As safe as ATMs
Bank ATMs embody decades-old technology. A four-digit PIN? What a seemingly crude security system. Where are the uppercase and lowercase letters and the random punctuation that we are continually told are crucial to hacker-resistant passwords?
In fact, though, the four-digit numbers required to use cash machines are one element of an extremely strong security model that most of today’s websites fall well short of matching.
Think about it: An ATM requires the presentation of both a physical card and a correct PIN. Websites can and should follow this general principle of requiring two dissimilar things before access is granted.
After supplying the password, that second thing could be a code that arrives as a text message on one’s phone. A thief would find that stealing your password for a website was useless without also having your phone in hand.
The technical term for requiring something you know and something you have when trying to log into an online account is “two-factor authentication.” It’s also known as two-step verification.
If this system, using passwords and smartphones, were used on all limited-access websites, the passwords wouldn’t have to be long and complex. But many Web users have easy-to-guess passwords in just one-step verification, which is highly imprudent.
Nick Berry, president of DataGenetics, a consulting firm in Seattle, has analysed the large password databases that hackers who have broken into various websites have publicly released.
Among 30.3 million passwords he has found 3.4 million consisting of nothing but four digits. (It’s astounding that there are still websites that permit these. I always encounter password requirements that force me to choose ever longer, more complex strings of characters, numbers and punctuation marks.)
Some four-digit passwords are far more popular than others: “1234” alone accounts for almost 11 percent of these passwords; “1111,” an additional 6 percent. Repetitive patterns occupy many of the other spots among the 20 most frequent numbers. Lower on the list are numbers that are likely to be a year of birth or the four-digit rendering of the month and day of a birthday.
We can speculate that some of the four-digit passwords found in websites’ databases were first conceived as PINs for ATMs. They may also be serving as the users’ PINs for unlocking smartphones. Berry says he also saw a number of instances of what he calls “finger walking” on a keypad, in which the sequence comes from a geometric pattern, like “2580” – moving from top to bottom in the keypad’s center.
The bank customer who chooses the year of her birth as her cash-machine PIN isn’t putting her savings in great jeopardy. The thief who picks up a lost wallet with an ATM card in it would have to guess the PIN correctly in just the first few tries, or the system would shut down the account. Even if successful, the thief would be limited by the ceiling on daily ATM withdrawals. And, in cases of theft, the customer would be made whole by the bank for the loss.
When that short PIN is used as a password on the Web, however, without a second form of verification, it is just about the worst possible choice, almost as bad as choosing “password” as one’s password.
“Using an ATM PIN in the context of the online world is unwise,” says Marty Jost, a product marketing manager at Symantec, the computer security company. “Using an easy-to-remember PIN is even more unwise because it’s easy to guess.”
Jost says websites should use multiple layers of security so that “the password is not the only authentication mechanism.”
Users of Gmail and other Google services, for example, can elect to have a two-step verification system to protect their accounts. When the system is activated, the user fills in the boxes for user name and password, as usual, but then is sent to another page where a verification code must be typed in.
Users may choose to have this arrive as a text message, or they can obtain it by using an app on their smartphone. There’s a backup method, too, in case their smartphone is lost or stolen.
PayPal and Dropbox also offer their users the option of requiring two-step verification for added peace of mind. Many corporate networks have long used this security model, too.
Yes, it’s a bit cumbersome. Jeff Atwood, a software developer, author, and co-founder of the programming question-and-answer site Stack Overflow, acknowledged this when he urged readers of his blog in April to use Gmail’s two-step verification option.
But, he wrote, this process “is inconvenient in the same way that bank vaults and door locks are. The upside is that once you enable this, your email becomes extremely secure.”
That feeling of security originates not with a long master password, which may fall into the hands of a bad actor, but with the elegantly simple two-step verification. The designers of ATMs were on to something.
Two-step verification for Gmail or other Web services can’t work for us, however, unless we set it up. And there’s no better time than the present to do so.
“Not tomorrow. Not next week,” Atwood wrote. Now.