Personal Data. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure.”</em> Indeed, as the Marriott cyber experts put it: <a href="http://www.govtech.com/security/FBI-Agent-Says-No-Computer-is-Safe.pdf">no safety is possible at 100%</a>. So all of us should be worried, since there is no safe place in cyberspace. In the end, whatever the technical layers of security, there is always a human mistake to be made. The hackers are just waiting for it.</p>
<p class="fine-print"><em><span>Bertrand Venard is conducting a major research project about cybersecurity behaviour, funded by the European Union (Project Number : 792137). </span></em></p>
<p>On November 30, 2018, Marriott International announced a data breach concerning 500 million clients, the second biggest ever. With new data breaches announced nearly every day, everyone is now wondering how this was possible.</p>
<p>Bertrand Venard, Professor, Audencia</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>Clean up your cyber-hygiene – 6 changes to make in the new year</h2>
<p>2018-12-28T13:14:43Z</p>
<figure><img src="https://images.theconversation.com/files/250725/original/file-20181214-185234-d2hoej.jpg?ixlib=rb-1.1.0&rect=510%2C248%2C3851%2C2654&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">What dangerous experiences lurk behind the use of this trackpad?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/miniature-hazmat-hazardous-materials-team-inspects-6114583">Amy Walters/Shutterstock.com</a></span></figcaption></figure>
<p><a href="https://www.fastcompany.com/90272858/how-our-data-got-hacked-scandalized-and-abused-in-2018">Data breaches</a>, <a href="https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/unseen-threats-imminent-losses">widespread malware attacks</a> and <a href="https://www.nytimes.com/2018/08/16/technology/facebook-microtargeting-advertising.html">microtargeted personalized advertising</a> were lowlights of digital life in 2018. </p>
<p>As technologies change, <a href="https://www.cnet.com/news/father-of-passwords-bill-burr-regrets-the-advice-he-gave/">so does the advice</a> security experts give for how to best stay safe. As 2019 begins, <a href="https://scholar.google.com/citations?user=MKZBcasAAAAJ&hl=en">I’ve pulled together</a> a short list of suggestions for keeping your digital life secure and free of manipulative disinformation. </p>
<h2>1. Set your boundaries and stick to them</h2>
<p>As part of my research, I’ve recently been speaking with a number of sex workers in Europe about their digital security and privacy. One consistent thing I’ve heard from them is, “The best way to stay safe is to set boundaries.” Decide – on your own, and in advance – what data you’re willing to share with apps and online services, and stick to those limits.</p>
<p>That way, when the latest new app asks you for a permission that oversteps what you’re willing to share, you’ll be more prepared to answer. Also set limits on the online discussions you’re willing to participate in; bow out when a discussion is hurting more than helping you. It’s even useful to set boundaries for how much time you’re willing to spend on digital security – which could be an endless task. </p>
<h2>2. Burst your filter bubble</h2>
<p>People who <a href="http://www.pewresearch.org/fact-tank/2018/12/10/social-media-outpaces-print-newspapers-in-the-u-s-as-a-news-source/">get their news primarily</a> – or exclusively – from social media are subjecting themselves to the <a href="https://theconversation.com/social-media-companies-should-ditch-clickbait-and-compete-over-trustworthiness-88827">whims of the algorithms</a> that decide what to display to each user. </p>
<p>Because of how these algorithms work, those people are likely to see articles <a href="http://science.sciencemag.org/content/348/6239/1130">only from news sources they already like</a> and tend to agree with. This isolation from people with other views, and from evidence that might challenge particular perspectives, contributes to <a href="https://arxiv.org/abs/1808.09218">unprecedented levels of partisanship and disagreement</a> in modern society. </p>
<p>Free online tools like <a href="https://www.allsides.com/">AllSides</a> and <a href="https://twitter-app.mpi-sws.org/purple-feed/app-tweet.php?query=All%20High%20Consensus">Purple Feed</a> are some places that show news reports and social media posts from differing political perspectives, and identify information that’s generally agreed upon across the political spectrum. </p>
<h2>3. Manage your passwords</h2>
<p>The biggest threat to password security is no longer the <a href="https://gizmodo.com/the-25-most-popular-passwords-of-2018-will-make-you-fee-1831052705">strength of your passwords</a> but the fact that many people <a href="http://dx.doi.org/10.14722/ndss.2014.23357">reuse the same passwords</a> for all, or many, of their accounts. Researchers are busy designing notifications to tell you when one of these reused passwords has been <a href="https://doi.org/10.1145/3243734.3243767">leaked to the world</a>, but it’s safer to use different passwords, especially for your most valuable accounts.</p>
<p>You can use <a href="https://theconversation.com/using-truly-secure-passwords-6-essential-reads-84092">password manager software</a>. Or, use the original low-tech method, <a href="https://www.vox.com/2014/4/16/5614258/the-best-defense-against-hackers-writer-your-passwords-down-on-paper">writing your passwords down on paper</a>. Believe it or not, it’s much safer to write them down than reuse the same password everywhere. Of course, this is true only if you’re sure the people you live with or frequent visitors to your home won’t try to get into your accounts.</p>
<h2>4. Turn on multi-factor authentication</h2>
<p>Adding an additional step for logging in to your most important social media, email and financial accounts can add lots of protection. Multi-factor authentication systems are best known for texting you a six-digit code to type in as part of your login process. While any multi-factor authentication is better than none, text messages can fairly easily be <a href="https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin">intercepted or spied on</a>. An even <a href="https://theconversation.com/encrypted-smartphones-secure-your-identity-not-just-your-data-91715">safer route</a> is to use a special code-generating app on your phone.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=250&fit=crop&dpr=1 600w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=250&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=250&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=314&fit=crop&dpr=1 754w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=314&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/161839/original/image-20170321-5405-mcf0su.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=314&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A physical item can add login protection.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File%3AU2F.USB-Token.jpg">Bautsch/Wikimedia Commons</a></span>
</figcaption>
</figure>
<p>People who change phones or SIM cards often, or who want additional protection, might consider using a <a href="https://theconversation.com/the-age-of-hacking-brings-a-return-to-the-physical-key-73094">physical key</a> that plugs into your computer to authorize a login. They can take a bit more time to <a href="https://www.yubico.com/setup/">set up initially</a>, but then work much faster than most other methods. </p>
<h2>5. Delete apps you don’t use</h2>
<p>Smartphone apps <a href="https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html">track where you are</a> <a href="https://theconversation.com/your-smartphone-apps-are-tracking-your-every-move-4-essential-reads-108586">very closely</a>, and <a href="https://theconversation.com/7-in-10-smartphone-apps-share-your-data-with-third-party-services-72404">share your location data</a> with advertising and marketing companies.</p>
<p>Just <a href="https://theconversation.com/your-mobile-phone-can-give-away-your-location-even-if-you-tell-it-not-to-65443">carrying a phone in your pocket</a> can give tracking companies clues to where you go and how long you stay, and technical details about your phone can <a href="https://doi.org/10.1007/978-3-319-29883-2_18">offer clues to your identity</a>.</p>
<p>If you don’t use an app anymore, uninstall it from your phone. If you need it again, you can always reinstall it quickly – but in the meantime, it won’t be tracking you around the world and around the web.</p>
<h2>6. Keep the apps you do use up-to-date</h2>
<p>Software companies don’t always know about all the vulnerabilities in their programs – and when they issue updates users don’t always know if they’re <a href="https://www.scientificamerican.com/article/why-installing-software-updates-makes-us-wannacry/">fixing a major problem</a> or something minor. The top piece of advice experts give is to <a href="https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf">keep your software up-to-date</a> on your computers and your mobile devices.</p>
<p>Having spent 2018 worrying about how hackers, <a href="https://theconversation.com/facebook-is-killing-democracy-with-its-personality-profiling-data-93611">corporate executives</a> and <a href="https://theconversation.com/programmers-need-ethics-when-designing-the-technologies-that-influence-peoples-lives-100802">hurried programmers</a> might be trying to exploit your data and your cognitive and digital vulnerabilities, resolve to be more secure in 2019.</p>
<p class="fine-print"><em><span>Elissa Redmiles receives funding from the National Science Foundation and Facebook. This funding has no requirements for particular research agendas or disclosures to the funding parties.</span></em></p>
<p>Protect yourself from hackers, trolls, bots, social media executives and programmers in need of ethics training.</p>
<p>Elissa M. Redmiles, Ph.D. Student in Computer Science, University of Maryland</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>My thoughts are my password, because my brain reactions are unique</h2>
<p>2018-10-25T10:44:56Z</p>
<figure><img src="https://images.theconversation.com/files/241249/original/file-20181018-67185-dbf3km.png?ixlib=rb-1.1.0&rect=8%2C0%2C466%2C432&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A test subject entering a brain password.</span> <span class="attribution"><span class="source">Wenyao Xu, et al.</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span></figcaption></figure>
<p>Your brain is an inexhaustible source of secure passwords – but you might not have to remember anything. Passwords and PINs with letters and numbers are <a href="http://time.com/3643678/password-hack/">relatively easily hacked</a>, hard to remember and generally insecure. Biometrics are starting to take their place, with fingerprints, facial recognition and retina scanning becoming common even in routine logins for computers, smartphones and other common devices. </p>
<p>They’re more secure because they’re harder to fake, but biometrics have a crucial vulnerability: A person only has one face, two retinas and 10 fingerprints. They represent passwords that can’t be reset if they’re compromised.</p>
<p>Like usernames and passwords, biometric credentials are vulnerable to data breaches. In 2015, for instance, the database containing the <a href="https://www.nytimes.com/2015/09/24/world/asia/hackers-took-fingerprints-of-5-6-million-us-workers-government-says.html">fingerprints of 5.6 million U.S. federal employees</a> was breached. Those people shouldn’t use their fingerprints to secure any devices, whether for personal use or at work. The next breach might steal photographs or retina scan data, rendering those biometrics useless for security.</p>
<p><a href="https://scholar.google.com/citations?user=dvvN6qsAAAAJ&hl=en">Our</a> <a href="https://scholar.google.com/citations?user=4EPE1s4AAAAJ&hl=en">team</a> has been <a href="https://www.eurekalert.org/pub_releases/2015-06/bu-brt060215.php">working with collaborators</a> at <a href="https://doi.org/10.1016/j.neucom.2015.04.025">other institutions</a> for years, and has invented a new type of biometric that is both uniquely tied to a single human being and can be reset if needed.</p>
<h2>Inside the mind</h2>
<p>When a person looks at a photograph or hears a piece of music, <a href="https://www.encyclopedia.com/medicine/divisions-diagnostics-and-procedures/medicine/electroencephalography">her brain responds</a> in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp. We have discovered that <a href="https://doi.org/10.1109/TIFS.2016.2543524">every person’s brain responds differently</a> to an external stimulus, so even if two people look at the same photograph, readings of their brain activity will be different.</p>
<p>This process is automatic and unconscious, so a person can’t control what brain response happens. And every time a person sees a photo of a particular celebrity, their brain reacts the same way – though differently from everyone else’s.</p>
<p>We realized that this presents an opportunity for a unique combination that can serve as what we call a “<a href="https://doi.org/10.1145/3210240.3210344">brain password</a>.” It’s not just a physical attribute of their body, like a fingerprint or the pattern of blood vessels in their retina. Instead, it’s a mix of the person’s unique biological brain structure and their involuntary memory that determines how it responds to a particular stimulus.</p>
<h2>Making a brain password</h2>
<p>A person’s brain password is a digital reading of their brain activity while looking at a series of images. Just as passwords are more secure if they include different kinds of characters – letters, numbers and punctuation – a brain password is more secure if it includes brain wave readings of a person looking at a collection of different kinds of pictures.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/241253/original/file-20181018-67173-hpu8qo.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/241253/original/file-20181018-67173-hpu8qo.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/241253/original/file-20181018-67173-hpu8qo.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=353&fit=crop&dpr=1 600w, https://images.theconversation.com/files/241253/original/file-20181018-67173-hpu8qo.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=353&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/241253/original/file-20181018-67173-hpu8qo.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=353&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/241253/original/file-20181018-67173-hpu8qo.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=444&fit=crop&dpr=1 754w, https://images.theconversation.com/files/241253/original/file-20181018-67173-hpu8qo.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=444&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/241253/original/file-20181018-67173-hpu8qo.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=444&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A range of visual stimuli generates the best brain password.</span>
<span class="attribution"><span class="source">Wenyao Xu, et al.</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>To set the password, the person would be authenticated some other way – such as coming to work with a passport or other identifying paperwork, or having their fingerprints or face checked against existing records. Then the person would put on a soft comfortable hat or padded helmet with electrical sensors inside. A monitor would display, for example, a picture of a pig, Denzel Washington’s face and the text “Call me Ishmael,” the opening sentence of Herman Melville’s classic “Moby-Dick.”</p>
<p>The sensors would record the person’s brain waves. Just as when <a href="https://www.macworld.co.uk/how-to/iphone/how-use-touch-id-finger-scanning-passcode-3579832/">registering a fingerprint</a> for an iPhone’s Touch ID, multiple readings would be needed to collect a complete initial record. Our research has confirmed that a combination of pictures like this would evoke brain wave readings that are unique to a particular person, and consistent from one login attempt to another.</p>
<p>Later, to log in or gain access to a building or secure room, the person would put on the hat and watch the sequence of images. A computer system would compare their brain waves at that moment to what had been stored initially – and either grant access or deny it, depending on the results. It would take about five seconds, not much longer than entering a password or typing a PIN into a number keypad.</p>
<h2>After a hack</h2>
<p>Brain passwords’ real advantage comes into play after the almost inevitable hack of a login database. If a hacker breaks into the system storing the biometric templates or uses electronics to counterfeit a person’s brain signals, that information is no longer useful for security. A person can’t change their face or their fingerprints – but they can change their brain password.</p>
<p>It’s easy enough to authenticate a person’s identity another way, and have them set a new password by looking at three new images – maybe this time with a photo of a dog, a drawing of George Washington and a Gandhi quote. Because they’re different images from the initial password, the brainwave patterns would be different too. Our research has found that the new brain password would be <a href="https://doi.org/10.1016/j.patrec.2017.05.031">very hard for attackers to figure out</a>, even if they tried to use the old brainwave readings as an aid.</p>
<p>Brain passwords are endlessly resettable, because there are so many possible photos and a vast array of combinations that can be made from those images. There’s no way to run out of these biometric-enhanced security measures.</p>
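<p>As an added illustration (not the authors’ EEG pipeline or any code from the article), the enrol, verify and reset cycle described in the two sections above can be modelled as a template keyed by the images shown: several readings per image are averaged at enrolment, a login passes only when the live reading for every enrolled image correlates with the template above a threshold, and a reset simply re-enrols with a new image set, so a stolen old template no longer matches. The “brain responses” here are constructed stand-ins (a deterministic vector per person/image pair plus session noise); the threshold, vector length and image labels are assumptions.</p>

```python
# Added toy model of a stimulus-bound, resettable biometric (not the authors' code).
# "Brain responses" are constructed: a fixed vector per (person, stimulus) pair
# plus per-session Gaussian noise, standing in for real EEG features.
import hashlib
import math
import random

DIM = 32  # length of the constructed feature vector per stimulus (assumption)

def brain_response(person, stimulus, rng, noise=0.1):
    """Constructed stand-in for one EEG reading: fixed for a (person,
    stimulus) pair, with a little session-to-session noise added."""
    digest = hashlib.sha256(f"{person}|{stimulus}".encode()).digest()
    return [(b - 128) / 128 + rng.gauss(0, noise) for b in digest[:DIM]]

def correlation(a, b):
    """Pearson correlation between two equal-length readings."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den else 0.0

def enrol(person, stimuli, readings=3, seed=0):
    """Average several readings per image into a template keyed by stimulus."""
    rng = random.Random(seed)
    template = {}
    for s in stimuli:
        samples = [brain_response(person, s, rng) for _ in range(readings)]
        template[s] = [sum(col) / readings for col in zip(*samples)]
    return template

def live_session(person, stimuli, seed):
    """One login attempt: a fresh noisy reading for each displayed image."""
    rng = random.Random(seed)
    return {s: brain_response(person, s, rng) for s in stimuli}

def verify(template, readings, threshold=0.9):
    """Grant only if the live reading for every enrolled image correlates
    with the stored template above the threshold; the image set must match."""
    if set(readings) != set(template):
        return False  # a reset changes the images, so old readings fail here
    return all(correlation(template[s], readings[s]) >= threshold for s in template)

# Image sets taken from the article's examples; labels stand in for the pictures.
OLD_IMAGES = ["pig", "Denzel Washington", "Call me Ishmael"]
NEW_IMAGES = ["dog", "George Washington", "Gandhi quote"]
```

Real EEG features are far noisier than this stand-in, so in practice the threshold has to be tuned against measured false-accept and false-reject rates rather than fixed at 0.9.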
<h2>Secure – and safe</h2>
<p>As researchers, we are aware that it could be worrying or even creepy for an employer or internet service to use authentication that reads people’s brain activity. Part of our research involved figuring out how to take only the minimum amount of readings to ensure reliable results – and proper security – without needing so many measurements that a person might feel violated or concerned that a computer was trying to read their mind.</p>
<p>We initially tried using 32 sensors all over a person’s head, and found the results were reliable. Then we progressively reduced the number of sensors to see how many were really needed – and found that we could get clear and secure results with just three properly located sensors.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/241247/original/file-20181018-67167-12xh32s.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/241247/original/file-20181018-67167-12xh32s.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/241247/original/file-20181018-67167-12xh32s.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=598&fit=crop&dpr=1 600w, https://images.theconversation.com/files/241247/original/file-20181018-67167-12xh32s.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=598&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/241247/original/file-20181018-67167-12xh32s.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=598&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/241247/original/file-20181018-67167-12xh32s.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=751&fit=crop&dpr=1 754w, https://images.theconversation.com/files/241247/original/file-20181018-67167-12xh32s.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=751&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/241247/original/file-20181018-67167-12xh32s.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=751&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Three electrodes high on the back of a user’s head are enough to detect a brain password.</span>
<span class="attribution"><span class="source">Wenyao Xu et al.</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>This means our sensor device is so small that it can fit invisibly inside a hat or a virtual-reality headset. That opens the door for many potential uses. A person wearing smart headwear, for example, could easily unlock doors or computers with brain passwords. Our method could also make cars harder to steal – before starting up, the driver would have to put on a hat and look at a few images displayed on a dashboard screen.</p>
<p>Other avenues are opening as new technologies emerge. The Chinese e-commerce giant Alibaba recently unveiled a system for <a href="https://news.vice.com/en_us/article/ev5gmw/alibaba-vr-shopping-buy-singles-day">using virtual reality to shop</a> for items – including making purchases online right in the VR environment. If the payment information is stored in the VR headset, anyone who uses it, or steals it, will be able to buy anything that’s available. A headset that reads its user’s brainwaves would make purchases, logins or physical access to sensitive areas much more secure.</p>
<p class="fine-print"><em><span>Wenyao Xu receives funding from the National Science Foundation. </span></em></p><p class="fine-print"><em><span>Zhanpeng Jin receives funding from the National Science Foundation. </span></em></p><p class="fine-print"><em><span>Feng Lin does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Biometrics are more secure than passwords – but when they’re compromised fingerprints and retina scans are hard to reset. Brain responses to specific stimuli are as secure and, crucially, resettable.Wenyao Xu, Assistant Professor of Computer Science and Engineering, University at BuffaloFeng Lin, Assistant Professor of Computer Science and Engineering, University of Colorado DenverZhanpeng Jin, Associate Professor of Computer Science and Engineering, University at BuffaloLicensed as Creative Commons – attribution, no derivatives.