Will the Cloud Kill the Password?
Passwords are being replaced, and thefts from the cloud could speed their demise
Recent hacks of cloud-stored photos have raised questions about the vulnerability of passwords.
Cloud servers have become online storehouses for vast amounts of information about people’s lives, and fears about their use may lead to the end of the password system that allowed on services like Apple’s iCloud.
The latest security gap in a cloud-computing system was announced Thursday by the Xen Project software group, which has released a patch to repair a flaw in its platform that could affect cloud services offered by Amazon and Rackspace. The glitch could allow hackers to access server data through the Xen cloud system or to crash that system, according to the group, which noted that problems like the Heartbleed software bug “have put a spotlight on software security issues.”
Apple’s iCloud server is also facing backlash from customers after the theft of nude photos from the accounts of famous actresses, and the company insisted the thieves took advantage of weak password protection on the accounts. Cloud accounts are increasingly targeted by hackers as more people upload data onto the services, and the most popular way to break into the accounts is through the front door – with a password.
“The weakness across the board is really a password,” says James Lewis, a cybersecurity researcher at the Center for Strategic and International Studies.
Cloud storage is still new technology and some companies have poor cybersecurity plans. A very common part of that problem is that companies “haven’t thought about balancing ease of access for consumers with securing access,” Lewis says. For example, some Web services lock users out and require verification after they guess a password wrong a certain number of times, while others allow unlimited guesses.
Apple has taken the lead in replacing passwords with its Touch ID fingerprint scanner for newer iPhones, along with security measures on its Apple Pay system that will protect mobile payments by randomly generating codes each time a payment is made. The government’s National Strategy for Trusted Identities in Cyberspace also aims to develop new security options that could replace passwords on federal networks by 2020.
Google and Apple also suggest people use “two-step verification” by linking their phone numbers with their online accounts to add an extra security boundary in case a password is cracked. The problem with that approach is that some consumers don’t trust companies enough to share more private information, in part because it could put even more data at risk of being stolen, Lewis says.
“One of the things that harms [the] trust of service providers in the U.S. is that people know their data is being harvested and are reluctant to better authenticate themselves,” he says.
The U.S. could help boost that trust with improved laws to protect online privacy, and Silicon Valley could make a greater commitment to protect the data of its customers, Lewis says. Apple and Google recently have sought to alleviate user fears that their information will be sold or that the companies will be compelled to share data with the National Security Agency. Both tech giants separately announced they will no longer hold the encryption keys to the iOS or Android operating systems, making it impossible for them to access data stored on cellphones at the request of law enforcement.
This security measure is a positive step, but America “is a long way from having your mobile phone be your credit card,” Lewis says, citing a trust gap that, if bridged, could grow the use of mobile payments and other services on phones.