
Passwords are broken

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 18 May 2016
Christiaan Brand, product manager: identity and security at Google.

What is wrong with Internet security today? Passwords. They are hard to remember, hard to type, and insecure. The most popular password in 2015 was 123456. The next most popular one was 'password'.

Passwords are a remnant of the 1960s and have to go. "Why are we constantly being signed in or out, why can't we do better?"

This was the question posed by Christiaan Brand, product manager: identity and security at Google, during his keynote address at the ITWeb Security Summit 2016 this week at Vodacom World in Midrand.

"Passwords are being stolen through phishing, keylogging and network interception. They are still the number one reason for security incidents. More than two-thirds of incidents last year involved phishing, with a 23% effectiveness rate according to a Verizon report last year."

He says there are way too many disparate solutions out there; they don't work together and they don't solve the problem. "One in every four phishing Web sites actually tricks users into revealing their passwords."

What Google is doing

"Google's 2-Step Verification and Security Keys add an additional layer of security, beyond the password, to the Google account. It's like a second padlock on your account's door."

Speaking about the evolution of 2-SV (2-Step Verification), he says Google uses Security Keys, which are based on a FIDO standard. The FIDO ('Fast IDentity Online') Alliance is an industry group formed in 2013 to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple usernames and passwords.

"With Security Key, there's no looking at codes and re-typing - users simply insert their Security Key into the computer's USB port (or use it over NFC or Bluetooth) when asked. Security Keys give better protection against phishing, and no mobile phone or cellphone signal is required."

Next, he cites Safe Browsing, which gives users on Google and across the Web the information they need to steer clear of danger. "Any dangerous sites detected by Safe Browsing generally fall into one of two categories: sites that attack users intentionally with either malware, phishing, or unwanted software that is deceptive or hard to uninstall, or sites that attack users unintentionally because they have been compromised, often without the site's owner realising this has happened."

Once Google detects these sites, Safe Browsing warns users about them in a variety of ways. "Today, Safe Browsing shows people more than five million warnings per day for all sorts of malicious sites and unwanted software, and discovers more than 50 000 malware sites and more than 90 000 phishing sites each month."

Google also has a tool called Security Checkup, which is essentially an easy way for users to protect themselves by reviewing and managing their Google Account's security settings. The Checkup reviews recovery information, recent activity and account permissions.
