Summary

Passwords are evil: either they are easy to guess, or the password recovery service gives the hacker easy access, as the Twitter "security breach" and the break-in into Sarah Palin's Yahoo email account showed. But there are companies out there solving this problem; one of them is a stealth start-up called FortKnock.

Analysis

This so-called Twitter security breach didn't have anything to do with the security of Twitter itself. Here is (supposedly) what happened. A hacker got the Yahoo email address of one of Twitter's employees, managed to get the password, logged in and, by reading some emails, was able to get into the employee's Google account, where he found a bunch of confidential Twitter information.

So why was it so easy to break into the Yahoo email account? Well, Yahoo (like most other web portals) has a way to retrieve your password. You simply answer a few questions (like your mother's maiden name) and you will again have access to your account. This is how the Twitter hacker got in, and this is also how Sarah Palin's Yahoo email account was hacked. And why does Yahoo offer this service? Well, a lot of people forget their password, and this is the only way that most portals know how to solve this problem.

In order to make them easy to remember, people will use simple, short passwords, and they will make all their passwords the same. And if they do choose difficult-to-guess passwords, then they will forget them, and the portal will have to provide a password recovery service like Yahoo does. The end result, as we can see from the Twitter and Palin examples, is a hacker's delight. So passwords are evil! But can we really do without them?

A company called FortKnock, which is still in stealth mode, is promising a totally secure online experience without the need for passwords. When you log in, instead of being asked for a username and password you are presented with four multiple-choice questions about your likes and dislikes. For example: "Who is your favourite singer?" or "Which type of food do you dislike the most?" Answers to questions like these are not easy for others to guess, and to make it even more difficult for the potential hacker, the wrong choices are answers that other people who are very similar to you have given to the same question.

So if, for example, the hacker has figured out that you are from the Netherlands, they might assume that your favourite singer is someone from the Netherlands. But because FortKnock takes the answers of other people who are also from the Netherlands and presents them as the wrong choices, the hacker will be presented with 10 popular Dutch singers to choose from. There is a lot of statistical mathematics behind this seemingly simple authentication scheme, which shows that a system like this is just as secure as an 80-digit password that changes every time you log in. (Imagine the trouble of trying to remember an 80-digit password ;-) On the user side this is as simple as it can get: you can of course remember your likes and dislikes, unlike all those pesky passwords that must or must not start with a number, must or must not contain upper-case letters, etc.

For more on technology trends like this, please see my blog.

Hans van Rietschote consults with leading institutions through GLG

Hans van Rietschote, Former Technical Advisor


Former Technical Advisor, QLAYER BVBA

Analyses are solely the work of the authors and have not been edited or endorsed by GLG.