
'Password'; '123456'; '12345678' - the top three most-used online passwords of 2011, as revealed in lists published on the web by hackers. It may not seem like an act of community spirit to highlight poor security practice by such a reckless release of our precious digital keys, but for the fact that the very same three also came top in 2012. These hackers are, relatively speaking, the good guys - publishing the passwords to alert us to the fact that maybe our passwords should be less popular than they are, rather than using them in secret to defraud us. It's surely a wake-up call: the password seems to be reaching a crisis point. But is there anything that could replace passwords as we currently use them?
Collaborating and doing science digitally raises the same security challenges as the rest of the online world - not least because many researchers are online outside of work, just like everybody else. With many people becoming overwhelmed by the growing number of web-based services they use daily, each potentially requiring its own password, the concept of a universal web identity seems like a sensible solution. In distributed computing, and in grid computing in particular, there has been a long-standing use of certificates that identify users and authorize them to use grid services, and that can be installed across many of a user's devices. If a machine is lost or stolen, the certificate itself can be easily revoked.
Contrast this with the wide variety of social media identities, online banking, email, desktop cloud syncing and other web-integrated services we use. If we've followed the proper advice, we'll have different, strong passwords (comprising both upper and lowercase letters, numbers, and symbols) for each one. A user finding themself the victim of device theft or a phishing attack might have to change all of these passwords individually, testing their memory to the limit just to access each service's settings, from where they can change each password. Perhaps, in an attempt to make our lives easier, we have saved all those passwords in our web browser, where they can be easily liberated by a thief, or maybe we keep them all the same: a strong password, perhaps, but one that is easily determined by a malware-installed keylogger. (For some tips on safer password techniques, take a look at CERN Security Officer Stefan Lüders's blog post on the topic.)
The many ways that password protection can be misused and abused in order to hijack an individual's entire online identity have been demonstrated in some high profile cases, a problem sometimes exacerbated by certain web services' attitudes to sending password reset codes to a different email address provided by a fraudster over the phone.
Herein lies the issue: those services that allowed access to fraudsters believed they were helping the correct hapless and forgetful web user regain access to their files - a scenario that may be all too familiar to the average user. There is a balance to be achieved, therefore, between security on the one hand, and accessibility on the other.
Services like OpenID, which gather together our online identities, perhaps haven't had the uptake that they may have deserved. De facto universal web identities that allow the use of social media credentials (Facebook and Twitter) to access a wide variety of web services have largely taken over in this area.
Much of social media's advocacy of real online personas belonging to real people stands in contrast to the early days of the online world, where anonymity ruled, but chimes well with some developers of online services for research. Roberto Barbera of the University of Catania, Italy, is the technical coordinator of the CHAIN-REDS project, which is bringing federated access to different grid services across the globe. CHAIN-REDS, led by INFN, Italy, is one of the projects trialing access using social credentials. "With the same simple sign-on, a user could access everything from their campus network via eduroam, to the entire global grid. This is tremendously powerful," says Barbera.
Simplifying access from a new user's perspective could help open up grids and academic clouds to more researchers in the currently underrepresented life sciences and humanities research communities, but it can present new security challenges. "A profound trust relationship, such as one provided by the International Grid Trust Federation, is the single most important ingredient for CERN before authorizing external identities issued by partner institutes to access CERN computing services," says Stefan Lüders.
Post-password, biometric ID authentication based on facial or iris recognition looks likely to play some role in how we use devices in the future. Such technologies have been in place for a number of years at national border controls, and are becoming more commonplace in mobile devices. How web freedoms can be maintained in a future where our bodies become our logins and passwords is likely to be an area of intense discussion.
Read more in 'The Security Issue' of e-ScienceBriefings, which you can download here.