Hacker Hell
Simple password entry has given way to 2-step authentication: when you log into an application or account, you enter your ID and password and are also required to enter a one-time security code that is sent to you, usually on a mobile device, before you are let in. This prevents hackers who have stolen your password from accessing your data without the secondary device that confirms your identity, but you still have to remember the password for each application. There are password managers that help with managing a multitude of passwords by using a single master password that unlocks the manager, or you can do what many others do and jot them down on pieces of paper or in a 'secret list' that no one should be able to find. Of course, pieces of paper are easily lost and a paper list of passwords is an accident waiting to happen, so many keep such lists on their devices, in the hope that no one will recognize what they are.
The good news is that steps are being taken to simplify the authentication process in ways that will free you from the burden of remembering, changing, and keeping track of passwords for all of your devices, with what is called a passkey. Google (GOOG) has implemented passkey use when logging into your Google account, while still letting you use passwords, and as of May 3, you can use passkeys to log into Google websites. Apple, Microsoft (MSFT), PayPal (PYPL), eBay (EBAY), and a long list of others are developing or implementing passkey authentication for their applications, with Apple having already built it into the latest version of iOS. By using passkeys you no longer have to remember strings of numbers and characters (Is it a capital V or a small v?) or your 4th child's birthday, but you do need to have your phone, tablet, or computer nearby, as the passkey system needs to communicate with your device in order to verify your identity.
Passkeys use public-key cryptography. When you register on a site, your device generates a pair of keys: a public key, which is sent to the site's web server and stored there (it is of no value to a hacker by itself), and a private key, which never leaves your device. When you later try to log in, the server sends a random 'challenge' to your device. Because the two keys are mathematically related, your device can sign the challenge with the private key and return the signature, and the server can check that signature using only the public key it stored at registration. That proves the server is talking to the holder of the private key without the server ever learning the private key itself. Before signing, your device also checks, via its PIN or master password, fingerprint, or face recognition, that you are the person the private key belongs to, as a safeguard in case the device is lost or stolen. At no time is a secret exchanged between your device and the server, as happens every time you type a standard password, which is what makes passkeys more secure.
Hackers cannot guess a passkey, nor can you accidentally reuse one on another site, because each passkey is bound to the site it was created for: a look-alike site at a different domain cannot obtain a valid signature from your device, so the tricks that send you to fake login pages to collect your password will not work. That said, because they are unique to each site, you need to set one up each time you open a new account or join a new site, and as the private key resides on your personal device, care must be taken not to lose that device (or to make sure the passkey is backed up). Even if it were lost, a hacker would still need your master password or PIN, or some way to beat your biometrics, which leaves you far better off than hoping no one figures out that you only change two digits in your password across all of your applications.
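To make the exchange described in the two paragraphs above concrete, here is an added example (not code from the original article, nor from Google, Apple, or any other company named on this page): a stripped-down model of passkey registration and challenge/response login in Go, using Ed25519 from the standard library. The relying party "example.com", the user name "alice", and the look-alike domain "examp1e.com" are invented for the illustration, and the authenticator's Unlock call stands in for the device's PIN or biometric check. It is a teaching model, not a WebAuthn implementation: real passkeys also sign over client and authenticator data, keep a signature counter, and rely on the browser to supply the true origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty models the website. It stores only public keys, one per user,
// plus the challenge it most recently issued to each user (single use).
type RelyingParty struct {
	ID         string                       // hypothetical site identifier, e.g. "example.com"
	publicKeys map[string]ed25519.PublicKey // user -> registered public key
	challenges map[string][]byte            // user -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{
		ID:         id,
		publicKeys: map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Authenticator models the user's phone or laptop. Private keys never leave
// it, and each key is bound to the site it was created for.
type Authenticator struct {
	unlocked    bool                          // local PIN/biometric check passed
	privateKeys map[string]ed25519.PrivateKey // site ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{privateKeys: map[string]ed25519.PrivateKey{}}
}

// Unlock stands in for the device asking for a PIN, fingerprint or face scan.
func (a *Authenticator) Unlock(ok bool) { a.unlocked = ok }

// Register generates a key pair for the site and hands back only the public
// half, which the site stores against the user name.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.privateKeys[rp.ID] = priv
	rp.publicKeys[user] = pub
	return nil
}

// IssueChallenge creates a fresh 32-byte random challenge for one login.
func (rp *RelyingParty) IssueChallenge(user string) ([]byte, error) {
	if _, ok := rp.publicKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// signedData binds the challenge to the site ID, so a signature made for one
// site is meaningless to every other site.
func signedData(siteID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(siteID))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what the device does when a page at askedBy presents a challenge:
// refuse unless the user has unlocked it, refuse if it holds no key for that
// site (this is where a look-alike domain fails), otherwise sign.
func (a *Authenticator) Sign(askedBy string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("device locked: local user verification failed")
	}
	priv, ok := a.privateKeys[askedBy]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", askedBy)
	}
	return ed25519.Sign(priv, signedData(askedBy, challenge)), nil
}

// Verify checks the signature with the stored public key and consumes the
// challenge, so the same signed response cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.challenges[user]
	if !ok {
		return false
	}
	delete(rp.challenges, user)
	pub, ok := rp.publicKeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.ID, c), sig)
}

// Login runs one full round trip: challenge from the site, signature from the
// device (as if asked by the page at askedBy), verification by the site.
func Login(rp *RelyingParty, dev *Authenticator, user, askedBy string) (bool, error) {
	challenge, err := rp.IssueChallenge(user)
	if err != nil {
		return false, err
	}
	sig, err := dev.Sign(askedBy, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, sig), nil
}

func main() {
	rp := NewRelyingParty("example.com") // hypothetical site
	dev := NewAuthenticator()
	if err := dev.Register(rp, "alice"); err != nil { // hypothetical user
		panic(err)
	}
	dev.Unlock(true)
	ok, err := Login(rp, dev, "alice", "example.com")
	fmt.Println("genuine site:", ok, err)
	_, err = Login(rp, dev, "alice", "examp1e.com") // look-alike domain
	fmt.Println("look-alike site:", err)
	dev.Unlock(false)
	_, err = Login(rp, dev, "alice", "example.com")
	fmt.Println("locked device:", err)
}
```

The three runs in main show the properties the text claims: the genuine site verifies the signature with nothing but the public key it stored at registration; a look-alike domain relaying the same challenge gets nothing, because the device has no key under that name and the site ID is folded into what gets signed; and a stolen but locked device refuses to sign at all. Verify also deletes the challenge after one use, so a captured response cannot be replayed.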
It will be a while before passkeys become ubiquitous, but with a number of the largest CE companies taking steps to implement the concept across multiple applications, the momentum will build, and standards organizations such as the FIDO (Fast IDentity Online) Alliance are working to set standards that will hopefully make it unnecessary for iOS users and Android users to have different passkeys for the same application. At that point you would be able to throw away your secret lists and scraps of paper and no longer worry that you haven't changed your Wi-Fi password in 5 years, letting your next-door neighbor's entire family piggyback on your Wi-Fi. (If that password is a WEP key, change more than the password: WEP has been broken for years, and the router should be on WPA2 or WPA3 regardless.)