Will Yahoo breach finally get us past the password?


Last week's Yahoo hack, the largest breach of user account data in history, has once again drawn attention to the password's inherent weaknesses. And some cybersecurity experts say we may be nearing the point at which many consumers finally stop relying on them. "I believe we are approaching a tipping point," said Brett McDowell, executive director of the non-profit FIDO Alliance.

The FIDO Alliance promotes two open standards that use hardware devices to replace or supplement passwords. The device can be a USB key stick or a smart card, a specially secured chip in a smartphone or tablet, or even a fingerprint reader or iris scanner attached to a laptop. Instead of a secret that both the user and the website know, the device signs a fresh challenge from the website with a private key that never leaves it, so there is no reusable secret to steal from the server or to type into a fake page. Boosters say that FIDO standards are finally overcoming the "chicken and egg" dilemma that plagues many security technologies.

Hashing, cracking, and brute-forcing

The 500 million passwords stolen from Yahoo were not stored in the clear but hashed: a one-way mathematical transformation that turns the password into a fixed-length string of apparently meaningless data called a hash. Hashing is often loosely called encryption, but unlike encryption there is no key and no intended way to reverse it.

Security-conscious websites never store passwords themselves, only hashes. When the user logs on, the submitted password is hashed the same way it was when it was first set, and the website compares that hash with the one it has stored. If they match, the correct password was entered. In theory, hashing should protect stolen passwords, since for a sound hash function it is computationally infeasible to work backwards from a hash to the plaintext. But there is no need to reverse it: special "cracker" software can simply guess passwords, hash each guess and look for a match, a "brute force" attack against the stolen data.

Most websites limit the number of logon attempts, which makes online guessing impractical. But once the hashes have been stolen, there is no limit to the number of guesses: cracker programs keep hashing candidate passwords, billions of times per second on graphics cards for a fast hash such as MD5 or SHA-1 and far fewer for a deliberately slow one such as bcrypt, until a candidate's hash matches a stolen one. Cracker software is typically programmed to try commonly used passwords first, then go through the dictionary and lists of proper names, and then try combinations of words or words and numbers. It can also apply "mangling rules" to every guess: zeros in place of Os, ones in place of Ls, a digit or a year appended, and so on.

Yahoo said in its statement that most of its hashes were "salted," meaning a random per-user value was mixed into each password before hashing. A salt does not make any single hash harder to crack, but it means two users with the same password get different hashes, it defeats precomputed lookup tables, and it forces the attacker to crack each account separately instead of testing one guess against all 500 million hashes at once. Even salted hashes can often be cracked given enough time and computing power, especially because users generally ignore advice not to use dictionary words or proper names in their passwords. "The bottom line is, passwords can't be secure," McDowell told FedScoop. "It's long past time that we replaced them with something that's not vulnerable to phishing, social engineering, or replay attacks."
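The three mechanisms described above (storing and verifying hashes, offline dictionary cracking with mangling rules, and the effect of a salt and a slow hash) can be seen together in one small script. This is an added example, not code from the article or from Yahoo; the user list, the mini wordlist and the mangling rules are constructed for the demo, and PBKDF2 from the Python standard library stands in for bcrypt as the salted, deliberately slow scheme.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts (not breach data). Two users chose the same weak password.
SAMPLE_USERS = {"alice": "password1", "bob": "sunshine", "carol": "password1"}
# Constructed mini wordlist; a real cracker uses millions of entries.
WORDLIST = ["letmein", "sunshine", "password", "qwerty", "monkey"]
# Production work factor; raise it as hardware gets faster. The demo below uses fewer rounds.
PBKDF2_ROUNDS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """Legacy scheme: a single MD5 of the password. Same password -> same hash for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted, iterated scheme (PBKDF2-HMAC-SHA256; bcrypt/scrypt/Argon2 serve the same purpose).
    The stored record carries its own parameters so it can be verified later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Login check: recompute with the stored salt and rounds, compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


LEET = str.maketrans({"o": "0", "l": "1", "e": "3", "a": "@", "s": "$"})


def candidates(wordlist):
    """Guesses in cracker order: each word plain, capitalised and in leetspeak, each with common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.translate(LEET)):
            yield base
            for suffix in ("1", "123", "!", "2016"):
                yield base + suffix


def crack_unsalted(stored: dict, wordlist) -> tuple:
    """Offline attack on unsalted hashes: hash each guess once and check it against every user at once."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for guess in candidates(wordlist):
        work += 1
        for user in by_hash.get(fast_unsalted_hash(guess), []):
            found[user] = guess
        if len(found) == len(stored):
            break
    return found, work


def crack_salted(stored: dict, wordlist) -> tuple:
    """With a per-user salt every guess must be recomputed for every user, at the full PBKDF2 cost each time."""
    found, work = {}, 0
    for user, record in stored.items():
        for guess in candidates(wordlist):
            work += 1
            if verify_slow_salted(guess, record):
                found[user] = guess
                break
    return found, work


def main():
    demo_rounds = 2_000  # kept small so the demo runs in seconds; cost per guess scales with this number
    unsalted = {u: fast_unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: slow_salted_hash(p, rounds=demo_rounds) for u, p in SAMPLE_USERS.items()}
    print("alice and carol share an MD5 hash:", unsalted["alice"] == unsalted["carol"])
    print("alice and carol share a salted record:", salted["alice"] == salted["carol"])
    for name, fn, table in (("unsalted MD5", crack_unsalted, unsalted), ("salted PBKDF2", crack_salted, salted)):
        t0 = time.perf_counter()
        found, work = fn(table, WORDLIST)
        print(f"{name}: recovered {found} in {work} hash computations, {time.perf_counter() - t0:.2f}s")


if __name__ == "__main__":
    main()
```

With this wordlist the unsalted table falls in 32 hash computations because one computation of md5("password1") exposes both alice and carol; the salted table needs 80, each of them thousands of times more expensive, and that gap is the whole point of salting and of a slow work factor. It does not rescue "password1" or "sunshine" from a cracker that tries them at all, which is why the article's experts want to get rid of the shared secret altogether.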

Phishing or social engineering involves tricking a user into giving up their password, for example on a fake website designed to look like a bank's real login page. What McDowell calls replay here is password reuse: most users ignore advice not to use the same password for multiple sites or accounts, so a hacker holding a user's email password can also try it on social media or even financial accounts. For several years, Gmail, Facebook, and many other large online service providers, following the lead of banks and other financial institutions, have offered additional security in the form of what amounts to a second password: a code number or PIN sent via SMS to the user's mobile phone. Such a code does stop a reused password on its own, but a phishing page that relays the code to the real site in real time still gets in, which is the gap FIDO's origin-bound challenge-response is meant to close.
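The difference between a relayed SMS code and an origin-bound FIDO assertion is easiest to see by running both attacks against a toy relying party. This is an added example, not code from the article or from the FIDO Alliance: the two origins are constructed, HMAC with a per-credential secret stands in for the authenticator's signature (real FIDO devices hold an asymmetric key pair and the server keeps only the public key, but the challenge and origin-binding logic shown here is the same), and real browsers additionally refuse to use a credential registered to a different domain at all.

```python
import hashlib
import hmac
import secrets

# Constructed origins: the real site and a look-alike phishing site.
REAL_ORIGIN = "https://mail.example.com"
PHISH_ORIGIN = "https://mail-example.com"


def _signed_data(origin: str, challenge: bytes) -> bytes:
    """What the authenticator signs: the origin the *browser* observed plus the server's fresh challenge."""
    return origin.encode() + b"\x00" + challenge


class Authenticator:
    """Stand-in for a FIDO security key: one credential per relying party, secret never leaves the device."""

    def __init__(self):
        self._creds = {}

    def make_credential(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key  # handed to the server at registration (in real FIDO: the public key)

    def get_assertion(self, rp_id: str, origin: str, challenge: bytes) -> bytes:
        # `origin` is supplied by the browser, not by the web page, so a phishing page cannot forge it.
        return hmac.new(self._creds[rp_id], _signed_data(origin, challenge), hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin: str):
        self.origin, self.creds, self.pending, self.sms_codes = origin, {}, {}, {}

    def register(self, user: str, cred: bytes):
        self.creds[user] = cred

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)  # fresh, single-use challenge
        return self.pending[user]

    def finish_login(self, user: str, origin: str, challenge: bytes, assertion: bytes) -> bool:
        expected = self.pending.pop(user, None)  # one-shot: a captured assertion cannot be replayed
        if expected is None or not hmac.compare_digest(expected, challenge):
            return False
        if origin != self.origin:  # assertion was produced for some other site
            return False
        want = hmac.new(self.creds[user], _signed_data(origin, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(want, assertion)

    def send_sms_code(self, user: str) -> str:
        self.sms_codes[user] = f"{secrets.randbelow(10**6):06d}"
        return self.sms_codes[user]  # "delivered" to the user's phone

    def verify_sms_code(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.sms_codes.pop(user, ""), code)


def setup():
    rp, key = RelyingParty(REAL_ORIGIN), Authenticator()
    rp.register("alice", key.make_credential(REAL_ORIGIN))
    return rp, key


def legitimate_fido_login() -> bool:
    rp, key = setup()
    ch = rp.begin_login("alice")
    return rp.finish_login("alice", REAL_ORIGIN, ch, key.get_assertion(REAL_ORIGIN, REAL_ORIGIN, ch))


def phished_fido_login() -> bool:
    """Phisher starts a login as alice, relays the real challenge to her browser on the look-alike site,
    and forwards the assertion. Claiming the real origin fails the signature; admitting the phishing origin
    fails the origin check. Either way the answer is False."""
    rp, key = setup()
    ch = rp.begin_login("alice")
    assertion = key.get_assertion(REAL_ORIGIN, PHISH_ORIGIN, ch)  # victim's browser reports PHISH_ORIGIN
    lie = rp.finish_login("alice", REAL_ORIGIN, ch, assertion)
    rp.pending["alice"] = ch  # give the phisher a second try with the honest origin
    honest = rp.finish_login("alice", PHISH_ORIGIN, ch, assertion)
    return lie or honest


def replayed_fido_login() -> bool:
    """A captured assertion is tied to a challenge that has already been consumed."""
    rp, key = setup()
    ch = rp.begin_login("alice")
    assertion = key.get_assertion(REAL_ORIGIN, REAL_ORIGIN, ch)
    first = rp.finish_login("alice", REAL_ORIGIN, ch, assertion)
    rp.begin_login("alice")  # a new session means a new challenge
    return first and rp.finish_login("alice", REAL_ORIGIN, ch, assertion)


def phished_sms_login() -> bool:
    """Same relay against an SMS code: nothing binds the code to the site the victim typed it into."""
    rp, _ = setup()
    code_on_victims_phone = rp.send_sms_code("alice")  # triggered by the phisher using the stolen password
    code_typed_into_phish_page = code_on_victims_phone
    return rp.verify_sms_code("alice", code_typed_into_phish_page)


if __name__ == "__main__":
    print("legitimate FIDO login:", legitimate_fido_login())
    print("phished FIDO login:   ", phished_fido_login())
    print("replayed FIDO login:  ", replayed_fido_login())
    print("phished SMS login:    ", phished_sms_login())
```

The server never holds anything a thief could reuse as a password, the assertion is useless anywhere but the origin the browser saw, and it is useless twice; the SMS code has none of those properties, which is why it is a second factor rather than a phishing-resistant one.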

Dennis Bailey
