Exit the password?
Just when all our accounting data is going online, experts say password security is in trouble. Passwords are just too vulnerable to hackers – and people are too careless.
Fernando Corbató, now 87, is sometimes called ‘the man who invented the computer password’, having deployed them at the Massachusetts Institute of Technology (MIT) in the early 1960s.
Interviewed this year by The Wall Street Journal, he called passwords “a kind of nightmare”, because no one can possibly remember all the passwords you now need (he has around 150, written on three sheets of paper). He intended them only as protection against casual snooping, he says, not as industrial-strength security.
Password security problems started right after Corbató's invention; he says an MIT colleague soon broke his system for a prank. In 2014's world of internet-based systems, password security is a business hazard – and nowhere more than in accounting. The profession is in the process of putting everyone's business and financial information into password protected online accounts. Anyone who can steal the passwords has access to a huge trove of data.
Michael McKinnon, security adviser with AVG, warns that “the password is only as good as the people using them”. The major problem arises, he notes, when people reuse passwords or license one social network as a gateway to other services.
And many people reuse their passwords across sites. Your password may be “1%aGt°95/PhoS’ rather than 1234", but if you use that same password everywhere, then the discovery of that password provides a hacker with an open door.
Online accounting providers acknowledge the password issue. Xero's security officer Kirk Jackson says that one of the two most common types of security incidents the company and its users have faced involved a compromise of some part of the user's online life.
Official figures tell the same story, as Attorney General Senator George Brandis outlined in a speech in May this year. Brandis cited Australian Institute of Criminology figures showing that 9.4 per cent of Australians had suffered from identity theft or identity misuse over the past year, and 5 per cent had suffered from financial loss as a result. While the average financial cost was $4,000 per incident, the cost of individual incidents ranged from $1 to $300,000, and it could take more than 200 hours to achieve some form of solution.
As our online life blooms, so does our collection of logins and passwords, and the temptation grows to use the same passwords for multiple services. Brandis said Australians typically have between five and 50 log ins and password combinations to deal with.
Every few weeks, a new issue underlines our password problems. In May 2014, eBay revealed the theft of a database, with email addresses and passwords of 145 million of its users.
Only weeks before this revelation came the news of the 'Heartbleed' bug in the OpenSSL security layer, used across the internet.
This procession of incidents has people wondering whether the days of password-secured internet access are drawing to an end. If deeply personal information, financial details and crucial business data are all going to be online, maybe it is time to replace the humble password.
But the reality is: there is no obvious replacement.
Shoring up the password
AVG's McKinnon says the fact that password-based systems can be set up cheaply and easily means they are likely to survive for years to come. And if the password is going to stick around, there are at least plenty of ideas on how to make it safer.
Using a log in and password to access a website or cloud service draws on one of three authentication factors.
An increasingly popular security improvement is ‘two-factor authentication’, which adds a second factor – something you have. When you insert your Visa card into a point-of-sale device and input the PIN, or when a bank sends an SMS to your mobile phone to allow you to complete a financial transaction, you’re using two-factor authentication. (The third factor is biometric identification – something you are – such as your fingerprint, voice, iris or facial features.)
Password generators and management applications can also help by generating and storing complex passwords for each service a user accesses. All that has to be remembered is the single password for the password management application itself.
McKinnon also argues for limiting the lifespan of passwords – forcing people to change them every two days, for example.
McKinnon notes that cloud accounting systems present challenges. In particular, they require knowledge of users' bank passwords in order to access automated bank feeds. “I believe all clouds should be offering two-factor authentication,” he says.
Boaz Fischer, managing director of security consultancy Comms Met Group, agrees twofactor authentication is “the way we should be moving”. “Most users carry their mobile with them,” he says. “It’s not foolproof, but it's more extreme to have to hack the [phone's] SIM.”
Accounting software firms have mostly avoided building two-factor authentication into their systems, but they are looking at their next steps. Says Xero's Jackson: “Xero does have plans to introduce a second factor, possibly involving a mobile device, but hasn't committed to a time frame.”
Simon Raik-Allen, chief technology officer of MYOB, explains that access to its systems is available via passwords or multifactor authentication, although biometrics has yet to be harnessed.
But while security needs to be taken seriously, he says, it much a user decision” regarding the controls they want to implement.
He cites Google Authenticator as the sort of two-factor authentication service that security conscious users might want to enable for online services. This is a smartphone app for Android or BlackBerry that can be used to generate a new secure code each time a website or cloud service is accessed, and can be used with a growing number of cloud services, such as Dropbox. (There are other authenticators available for iPhones and Windows Phones.)
Once a user has input their user ID and password, they are asked to provide the unique code produced by the authenticator. Raik-Allen says MYOB is looking at this form of additional security. “We are very happy with the security we have in place,” he says, “but the hacks are getting more sophisticated and people are getting more nervous.”
Security company RSA, which has offered authentication tokens for many years, believes that even mobile phone-based authentication might become vulnerable as hackers up the ante. It believes organisations may look to harness smartphone cameras or geo-location data to provide multifactor authentication.
Fischer warns that whichever security approaches win favour, there will always be a trade-off between security and convenience, which is why so many people persist with just a handful of passwords for multiple sites, despite the risk. He thinks three-factor authentication, which can involve deployment of quite costly and complex biometric management platforms, might prove overkill. “It’s too inconvenient.”
Pinched passwords and stolen identities, however, can make even inconvenience attractive.
Tips for staying safe
. Use a diferent password for every online service–if one password is guessed or hacked, the others remain intact.
. Make each password random and unpredictable, with no easily guessed personal information.
. Make the password long–20 characters at least.
. Don't allow browsers to store passwords.
. Don't login to secure services over public wi-fi or from internet cafés.
. Change passwords regularly.
. Consider using a password management application and generator.
Password management software requires users to remember just one quite difficult password or passphrase (preferably long with capitals and numbers). which is used to generate new random passwords and unlock an encrypted file holding website addresses and associated passwords.
Password managers include: