Journalist’s experiment to prove that passwords are dying goes horribly wrong
Wall Street Journal journalist Christopher Mims attempted to prove the dwindling importance of passwords by giving out his Twitter password to the public. The results were not what he expected.
Mims claimed that passwords as a form of authentication were becoming obsolete by heralding device-based authentication as a true means of keeping accounts secure. Device-based authentication uses a personal device, such as a smartphone, instead of a text-based password to access sensitive information. He argued that hackers can obtain a password, but a physical device can be disabled if lost and is further secured via PIN or biometric data, such as a fingerprint.
Mims also emphasized the power of two-factor authentication, which most online services offer, including Google, Yahoo, Steam and Facebook. Two-factor authentication requires you to prove your identity with both a password and another form of verification, which is usually a randomly generated numerical code sent as a text message to your phone number for you to enter on the website or service you’re trying to access. The idea is that only you would have that phone in your possession, and therefore only you could obtain the code. Two-factor verification is certainly a valid and powerful tool for keeping your accounts safe, and Mims’ experiment proved it, at the expense of some unfortunate consequences.
As soon as his password was posted to the public, Mims’ phone was constantly buzzing with verification requests at a frequency of 2 text messages per minute. Each text indicated that someone other than him was trying to access his Twitter account. Eventually, Mims decided to switch from text-based verification to app-based verification through Twitter’s official iPhone app. Unfortunately (or fortunately, depending on how you look at it), this exposed a glaring flaw in Twitter’s two-factor authentication process: when sending verification requests to the user’s phone, Twitter would reveal that user’s phone number to those attempting to access the account.
So while Mims’ Twitter account was never actually hacked, his phone number had been compromised. This opened him up to a number of attacks and pranks, as one can imagine.
Mims’ stunt attracted the criticism of other journalists, accusing him of writing a “click bait” article and simply vying for attention. New York Magazine tech writer Kevin Roose even mocked the experiment on Twitter, posting “Cool contest: mug @mims for his phone, and you get his twitter account too!”
Following the barrage of texts and phone calls Mims received as a result of his experiment gone awry, his overworked phone disconnected from service, and he was eventually forced to change his phone number altogether.
Two days after his initial article, Mims wrote a follow-up piece containing a modicum of regret. Mims still believes that passwords are no longer a viable form of protection, which is true to a point. He uses the rest of the piece to offer general security tips and focuses on the flaw in Twitter’s security system that exposed his phone number in the first place. The revelation of this weakness is probably the best thing to come out of this ordeal.
In the end, Mims’ Twitter account remained uncompromised, demonstrating the security of two-factor authentication. This embarrassing experiment, however, shows that you can’t rely on a single element to keep your data safe. You have to be more knowledgeable, use a password manager, never use the same password on multiple accounts, be careful about who you share your data with, and always be on your guard. And, please, never challenge a hacker, no matter how secure your data may seem. If they’re determined, they’ll find a way in.
By Alfredo Dizon, eParisExtra