The future of passwords: how sharing with your friends can beef up your security and reduce websites’ data breach risks

If you have online accounts, you’re going to start seeing a lot of two new technologies that help keep your personal data secure and private online. One calls upon your friends to prove that you’re you if you need to recover a forgotten password. The other lets you create and use a password on a website without that site knowing your password: you lock up your data on their site so securely that even they can’t access it. In geek speak, they’re called 2-factor authentication via friends and host-proof hosting, respectively. Here’s what you need to know about them.

Part I: Sharing with your friends can protect your passwords

Facebook has come out with Trusted Contacts to make it easier to safely recover passwords. The idea behind Trusted Contacts is that you have friends who can help you recover your passwords if you forget them. If you opt into Trusted Contacts, Facebook asks you to enter at least 3 friends you trust. If you later forget your password, you start the password recovery process on Facebook, then contact some of these friends (most likely over the phone), and they each supply you with a separate validation code.  Enter 3 correct codes and you unlock your password. It’s sort of like the “phone-a-friend” option on “Who Wants to be a Millionaire,” but Facebook compares it to giving out spare keys to your house to your close friends.


You might wonder, “Why wouldn’t I just click the ‘forgot password’ link and get my password sent to my email address?” Well, sites that have lots of personal information are the frequent target of hackers, impersonators, and other types of fraud. It’s not hard for a stranger to have your forgotten password sent to him instead of you. Your email account could be hacked, your phone stolen, and the security questions on your account could be easily answered by spending a few dollars at a public records website that sells data that doubles as common security questions, like your mother’s maiden name or the name of your first school.

Using multiple real friends to unlock a forgotten password appears to solve many of the security problems that can leave you open to being hacked during password recovery.  It’s a fundamentally more secure way to validate your identity and to recover an important forgotten password.  Facebook has had its share of privacy blunders in the past, but Trusted Contacts actually allows for better data privacy protection. You might also worry that enabling Trusted Contacts reveals your closest friends to Facebook. Trust us: Facebook already knows that by how often you communicate with those people, post on their walls, view their pages, tag photos of yourself with them, etc. You aren’t telling Facebook anything it doesn’t already know.


To enable Trusted Contacts in Facebook, go to your Privacy Settings, then Security, and then click “Edit” next to Trusted Contacts. You’ll need to select at least 3 Facebook friends, and although Facebook automatically notifies whoever you choose, we recommend giving them the heads-up yourself.

Part II: Sites can let you create passwords that they’ll never know

More and more online services don’t want to store and manage your passwords because they don’t want to deal with issues like hackers, lawsuits, data breaches, internal investigations, and customer support, and there’s an emerging solution for them.

Websites can encrypt and store your password in a way that denies them access to it, called host-proof hosting.  Although you can use your password normally to log in to the site, not even the developers and IT administrators can access your password.  Don’t get confused by the word “encryption” (most passwords are encrypted): this is a special form of one-way encryption where the site can recognize that your password is unique and correct, but is never able to actually know what your password is.

This kind of protection keeps you and your data much more secure, which is great, but you’re still screwed if you forget that password because the site admins can’t get it for you. Ironically, this can lead people to reuse passwords at these sites for fear of forgetting them. That aside, host-proof hosting is sort of a win-win: users benefit from the privacy of being the only ones who know their passwords, and websites benefit from not having to manage huge databases of personal info that are vulnerable to breaches. We’re using it ourselves in an upcoming privacy tool.
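
One way a site can check a password without ever holding it or the key to your data, as an added sketch (not code from this article or from any particular site): the user's device stretches the password and splits the result into a login token and a data key, and the site stores only a hash of the token. The PBKDF2 parameters, the `Site` class and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def client_derive(password: str, salt: bytes):
    """Runs on the user's device: stretch the password into 64 bytes,
    then split them into a login token and a data-encryption key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]  # (auth_token, data_key)


class Site:
    """Server side: keeps a salt and a hash of the login token, nothing else."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, auth_token):
        self.accounts[user] = (salt, hashlib.sha256(auth_token).digest())

    def salt_for(self, user):
        return self.accounts[user][0]

    def login(self, user, auth_token):
        _, stored = self.accounts[user]
        candidate = hashlib.sha256(auth_token).digest()
        return hmac.compare_digest(stored, candidate)  # constant-time compare


def demo():
    site = Site()
    salt = os.urandom(16)
    # Constructed sample passwords; the data key never leaves the device.
    token, data_key = client_derive("correct horse battery staple", salt)
    site.register("alice", salt, token)
    good, _ = client_derive("correct horse battery staple", site.salt_for("alice"))
    bad, _ = client_derive("Tr0ub4dor&3", site.salt_for("alice"))
    return site.login("alice", good), site.login("alice", bad), data_key


if __name__ == "__main__":
    print(demo()[:2])
```

The site can confirm a login, but the second half of the derived bytes, which would encrypt the stored data, is never sent to it; that is also why the site cannot help when the password is forgotten.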

The most secure option for the future might be a combination of these two technologies

If you put these two technologies together—2-factor authentication via friends and host-proof hosting—you get something that can work pretty well to protect the privacy of your most vital and private online information yet still allows you to recover your password in an emergency.  Here’s a summary of how it might work:

  1. You make a password on a site
  2. You identify a set of friends who can unlock your password if you forget it
  3. The site encrypts your password and your data in such a way that even the site itself cannot access it
  4. Your friends get special snippets, called keys, of the password info. Together, only your friends, not the site, can restore your password if you forget it.
Image: Telegraph.co.uk

Here’s an analogy. The sites that have your valuable data are like gyms, and they provide lockers that you lock up yourself. Only you have the lock and key; the gym provides the storage and the services you want to use, but they can’t peek in and see your sweaty undergarments.  If someone breaks into the gym, the thieves still have to pick each locker’s unique lock, not one big lock that guards everyone’s stuff.

This can work pretty much the same way with your online data.  You can store some data on a site that provides cool features and services but lock up the really personal stuff with a password the site can’t even unlock itself. But if you forget the password you made, the site can’t even send it to you because it can’t get it in readable form either (it still stores it somewhere, but in an encrypted irreversible format).  Can you ever get it back?

If you shared the password you made with your trusted contacts, you can.

Sure, it’s a bit of an awkward process, so sites would need to implement it the right way.  And even then, your multiple friends could lose the info, get hacked, not be around when you need them, or get scammed into believing you’re really you by some clever impersonators. However, it’s a reasonable way for both users and websites to provide a degree of privacy and data protection within a user’s control.

As we live more and more of our lives online, and as our actions are turned into data that’s mined for the deeply personal portrait it paints of us, what better way to protect it than to rely on the only social network that has existed for nearly all of humanity: our close, real-life friends.  Together, these technologies can allow users to secure their data and recover it while simultaneously letting sites limit their own liability.



