Passwords are the bane of online existence: they are easy to forget, easy to steal, and a virtual doorway to one’s personal information. Several studies have found that, given a choice, most people pick very weak passwords such as birthdays or phone numbers, which make their accounts easy to crack. Additionally, the largest online businesses, from Facebook to Target and Equifax, are all very susceptible to hacks because of their centralized model. Here’s a look at how blockchain decentralization could revolutionize passwords and make our online presence more secure.
The Problem Affecting Passwords
According to the Verizon Data Breach Investigations Report (DBIR) of 2017, 81% of data breaches are caused by hacked passwords. Verizon’s report states that the share of data breaches involving stolen or weak passwords has gone from 50 percent to 66 percent in recent years, signifying a shift in the demographics of online users. The remaining passwords are also easy to crack because users routinely build them from personal information so that they can easily recall them later. Other common passwords include the sequence “12345” and the word “password”, used by a large majority of people. This creates a huge vulnerability that affects almost all online businesses. Some of the biggest data breaches in the last 3 years include Facebook’s breach, which left a record 50 million people’s information exposed, along with breaches at Apple, Equifax, and Sony. Another common way that users get their passwords stolen online is phishing sites. These are websites deliberately designed to trick the user into thinking they are on a trusted website in order to steal their password. For instance, a fraudulent website that purports to be an official bank website could obtain all of the user’s account information for personal gain. It is clear that passwords are a cause for much concern, as cyber attacks in 2017 cost U.S. enterprises an average of $1.3 million.
While some of the attacks described above, such as phishing, can be countered by password management services that check a website’s security certificate before sharing passwords, others are harder to prevent. Even the popular password manager service LastPass suffered a hack in 2017, which should be very concerning for people considering using one. The problem in all of these scenarios remains one of architecture, specifically that of centralized systems. Centralized systems become an easy target for hackers because they pose a single point of failure from which hackers can make a lot of money with a single successful attack. Blockchains have the potential to democratize password management to a much greater extent, which could really increase security online.
Blockchains and Passwords
Blockchains can usher in an era of passwordless logins, making usernames and passwords obsolete. For instance, the popular hardware wallets Ledger and Trezor both allow users to physically click a button on the device to log in to a website such as MyEtherWallet. The digital signature that only the device is capable of generating is the only way to gain access to the unlocked wallet in this case. This makes the transaction much more secure, because the private key used to generate the digital signature never leaves the device, so an attacker has no way to read it. Another blockchain based password solution is SQRL, or Secure, Quick, Reliable Login, which uses public key cryptography to ensure security while employing QR codes to make the process more accessible to everyone. The software solution typically uses a link of the scheme “sqrl://” or optionally a QR code, and the user authenticates with a zero-knowledge proof rather than by providing a user ID and password.
As discussed above, the key issue remains that of centralized servers responsible for authentication. REMME is a blockchain based startup that is fundamentally tackling that exact problem. Instead of a password, REMME gives each device its own SSL certificate. At login time, users get a prompt on their device asking for a signature made with the key behind that certificate. There would be no way to forge an SSL certificate, giving users complete control over their logins without relying on a centralized service. REMME is trying to build distributed Public Key Infrastructure (PKI) management on top of the X.509 standard using blockchain technology.
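The two preceding sections describe the same mechanism from two angles: a device-held private key signs a login challenge, and the server stores nothing but public keys or certificates. The following Go program is an added illustration of that challenge-response flow and is not code from Ledger, Trezor, SQRL or REMME. It assumes an Ed25519 key pair derived per site from a device master secret (seed = HMAC-SHA256(master, site), an assumption modelled loosely on SQRL's per-site keys) and a constructed site name of "bank.example"; it shows that a leaked server database contains nothing an attacker can log in with, that a challenge can be used only once, and that the key a device derives for one site does not verify at another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models a hardware authenticator: the master secret is generated on
// the device and is never exported. Per-site keys are derived from it, so the
// key registered at one site reveals nothing about the key used at another.
type Device struct {
	master []byte
}

// NewDevice creates a device with a fresh 32-byte master secret.
func NewDevice() (*Device, error) {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		return nil, err
	}
	return &Device{master: m}, nil
}

// siteKey derives the Ed25519 key pair for one site. The derivation
// (seed = HMAC-SHA256(master, site)) is an assumption for this example.
func (d *Device) siteKey(site string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, d.master)
	mac.Write([]byte(site))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // SHA-256 output is a 32-byte seed
}

// PublicKeyFor is the only thing the device ever hands to a site.
func (d *Device) PublicKeyFor(site string) ed25519.PublicKey {
	return d.siteKey(site).Public().(ed25519.PublicKey)
}

// Sign answers a login challenge; the private key stays inside the device.
func (d *Device) Sign(site string, challenge []byte) []byte {
	return ed25519.Sign(d.siteKey(site), challenge)
}

// Server keeps only public keys, so a database leak exposes nothing that
// lets an attacker log in, unlike a table of password hashes.
type Server struct {
	site    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding single-use challenges
}

func NewServer(site string) *Server {
	return &Server{site: site, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the public key the device presented at enrolment.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// Challenge issues a fresh random nonce prefixed with the site name, so the
// signed message is only meaningful for this server.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ch := append([]byte(s.site+"|"), nonce...)
	s.pending[user] = ch
	return ch, nil
}

// Login verifies the signature over the outstanding challenge. The challenge
// is consumed whether or not verification succeeds, which rejects replays.
func (s *Server) Login(user string, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	ch, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, user)
	if !ed25519.Verify(pub, ch, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv := NewServer("bank.example") // constructed site name
	srv.Register("alice", dev.PublicKeyFor("bank.example"))

	ch, _ := srv.Challenge("alice")
	fmt.Println("genuine login:", srv.Login("alice", dev.Sign("bank.example", ch)))
	fmt.Println("replayed signature:", srv.Login("alice", dev.Sign("bank.example", ch)))

	ch, _ = srv.Challenge("alice")
	// The device saw a different site name, so it derived a different key.
	fmt.Println("key for another site:", srv.Login("alice", dev.Sign("other.example", ch)))
}
```

The point to notice is what the server holds: a map of public keys. Stealing it gives an attacker nothing to replay or crack, which is the property the article attributes to hardware wallets and to REMME's per-device certificates. Binding each challenge to the site name and consuming it on first use are the two checks a practitioner adds so that a captured signature cannot be reused.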