Mobile devices make it easy to hack passwords

c: | f: /

If you use your mobile phone or tablet for any kind of Internet application that requires authentication — Facebook, Twitter or online banking, for example — you’re setting yourself up to get hacked.

The unending march of the mobile device toward ubiquity is a rather astounding technological leap. Having the Internet in your pocket seems such a great idea on the surface, until you start to think about the design corners that have to be cut in order to make the interface simple enough to use.

Anyone who’s ever tried to code on a touch-based keyboard knows what a pain it is: almost every line of code requires a symbol like a dollar or semicolon or a square bracket, which are all on the second or third ‘pages’ on the virtual keyboard. This same design limitation may well undermine your choice of password.

Let’s say you use Facebook a lot on your mobile. You could employ a brilliant password and get the device to store it for you. But if something happens to your phone (e.g. it’s stolen, or you need to factory reset it, or a browser upgrade / crash destroys the file in which the password is stored) then you probably won’t be able to remember it.

If, on the other hand, you don’t get the device to store it on your behalf, then you need to type it every time, and the virtual keyboard makes it very awkward to do so.

When faced with this choice, one way out is to stick with a fully alphabetic password (or at least a mostly-alphabetic one, with symbols chosen from the primary page of the keyboard) because it’s quicker to enter on the mobile’s sucky keyboard. Using such a password is therefore, by design, simpler to crack unless you choose a long one of 25-characters plus. Incidentally, users of services such as Hotmail / Live / Outlook / Whatever-it’s-called-now can’t employ long passwords because Microsoft stupidly enforce an upper length limit. *slow hand clap*

Worse than using a short password, you might be tempted to reuse the password in more than one place. If you used the same password for your email system as your Kickstarter account, for example, then your email is now likely being read by someone else thanks to the bungling exposure of sensitive data during Kickstarter’s recent hack. Same goes for Adobe, btw, who were hacked late 2013 resulting in an alarming number of passwords being leaked, nearly two million of which were 123456. Yes, two million people really are that stupid.

2FA? More like sweet-FA

The second – and more worrying – problem with mobiles is the uptake of companies offering two-factor authentication as a means of securing your account. Hardly a week goes by without one of my email providers or bank “reminding me” at login that I must divulge my mobile phone number to them in the interest of security. I have several problems with that.

Firstly, it’s somewhere else my number is stored. I like to minimise my attack surface by never giving the number out to any companies unless I have a dire, overarching need for them to know it.

Secondly, the very idea that two-factor authentication (2FA) is more secure than single-factor authentication is flawed in today’s world. 2FA is the process of you supplying two methods of communication to a company; usually an email address and a mobile number. The idea is that you register with Facebook, for example, they send you a challenge / code to your email address which you click to verify you own the account. It then asks for your mobile number, sends you a text message with a code in it which you then supply when you first log in to Facebook to prove you also own the mobile. Thus, according to Facebook, you are who you say you are and if you ever lose your account password they have two channels of communication that they can use to authenticate you and aid the recovery of your precious WhineLine of posts.

Except they don’t have two channels, because you use the same damn device to read your emails as you do to retrieve your text messages and phone calls. So you register using your mobile, click the link in your mobile, give your mobile number, receive the message and browse to the login page all from the same piece of hardware.

So, I ask you, how is this any more secure than single factor authentication? If your phone is stolen, once the attacker bypasses the laughably limited ‘phone lock’ code or pattern, they have access to your email and text messages and can login to your account using the code sent out by Facebook to the mobile during the password reset procedure.

Remember those huge nuclear launch consoles where two people need to turn their keys at either end of the console at the same time to activate the strike? Imagine the keys are stolen by Mr. Tickle. That’s how good 2FA is under this circumstance. And that’s before we even consider the leaky sieve of sending data over GSM where information can be snatched from the airwaves in transit with comparative ease. Or that you can set up a forwarder on a mobile phone account by calling up customer services and impersonating the real owner using data readily available from social media. Then put the phone down and request a password reset so your forwarding number receives the one-time code.

So before you use your mobile to access your favourite must-have app, think long and hard about the method(s) of security you are asked to supply and at what level you choose to secure the information. And don’t trust any company who claim your details are safe or are stored in line with “industry best practices”. They’re either outright lying or don’t understand the risks.

4 goats jibber-jabbered

    kidsysco

    Your understanding of 2 factor auth is not complete. You re looking at it from the convenience standpoint of being able to contact you through multiple means. That is not what 2FA is about in any way. 2FA is more secure because it involves both something you have, and something you know.

    You cannot gain access with only 1 of the 2, it requires something you have (1. the phone) and something you know (2. the password).

    This has been widely considered to be more secure ever since the ATM cash machine started out requiring 2FA. It too requires 2 forms of ID, something you have (1. the ATM bank card) and something you know (2. the PIN Number).

    This is why banks do it. This is why everyone does it. The only thing more secure would be to add a third, for 3FA, of something you are.

    1. Something you have, a card or phone.
    2. something you know, a password.
    3. something you are, a retina or fingerprint scan.

    Stef Dawson

    @kidsysco: Thanks for your comment. While this post only skimmed the surface of 2FA (and yes, you’re correct, more from a convenience standpoint), please see my more recent follow-up on 2FA which deals with the something you know/something you own problem in the mobile world.

    Rick

    2fa is good security for the reasons the other poster mentioned.

    Proper 2fa requires the use of an RSA key app that runs on your phone. rather than sending a text the challenge comes in the form of a six digit RSA key that changes every 60 seconds. Can this technology be beat? maybe. Does the NSA/CIA want my info? If they do, all the security in the world won’t help.

    The best security for the perpetually paranoid is to not use any technology, credit cards, hospitals that require ID, etc., etc.

    Stef Dawson

    @Rick. 2FA is better security than none at all, but it’s no more secure than a single factor if you don’t use passwords correctly. Anyone who does any of the following will NOT benefit from regular 2FA:

    1. Uses a crap phone lock code and unlocks their device in the open (i.e. without shielding the display first).
    2. Allows their device to auto-log them in to any service.
    3. Uses an easily-guessable passphrase.
    4. Uses the same passprase on multiple accounts.
    5. Daisy-chains regular accounts together (using one as the recovery mechanism for another).
    6. Uses a regular email account as a recovery address. You should use a non-identifiable email account as backup.
    7. Answers truthfully to ‘secondary questions’ like first car, mother’s maiden name, dog’s name, etc.
    8. Posts personal details on social media or the internet.

    An authenticator app is way better than SMS, and I agree that a dedicated token-based hardware system is even better still (as long as the algorithm that generates the keys isn’t compromised, as you imply).

    My point in this article is that 2FA in and of itself is not this “magic” thing that makes everything more secure. At its best, it improves things a few percentage points, but that can be easily undermined by lowering your guard with regards other mechanisms due to the false sense of security companies provide by lauding it as “the ultimate security solution”. It’s not.

    The mobile on-screen keyboard is just not up to the job of making good passwords viable because of the stupid rules enforced by corporations (e.g. must include at least one capital letter, one symbol, one number, etc).

    The sooner we can abolish this practice and remove enforced length limits so my password for, say, an online Linux service can be something like penguin.keyboard.archbishop.walnut – something memorable that I can type very fast on a mobile keyboard and provides significantly more entropy than a ten-character password with symbols – the better.

When fingers meet keyboard

(required)

(required, never made visible)

(optional, linked with rel="nofollow")

(required)