The challenge for web apps is how to extend security beyond a user’s browser. Even though the aforementioned sites didn’t suffer a direct password breach, several million passwords related to accounts on those sites were compromised. And the most likely culprit is malware on a victim’s system.
By using two-factor authentication, sites reduce the value of a stolen password because an attacker would also need access to the “second factor” in order to successfully access the victim’s account. The second factor is typically a mobile device that provides a time-limited one-time code via text message or a dedicated app. Not only might people take more care in protecting their phone than their password, it’s also harder to compromise phones on the same scale as the millions of passwords taken from this year’s Adobe breach.
Below are my top five predictions for password security in 2014:
1. Two-factor authentication will continue to gain momentum. We will also see the rise of smart crypto-engineering for multi-authentication passwords (Twitter is an excellent example). In spite of two-factor authentication, many web apps have APIs for legacy and third-party apps that require static passwords. Attackers will continue to probe APIs for weaknesses. And if a site neglects to use HTTPS, an attacker can always sniff cookies from Wi-Fi networks.
2. Expect to see improvements to password recovery mechanisms. Sites will de-emphasize security questions in favor of using mobile devices and mobile apps to recover accounts. However, losing a device can mean losing your account if a site’s password recovery mechanism isn’t flexible enough to work without it. And sites that email a user’s original plaintext password need to be shamed into using a more secure mechanism.
3. Database breaches will continue to expose millions of passwords. It would be nice to see sites follow Facebook’s lead whereby they proactively warn or freeze user accounts whose credentials were exposed by such a breach. This would minimize the amount of time an exposed password remains valuable and remind users they should use a unique password for their email account and different passwords for other accounts.