Obtaining instant breach transparency with ‘cryptopasswords’
Recently, in a conversation with Rob Witoff (formerly on the security team at Coinbase, now at Google) we discussed the idea of replacing passwords with private keys that control public cryptocurrency wallets. Excited about the potential, he put it into action hours later:
Here are the concepts behind this idea, which might not be completely obvious at first:
- Companies shouldn’t actually be storing passwords in a way that their systems, or anyone with access to their systems, can actually view them as plain text (they’re one-way hashed). However, this is something that companies screw up.
- Using a cryptocurrency private key as a password means that if someone has access to your password in plain text, they would also have access to the balance associated with the private key. There isn’t a guarantee that hackers will know (or choose) to steal the cryptocurrency — although, if this becomes a common practice, there is probably some game theory that suggests that a hacker with access to a quick and substantial win will take the money and run.
- After switching to a cryptocurrency private key as your password, you’ll want to monitor the public balance of the wallets associated with that key. To do this, Rob created an open source project: https://github.com/witoff/balance-monitor. If the balance drops, it means someone has access to your private key, so you’re effectively instantly informed that your password has been compromised.
(Note: As Litecoin creator Charlie Lee pointed out, you’d probably want to identify your key by the type of coin associated with it).
It’s not such a crazy idea
This idea might seem crazy, but hear me out. As the result of a recent security incident at Mixpanel, where the company was sucking up passwords in plain text, the security team is now looking for evidence that this information was not accessed. This would probably be an easier process if these passwords were #cryptopasswords. In that case, any bad actors who were able to exploit the Mixpanel bug might have chosen to empty these balances while they had the chance.
The cascading effect would be that users who deposited those #cryptopasswords would have been notified that their balances had been stolen. Instant breach transparency.
In fact, the foundations of this idea came to me when I learned that, in late December, Reddit was hacked via one of its SaaS vendors, Mailgun. The goal of the attack was to steal Reddit Gold tips that had been disbursed via Bitcoin. Interestingly, the attack was discovered and disclosed within a week of its occurrence mostly because the Reddit users noticed they had lost the Bitcoin associated with their accounts.
This was an example of the potential paradigm shift to immediate breach transparency. Because a digitally scarce and anonymous asset (Bitcoin Cash) was stolen, the custodial party (Reddit) was immediately held responsible by its customers, who could instantly verify that their funds were irreversibly stolen. Conversely, the Equifax hack timeline shows that it took Equifax over 2 months to discover that criminals had stolen the Social Security number (a non-digitally-scarce asset) of nearly every American adult, and then another 5 weeks to announce it publicly.
The bottom line is, if someone steals your cryptocurrency, you know. If someone steals your password, your SSN or any other PII for that matter, you are at the mercy of the custodial party to discover and disclose that to you.
How would this look?
The best implementation of this would be an option integrated with a password manager like 1Password. Instead of generating a random string for a specific password, it could generate a cryptocurrency private key and allow the user to determine the value to assign to that specific password. An integration like this would by default create different passwords for every service, each with a specific amount of cryptocurrency associated with it.
From there, building in the monitoring of the public wallets for each account would be a pretty simple add-on. With widespread adoption, a service like 1Password could actually publish the amount of cryptocurrency that is stored with each service (e.g., “1Password users have stored 7,432 LTC in Twitter passwords.”). Essentially, this would be a simple crowd sourced bug bounty for any website.
What other applications could this have?
I’m sure there are many more applications and ideas for fleshing out this concept, and some of them should push us to add an additional layer of defense against attacks that rely on user passwords to steal data.
For example, a more thorough and developed implementation of this concept could actually help establish a market-based solution to the problems with data-breach disclosure that governments are currently addressing with strict regulations, such as the EU’s forthcoming GDPR. By interweaving the foundations of cryptocurrencies into their data-storage processes, companies will be able to provide additional assurances to both users and regulatory bodies that the data they hold hasn’t been compromised. More than likely, it would just expose what a mess SaaS usage can create in terms of attack surface area.
Like I said, this is just some early thinking on the topic, but I’m confident there’s a real opportunity here to get creative and have a meaningful impact on cybersecurity. If you have other ideas for applications or implementation details, or some good reasons why I’m way off-base, please do share them.