users

People hate having to manage passwords, and they know they are not secure.  The current guidance given to users is to use long, complex passwords.  However most people don't realize how insecure passwords have become.

As the diagram below describes, hackers no longer need to try lots of password combinations to get your password. They don't even need to use phishing attacks. Instead, they break directly into websites and make a copy of the site's email and password list, or wait for users to sign in and capture their passwords at that time. These attacks are focused on medium-popularity websites whose security is not as strong as that of banks, or of large websites like Microsoft, Google, PayPal, etc., which have advanced security mechanisms. Once the hackers have these emails and passwords, they use them to log into other websites and hijack user accounts. Almost everyone reuses the same password across multiple websites, so a stolen password can normally be used on many other sites. The news media has reported many of the larger instances of this happening, but in most cases the sites do not even realize they have been compromised.


If your password is stolen, and you use the same password on a social network or webmail account, then it can get even worse. The hackers can frequently hijack that account as well, and if they do it won't just impact you, it is likely to impact your friends. Hackers have become much more sophisticated in how they make money. They still use hijacked accounts to send spam, especially to the people in your address book. However, now they also send fake messages to your friends in which they pretend to be you and say things like "Help! I got mugged while travelling and I can't get home. Can you wire money to me at this address?" That is why many of these webmail and social network sites now tell users to "use a unique password for all your important accounts."

Basically, with passwords the security of user accounts on the Internet is only as good as the websites with the worst security. And of course, there are lots of them with very bad security. Fortunately, websites are increasingly adopting another technique that is both easier for end users and more secure. Instead of using passwords or having to build incredibly complex security systems, websites can allow users to sign in with an account from an identity provider. These sites are called "relying parties." You may have already encountered a relying party site where you sign in by clicking the logo of another company, or by choosing the picture of an account you have at such a provider. When a user signs into a website this way, the site does not hold a password for the user, so even if the site is attacked, it has no passwords to leak.

The hackers can still try to attack the identity providers, but identity providers use advanced security mechanisms, as online banks do. Many of them even add a second layer of security that you will encounter whenever you try to sign in from a new device. They will not just ask for your password; they will ask you to provide other information about your account, or even send a code to your phone. That extra layer of security helps protect you against phishing attacks.

If you are very sophisticated and use a different complex password at every website, then you might not need to use an identity provider. However, if you do use one, not only is it more secure and easier to sign in, but some websites can integrate with the information you already have at your identity provider, or other services, to provide a better experience on the site. For example, an online t-shirt store might let you select a picture from your online photo service to print on the t-shirt. Or an online game might let you find your friends who already use the game.


So the next time you see a website that asks for a password, ask yourself whether you think it has bank-level security. If not, ask them why they don't offer you the option to use an identity provider.
