Within a 90-day period, Yahoo announced two breaches that it had been sitting on for years, totaling 1.5 billion exposed client records: half a billion disclosed in late September of 2016, and a billion in December.
My initial reaction was sarcasm; I wasn't aware that Yahoo had more than a few hundred subscribers left. But my feelings quickly turned to righteous indignation, as it would take no less than systemic negligence for a company to lose this much information, and then, to add insult to injury, to sit on its findings for years, ensuring that those who made away with the account information had ample opportunity to cause the maximum amount of damage unchecked.
Even with stiffer regulation coming into effect, and data protection offices such as the UK's ICO (Information Commissioner's Office) levying steeper and steeper fines, this occurrence is far from unique. Breaches happen on a daily basis, and the individuals affected are rarely ever told that their information has been compromised.
Most tech writers will start by lambasting Yahoo for nonexistent security, something I firmly believe to be well deserved. Yahoo and Marissa Mayer should be very transparent and explain to us all, publicly, how these breaches came to be, who was responsible for the decision to withhold their announcement, and moreover what their incident response plan is moving forward.
Next will come the industry, once again proclaiming that passwords are the problem and that we should move to biometrics or a litany of technologies that would work in the Valley but disenfranchise the bulk of everyone else.
Today there are billions of passwords in use, and while I am a fan of new authentication technologies, the issue is that most of them fall under these realities:
- They are designed in a vacuum
- They require sites and services to change their technology to accommodate the new authentication controls
- They require users to individually learn how to use them
And even with giants like Google trying to introduce changes along those lines, adoption is in the single digits.
What happens in 2017? myki.
The approach we've taken with myki doesn't require changes to any sites or services, and very little of the users: the service sits silently in the background, creating new passwords for new services, logging into those already registered, and updating those passwords regularly, not just in cases of disclosed or discovered breaches.
The weaknesses related to passwords are addressed head on: myki makes it so that you never have to create, update or remember any password ever again, and each password is complex, unique and unknown to the user or anyone else. Passwords are secured and stored in a distributed network with no central password repository, unlike the solutions that most service providers offer, whose central repositories make them a valuable target for attackers.
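The two properties claimed above, a complex, unique password per service and regular rotation independent of any breach notice, are easy to get wrong when a developer reaches for a general-purpose random number generator or forgets to track when a credential was last changed. The following is an added illustration written for this post; it is not myki's code and says nothing about how myki stores or distributes secrets. The function names (`generate_password`, `entropy_bits`, `provision_accounts`, `accounts_due`), the 90-day rotation interval and the sample service list are all assumptions made for the example.

```python
import math
import secrets
import string
from datetime import datetime, timedelta

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Return a password drawn from the OS CSPRNG via `secrets`.

    `random.choice` is seeded from a predictable state and must not be used
    for credentials; `secrets.choice` is the standard-library choice for that.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection-sample until every character class is present, so that naive
        # site password policies accept the result. This discards a small part of
        # the keyspace, so entropy_bits() below is an upper bound, not an exact figure.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on the entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def rotation_due(last_rotated: datetime, now: datetime, interval_days: int = 90) -> bool:
    """True when a credential is older than the rotation interval (assumed: 90 days)."""
    return now - last_rotated >= timedelta(days=interval_days)


def provision_accounts(services, now: datetime) -> dict:
    """Create one fresh, unique password per service and record when it was set.

    The returned dict stands in for a user's vault for the purpose of this
    example only; a real product would encrypt it at rest and never keep it
    in plain memory longer than needed.
    """
    vault = {}
    for svc in services:
        vault[svc] = {"password": generate_password(), "rotated": now}
    return vault


def accounts_due(vault: dict, now: datetime, interval_days: int = 90) -> list:
    """Names of services whose password should be rotated now, in sorted order."""
    return sorted(svc for svc, rec in vault.items()
                  if rotation_due(rec["rotated"], now, interval_days))


if __name__ == "__main__":
    # Constructed sample data: three services provisioned on one date, then
    # one of them re-rotated later, so only two are due at the check date.
    t0 = datetime(2016, 9, 1)
    vault = provision_accounts(["mail.example", "shop.example", "bank.example"], t0)
    vault["bank.example"]["rotated"] = datetime(2016, 11, 15)
    check = datetime(2016, 12, 15)
    print("entropy upper bound (bits):", round(entropy_bits(24), 1))
    print("due for rotation:", accounts_due(vault, check))
```

The point of the rotation check is that it is driven by age alone: a password gets replaced on schedule whether or not anyone has announced a breach, which is exactly the gap the Yahoo disclosures exposed. The entropy figure is worth printing during development because it makes the cost of shortening the password or the alphabet visible in bits rather than in vague terms like "complex".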
myki's aim is to secure users' online identities with as little input from the users as possible. And so the secret, in this case, is not to reinvent the wheel. The secret is to work with the wheel we have to achieve this common goal, without having to go out there and teach everyone how to drive all over again.