Blog post update 21 May 2020
A little more than a month ago there was a relatively small announcement about a vulnerability in CloudFlare’s infrastructure. Most people who glanced over the headlines were probably not worried at all and may simply have asked, “What or who is CloudFlare?”
When we hear about breaches or potential breaches, they are usually associated with a big name, which makes it relatively easy for individuals to judge their exposure.
What makes the CloudFlare vulnerability especially concerning is that its infrastructure is used by some 5.5 million websites on the Internet, and its reach extends beyond those sites into mobile apps as well. In fact, some pretty big household names use its services.
The vulnerability itself exposed secret data via an implementation bug involving secret keys. Without getting into the technical details, the researcher who found the bug reported that he was able to see private chat logs, dating site private messages, passwords and personal information, as well as travel bookings.
In short, it could have been an identity theft nightmare.
Unfortunately, short of giving up Internet services altogether, there is not a lot you can do to protect your data from these types of bugs. We are also in an era where a breach or a vulnerability may happen without users ever knowing about it.
And passwords have been an issue since the dawn of computing. They tend to be either so complex that no one can remember them, or so obvious that anyone can guess them.
But some steps can be taken to make it a little more difficult for hackers to steal your passwords:
- Don’t use the same password on more than one site on the Internet. This limits your exposure in the event that one password is compromised.
- Change passwords regularly. Don’t be paranoid and change passwords every day, but have a schedule and make it a habit.
- Keep passwords very different between sites. Don’t use a formula that would be easy to figure out.
- Close accounts that you no longer need, if possible.
Luckily, passwords are not the only form of authentication; we are seeing many other technologies driving the future of user authentication. Examples include social login, shared secrets, PINs, patterns, QR codes, tokens, biometrics and Digital DNA.
Biometrics are becoming more prevalent and have proven extremely effective, but they are not yet foolproof and require specialized equipment.
Digital identities are unique as they leverage the infinite number of connections users create when they transact online.
The traditional authentication methods will be here for a while, or at least will be used in conjunction with newer technologies. There is, however, an important shift taking place toward finding new and better solutions.