The Interview: Per Thorsheim, password and cybersecurity expert

3 Apr 2015

Per Thorsheim, password and cybersecurity expert

The recent breach whereby Amazon-owned Twitch had to reset passwords for all of its users is only the tip of the iceberg if companies loosen security just to gain customers, warns password expert Per Thorsheim.

Thorsheim is an IT security consultant based in Bergen, Norway, who came to global attention in June 2012 when he revealed that LinkedIn had been hacked.

Something of an authority on password security, Thorsheim received the Commander’s Coin from the chief of the Norwegian Cyber Defence Forces in Spring 2014.

Thorsheim, who will be in Dublin on 22 and 23 April to address the Smart Business Show, warned that password security breaches like that of games video site Twitch could become more commonplace as two-factor authentication is different across most of the major tech sites and password managers are still complicated and costly to the average internet user.

“Passwords are not going to go away in the foreseeable future. Not in my lifetime,” he said. “Replacing passwords is going to take a massive amount of work and cost so much money that it is really not worth bothering from an economic perspective. That’s the sad truth about passwords and their future.”

Thorsheim says the the most common advice he gives people is not to use the same passwords across various services and to either use a password manager or write down the passwords and store them somewhere safe at home.

“Seventy per cent of us will reuse the same password across two or more services,” he claimed.

He supports the move to two-factor authentication by tech giants like Twitter, Facebook and particularly Apple after iCloud addresses belonging to Hollywood actresses were hacked.

However, he points out that no two two-factor authentication systems are the same in design, which doesn’t actually help encourage consumers to use them.

“Two-factor authentication is not like replacing passwords with something else, we are just adding to the fact. And the same is true with iris scans, fingerprint recognition and software tokens.

“You will still need a good password so if one factor fails, you still have the other.

“The two-factor concept is well known in the tech industry, but there are no predominant standards on how to implement, develop, maintain, monitor and exercise security.

“Facebook, for example, does two-factor authentication rather differently to Twitter and the same is true for Google, for Yahoo!, and this brings even more confusion to people.

“If the 10 biggest service providers on the internet want to do this – well, frankly, it is a mess.

“Improving usability would improve things but today it is a mess.”

Maintaining high standards in password security

Thorsheim said he believes the reason Twitch was compromised was due to a decision to reduce the minimum length of passwords from 20 down to eight characters.

“In security terms, that is a big change. 20 is certainly beyond excessive, but reducing down to eight is far below what I would consider minimum today. And the reason they did that was because consumers were complaining that 20 characters was too long.”

Thorsheim said it is in the interests of service providers to encourage consumers to work on the integrity of their passwords and ensure they are good and strong.

“There is no trade-off. These companies are in the middle of a crisis and need to do risk management.

“They need to decide is it better to gain lots of customers by lowering the password security requirement, or risk their entire reputation and sign up customers at a slower rate by not lowering password security requirements.”

Thorsheim believes that other companies will act in a similar manner to Twitch and will lower password length requirements because users are complaining about length.

“Being the first one to raise the bar for better security in my view means you are not running the risk of failing because you are thinking about doing better than competitors in terms of security.

“It’s a trade-off, but it is the analysis you need to do and I don’t believe most companies are doing the risk analysis and are just doing the same thing as other companies.”

He emphasised the need for the industry to collaborate on making two-factor authentication more usable.

“Everybody complains about passwords, but they are here for the foreseeable future.”

Per Thorsheim will be a keynote speaker at the upcoming Smart Business Show at the RDS on 22 and 23 April

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years