They are a decidedly mixed bag; therein lies one of the many paradoxes of narcissism and the primary reason narcissists are so difficult to identify and understand. If narcissists were just jerks, they would be easy to avoid. The fact that they are entertaining and exciting as well as aggressive and manipulative makes them compelling in the real world and as subjects of psychological scrutiny.
A cross section of the narcissist’s ego will reveal high levels of self-esteem, grandiosity, self-focus, and self-importance. They think they are more physically attractive and intelligent than just about everyone, and would rather be admired than liked. They are enraged when told they aren’t beautiful or brilliant but aren’t affected much if told they are jerks.
Odious as these qualities may be, we’ve all got a narcissistic streak within. Narcissism is a stable trait that varies in degree from person to person. Some aspects, including confidence and self-sufficiency, are healthy and adaptive. It is only at the extreme end of the spectrum that narcissism becomes a disorder, often because toxic levels of vanity, entitlement, and exploitativeness are on display. The idea that narcissism is a constellation of traits that exists on a continuum, rather than a single, dichotomous label (you are or are not narcissistic), is reflected in plans to jettison the diagnosis of narcissistic personality disorder in the forthcoming DSM-V, the diagnostic manual for clinicians.
Narcissists thrive in big, anonymous cities, entertainment-related fields, and leadership situations where they can dazzle and dominate others without having to cooperate or suffer the consequences of a bad reputation. Narcissism tends to peak in adolescence and decline with age. Men are more narcissistic than women across the lifespan. Male and female narcissists both share a marked need for attention, the propensity to manipulate, and a keen interest in charming the other sex. Narcissism may have evolved as a strategy to secure sexual partners in the short term. The ways in which narcissists of both genders pursue their quarry reinforce this possibility.
Women who score high on tests of narcissism consistently dress more provocatively than their more modest counterparts; male narcissists resort to displays of wit and braggadocio. In other words, both narcissistic men and women engage in time-tested sexual strategies. They also report more short-term hook-ups and a greater desire for this type of union. This relentless short-term focus is a key to both their dark charm and the predictable downward trajectory of their relationships.
Narcissists will be thrilled to hear that as a group they are rated as more attractive and likable than everyone else at first appearance. Narcissists have a distinct physical signature. They’re considered more stylishly clad, cheerful, and physically appealing at first sight than are those who score lower in narcissism. Narcissistic women are impeccably groomed, and narcissistic men are more chiseled than their non-preening peers. There is a robust link between narcissism and physical attractiveness, and narcissists’ tactics for standing out are well documented, often by themselves. While narcissists often love the sound of their own voice, they don’t always sound pretty to others. Narcissists engage in more disagreeable verbal behaviors, arguing and cursing more and using more sexual language than their more modest counterparts. Narcissists’ language and demeanor are often geared toward one objective: to maintain power in an interaction. The tactics in the narcissists’ toolbox include bragging, refocusing the topic of conversation, making exaggerated hand movements, talking loudly, and showing disinterest by "glazing over" when others speak. In the sexual realm, promiscuity is a key strategy that allows narcissists to maintain control; it is also a key behavioral ingredient because narcissists are always searching for a better deal. When narcissists think their partner is committed, they are even more willing to cheat, presumably because they feel they are more likely to get away with it. Narcissists get a rush out of convincing partners to do things or engage in sexual acts that they would normally eschew.
Control is very important to narcissists. They can abruptly lose their charm if destabilized or threatened. This two-faced behavior is often the first clue to their true character. They get angry when rejected, overreacting to small slights and punishing those who do not support their grandiose image of themselves. Narcissists get away with these unsavory antics because, at least initially, they are so charming. The charismatic air that many narcissists exude is a blend of attractiveness, competence, interpersonal warmth, and humor. Those reporting higher levels of entitlement tended to be the most popular students in the class. While students expected charming individuals to like others more, people with self-centered values actually dislike others more. Clearly, narcissists are easily misread. The picture is further complicated by the fact that both extraverts and narcissists have an interpersonal style that endears them to others. So to conclude that a person may be narcissistic based on energetic and self-assured body movements, friendly facial expressions, and original introductions would be to dismiss many non-narcissists.
Narcissists’ manipulative bent can be a lever for social influence as much as for exploitation. This is why narcissism and leadership often go hand in hand. The fun-loving narcissist may enjoy widespread networking and dominating a social group not because they want to exploit every person in their path, but simply because they desire the positive reinforcement of others. More intentionally exploitative behavior is considered Machiavellian and, at the extreme, psychopathic. Together with narcissism, Machiavellianism and psychopathy form a cluster of distinct but related traits known as the "Dark Triad." In this disagreeable constellation, narcissism is the gentlest star. Narcissism is linked much more tightly to extraversion than are the other two, suggesting that narcissism may be the most positive, social, and outgoing component of this triad. When narcissists do behave negatively and aggressively, they tend to do so in response to social exclusion. Machiavellian and psychopathic types are more hostile to physical provocation.
In 1984, psychologist Robert Emmons posed the original narcissistic paradox: He noted that narcissists simultaneously devalue others even as they need others’ admiration. It appears that narcissists seek out people who maintain their high positive self-image, at the same time intentionally avoiding and putting down people who may give them a harsh dose of realism. Seeking admiration is like a drug for narcissists. In the long run it becomes difficult because others won’t applaud them, so they always have to search for new acquaintances from whom they get the next fix. This could explain why narcissists so frequently change their social contexts and maintain only weak ties to others.
Another long-standing mystery concerns the developmental pathway to narcissism. Is narcissism the result of indiscriminate parental praise, or of coldness and rejection? Freud believed narcissism resulted from some combination of the two. The whiplash combination of parental coldness and excessive parental admiration is more strongly related to maladaptive narcissism than is either attitude alone. This combination of childhood experiences may help to explain the paradoxical combination of grandiosity and fragility that is so characteristic of adult narcissists. The narcissist who receives indiscriminate praise from his or her caregiver as well as signals of coldness and rejection may come to distrust the praise and exist in a perpetual state of insecurity. Peers also contribute to this dynamic. Narcissists are popular so they get positive feedback, but are then devalued in the long term when people learn their true colors.
Inconsistent feedback can breed a deep craving for admiration in a person with narcissistic tendencies; hence the quest for fleeting ego boosts. In the sexual realm, a narcissist may be satisfied just knowing a person finds him or her attractive.
Even the narcissist’s awareness that they are narcissistic is paradoxical. Narcissists rate themselves more intelligent, physically attractive, likable, and funny than others, as well as more power-oriented, impulsive, arrogant, and prone to exaggerate their abilities. In other words, they know exactly how others view them. Narcissists are even aware that their reputations worsen over time, and they just don’t care. How can narcissists maintain their inflated self-image even though they know how they are perceived by others? Such people might think arrogance is a positive trait, like extraversion. Narcissists may also have unique coping mechanisms that allow them to reframe negative reactions. They know that in certain situations, such as on first meeting, they are better than others, and they use this positive information to reinterpret other experiences. Narcissists may conclude that others are just haters, or just not smart enough to realize how awesome they really are.
The narcissistic blend of flash and callousness, light and dark coupled with a relentless focus on short-term objectives, ensures no shortage of sexual and romantic partners at the outset, many of whom will leave the relationship hurt and baffled. Once again, first impressions quickly go sour. People who date narcissists are highly satisfied for about four months, at which point they report a rapid decline in relations. Ironically, the four-month mark is when people start to reach peak satisfaction when dating non-narcissists. Yet the initial excitement and charm offered by the narcissist is hard to resist. "When I eat chocolate cake, 20 minutes later I’m under my desk wanting to die." "When I eat broccoli, in 20 minutes I feel good. But given the choice I always eat the cake."
In the long term, both men and women get frustrated with narcissistic partners, but since more men are interested in short-term flings, narcissistic women don’t tend to bother men as much as narcissistic men frustrate women. Narcissistic men tend to attract women who crave drama. Empathic women who are "caretakers" may also be drawn to narcissistic men, thinking erroneously that they will be able to alter negative traits. A woman’s attraction to narcissistic traits may also depend, in part, on where she is in her ovulatory cycle. On high-fertility days, women are much more attracted to displays of social presence like composure and eye contact, and to competitiveness in the form of derogation of competitors, both of which signal the confidence that is the narcissist’s hallmark.
Men with narcissistic tendencies place much more emphasis on physical appearance than on an empathic partner, and not merely for the arm-candy factor one might expect. Narcissists are interested in gorgeous women in part because they believe such women may be most susceptible to their manipulative tactics. The interest of a great-looking woman is piqued by playful yet ambiguous comments, because such a woman is so used to being approached through flattery and to being in control of an interaction. "Not so fast! It’s too early in the relationship for you to touch me like that," or "You have interesting eyes" are two such lines. An ambiguous comment is not an insult, just a judgment call on the narcissist’s part. The better-looking the girl, the more aggressive narcissistic men will be.
In the realm of friendship, narcissistic women seek out higher-status opposite-sex friends, whereas narcissistic men tend to have other male friends, sometimes called "wingmen," who also have a short-term mating strategy and can help each other exploit women. Women are looking to get something from the guys, and guys are looking for a teammate to take advantage of the world. The greatest paradox of all is that narcissism is neither absolutely good nor bad. Narcissism can be adaptive or maladaptive, appealing or appalling, depending on how charm and cunning are deployed. Anyone can mix and match narcissistic traits, including confidence, self-sufficiency, and assertiveness, with more communal traits such as cooperation and empathy, to be effective in any situation. Still, you may be wondering whether you are a full-fledged, card-carrying narcissist. You could always go online and take the Narcissistic Personality Inventory to find out if this is the case. But if you truly are a narcissist, you probably already know it and you don’t care.
Flashy clothing and sky-high confidence are the public face of narcissism. Here are a few additional cues to a stealth narcissist, some contradictory, in keeping with the narcissist’s paradoxical nature:
• Bragging about one’s perfect family (no one’s family is perfect).
• Hyper-generosity in public to demonstrate that one has power, but coldness once the camera is off.
• Hypersensitivity and insecurity, including imagining criticism where it doesn’t exist and getting depressed by perceived criticism. Vulnerable narcissists are self-centered and overly defensive.
• A vast array of negative emotions, including depression, anxiety, self-consciousness, and shame, owing to not being given their "due." Such feelings can be an indication of egocentricity and self-absorption.
• Repeatedly putting down other people, especially inferiors and strangers.
• Loving to talk about him or herself, and mentioning others mainly to name-drop.
If you find yourself repeatedly pursuing people who need to be the center of attention, consider how to de-narcissify your encounters:
• Slow down. Don’t put so much stock in your initial attraction. Be open-minded to non-flashy people.
• Observe a variety of settings. Extraverts can be very hard to distinguish from narcissists. Assess a person in multiple contexts before getting in too deep, and solicit honest input from friends.
• Consider the venue. If you frequent bars and clubs, you are more likely to encounter narcissists on the prowl.
• Examine why you may be attracted to narcissists. If you are searching for an ambitious person who is not "too nice," you are likely drawn to narcissists. What needs of yours do narcissists exploit?
• Get out as soon as you can. Don’t try to change him or her. Remember, this person enjoys being a narcissist. The more emotionally attached you get, the easier it will be for the narcissist to manipulate you.
• Take control of the situation. The situation you are in does not necessarily reflect your personality when you love a man who loves himself. Responsibility is the ability to respond.
The realm of sleep and dreams has long been associated with strangeness, omens, symbols, unconscious impulses and fears. But this sometimes disturbing world of inner turmoil, fears and desires is grounded in our day-to-day experience. The structure and content of thinking looks very much like the structure and content of dreaming. They may be the product of the same machine. Dreams allow the brain to work through its conscious experiences. During dreaming, the brain appears to apply the same neurological machinery used during the day to examine the past, the future and other aspects of a person’s inner world at night. Memory is the manifestation of this inner world.
What we remember is the result of dreams rather than the other way around. Vivid dreams often occur during REM sleep, named for the rapid eye movement associated with it; non-REM sleep also brings dreams, but they are more fragmentary. Dreams help people learn. In a study published in the journal Current Biology in April 2010, subjects who entered non-REM sleep and dreamed about a video game maze they had played hours earlier improved their performance dramatically more than those who slept but did not report any maze-related dreams. Meanwhile, thinking about the maze while awake did not improve the players’ performance.
Although this work focused on non-REM sleep, incorporation of learning happens in all stages of sleep. In deep sleep, the brain is trying to extract meaning from the experience earlier in the day. Individual neurons in humans’ hippocampus fire in response to spatial location. In the future, science may develop ways to control cognitive functions enhanced by sleep, using sleep and dreams as a tool the way we use learning and teaching while we are conscious.
No one can speak to the value of sleep more than someone deprived of it. Alan Berliner, a filmmaker who explored his own insomnia in his 2006 documentary "Wide Awake," offered this perspective to the discussion. "Every night when I put my head on the pillow, it’s like an adventure," Berliner says in a clip of the film played during the discussion. He described songs, particularly Leonard Cohen’s "In My Secret Life," looping in his head and his thoughts racing uncontrollably. "I started to think the expression human error means sleepiness," he said in the film.
Why do bad boys always get the girl? To put it another way, why do women find it so hard to resist ruthless, deceitful narcissists? Look no further than James Bond, whose character is composed of three distinctly nasty traits: the dark triad, as this particular psychosis is referred to in psychological literature. James Bond is ruthless, he’s fearless, he’s extremely focused, and he’s mentally tough. He’s, of course, absolutely without conscience and remorse. He’s also one of the biggest philanderers that’s ever worked for the British Secret Service.
While James Bond is a fictional character, he also makes for an exemplary psychological case study. The question psychologists ask in this case is what are the various personality traits and behaviors that enable those with the Bond psyche to enter into relationships with others and exploit them?
Men with a specific triumvirate of personality traits (the stratospheric self-esteem of narcissism; the fearlessness, ruthlessness, impulsivity, and thrill-seeking of psychopathy; and the deceitfulness and exploitativeness of Machiavellianism) can actually do pretty well for themselves out there in the echelons of society. High levels of openness, self-esteem and extraversion, combined with low levels of conscientiousness and anxiety, enable James Bond types to persist in the face of potential social rejection and retaliation. Bondian psychopaths are more likely to have a greater number of sexual partners and a stronger inclination toward casual, short-term relationships than men who are low on such traits. This turns out to be evolutionarily advantageous because it expedites a dual-process alpha-male mating strategy aimed at maximizing reproductive success: impregnate as many females as possible and hit the road before anyone calls you daddy.
James Bond craves novelty: a new Bond girl to seduce, a new villain to kill. The desire for novelty works both ways. This is exactly the kind of personality type that sets female pulses racing. If you’re looking for relationship advice here, it goes like this: date James Bond, marry Mr. Right. While James Bond may not be the man to settle down with, he has a lot to offer society. That is to say, if he exhibits non-psychotic levels of dark triad traits, a James Bond type can be a functioning psychopath.
We sleep soundly in our beds because rough men stand ready in the night to visit violence on those who would do us harm. It is not a coincidence that Churchill was fond of this saying. Great leaders have a lot in common with psychopaths, in that they are not afraid of making unpopular decisions. Many professions are also strongly associated with psychopathy. Surgeons, for instance, need to do the dirty work of cutting up bodies with calm, emotional detachment. Another example is the Special Forces. In Special Forces, you can’t afford to dwell on the fact that you’ve pulled the trigger and killed someone. If you do, then the next bullet could be going through your head. So you have to be very emotionally detached in professions like that.
Credits: Mat Honan (senior reporter for Gizmodo)
You have a secret that can ruin your life. It’s not a well-kept secret, either. It is just a simple string of characters, maybe six of them if you’re careless, 16 if you’re cautious, that can reveal everything about you: your email, your bank account, your address and credit card number, photos of your kids, or worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that was a fallacy, a fantasy, an outdated sales pitch, and anyone who still mouths it is a sucker or someone who takes you for one.
No matter how complex, no matter how unique, your passwords can no longer protect you. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.
Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, information that is easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you. First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. The password reset goes to your email, which I now control, and I log in to your bank account. Now I own your checking account as well as your email.
The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.
Passwords are as old as civilization, and for as long as they’ve existed, people have been breaking them. The first computers to use passwords were likely those in MIT’s Compatible Time-Sharing System, developed in 1961. To limit the time any one user could spend on the system, CTSS used a login to ration access. It only took until 1962 for a PhD student named Allan Scherr, wanting more than his four-hour allotment, to defeat the login with a simple hack: he located the file containing the passwords and printed out all of them. After that, he got as much time as he wanted. During the formative years of the web, as we all went online, passwords worked pretty well. This was due largely to how little data they actually needed to protect. Our passwords were limited to a handful of applications, like an ISP for email and maybe an ecommerce site or two. Almost no personal information was in the cloud (the cloud was barely a wisp at that point), and there was little payoff for breaking into an individual’s accounts; the serious hackers were still going after big corporate systems.
So we were lulled into complacency. Email addresses morphed into a sort of universal login, serving as our username just about everywhere. This practice persisted even as the number of accounts, and with it the number of failure points, grew exponentially. Web-based email was the gateway to a new slate of cloud apps. We began banking in the cloud, tracking our finances in the cloud, and doing our taxes in the cloud. We stashed our photos, our documents, and our data in the cloud. Eventually, as the number of epic hacks increased, we started to lean on a curious psychological crutch: the notion of the “strong” password. It’s the compromise that growing web companies came up with to keep people signing up and entrusting data to their sites. It’s the Band-Aid that’s now being washed away in a river of blood.
Every security framework needs to make two major trade-offs to function in the real world. The first is convenience: the most secure system isn’t any good if it’s a total pain to access. Requiring you to remember a 256-character hexadecimal password might keep your data safe, but you’re no more likely to get into your account than anyone else. Better security is easy if you’re willing to greatly inconvenience users, but that’s not a workable compromise.
The second trade-off is privacy. If the whole system is designed to keep data secret, users will hardly stand for a security regime that shreds their privacy in the process. Web companies have wanted the act of signing up and using their service to seem both totally private and perfectly simple—the very state of affairs that makes adequate security impossible. So they’ve settled on the strong password as the cure. Make it long enough, throw in some caps and numbers, tack on an exclamation point, and everything will be fine.
For years it hasn’t been fine. In the age of the algorithm, when our laptops pack more processing power than a high-end workstation did a decade ago, cracking a long password with brute force computation takes just a few million extra cycles. That’s not even counting the new hacking techniques that simply steal our passwords or bypass them entirely—techniques that no password length or complexity can ever prevent.
How do our online passwords fall?
In every imaginable way: They’re guessed, lifted from a password dump, cracked by brute force, stolen with a key-logger, or reset completely by conning a company’s customer support department.
Let’s start with the simplest hack: guessing. Carelessness, it turns out, is the biggest security risk of all. Despite years of being told not to, people still use lousy, predictable passwords. Our other common mistake is password reuse. Password reuse is what really kills you. There is a very efficient economy for exchanging that information. Hackers also get our passwords through trickery. The most well-known technique is phishing, which involves mimicking a familiar site and asking users to enter their login information. The hacker phishes his way in by sending an email that links to a bogus page, which asks for your password. You enter it. An even more sinister means of stealing passwords is to use malware (hidden programs that burrow into your computer and secretly send your data to other people). They are epidemic on Windows and, increasingly, Android. Malware works most commonly by installing a key-logger or some other form of spyware that watches what you type or see. Its targets are often large organizations, where the goal is not to steal one password or a thousand passwords but to access an entire system. Clicking a rogue link, usually from a phishing email, installs malware on your computer. Then, like a good human hacker, it sits and waits for you to log in to an online banking account somewhere. As soon as you do, it grabs your password and sends it back to a server accessible to the hacker.
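The defense against the phishing page described above is to look closely at the URL before typing a password, which is harder to do by eye than it sounds, because the part of a URL the browser actually connects to is not always the part that catches the eye. Here is an added example, not from the article, that does the check mechanically with Python’s standard URL parser against an allowlist of the hosts where you really type passwords. The hostnames (accounts.example-bank.com, mail.example-mail.net) and the sample URLs are constructed for illustration.

```python
"""Login-URL sanity check (added example, not from the article).

A URL is accepted only when its parsed hostname exactly matches a host on
an allowlist; otherwise the reason it fails is named. The allowlist and
the sample URLs are constructed; no real site's hostnames are implied.
"""
from urllib.parse import urlsplit

# Constructed allowlist: hosts where this user legitimately types a password.
KNOWN_LOGIN_HOSTS = frozenset({"accounts.example-bank.com", "mail.example-mail.net"})


def classify_login_url(url, known_hosts=KNOWN_LOGIN_HOSTS):
    """Return (verdict, reason); verdict is 'ok' or 'suspicious'."""
    parts = urlsplit(url)
    # .hostname is lower-cased and has any user:pass@ prefix and :port
    # removed, so it is the name the browser will actually connect to.
    host = parts.hostname or ""
    rest = (parts.path + "?" + parts.query).lower()

    if parts.scheme != "https":
        return "suspicious", f"not https (scheme is {parts.scheme!r})"
    if "@" in parts.netloc:
        # Everything before '@' is credentials, not the server.
        return "suspicious", f"userinfo in URL; the real host is {host!r}"
    if host in known_hosts:
        return "ok", host
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"internationalized (punycode) label in {host!r}"
    embedded = [k for k in known_hosts if k in host]
    if embedded:
        return "suspicious", f"{embedded[0]!r} embedded in unlisted host {host!r}"
    in_path = [k for k in known_hosts if k in rest]
    if in_path:
        return "suspicious", f"{in_path[0]!r} appears in the path, not the host"
    return "suspicious", f"unlisted host {host!r}"


def safe_to_enter_password(url, known_hosts=KNOWN_LOGIN_HOSTS):
    """Boolean convenience wrapper around classify_login_url."""
    return classify_login_url(url, known_hosts)[0] == "ok"


if __name__ == "__main__":
    # Constructed sample URLs, one per failure mode the checker names.
    for sample in [
        "https://accounts.example-bank.com/login",
        "https://accounts.example-bank.com@203.0.113.5/login",
        "https://accounts.example-bank.com.evil.test/login",
        "https://evil.test/accounts.example-bank.com/login",
        "http://accounts.example-bank.com/login",
    ]:
        print(sample, "->", classify_login_url(sample))
```

The strict exact-match rule is deliberate: a legitimate new subdomain of your bank will be reported as suspicious until you add it to the allowlist, which is the safer default for a page that asks for a password.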
Until we figure out a better system for protecting our stuff online, here are four mistakes you should never make and four moves that will make your accounts harder but not impossible to crack:
1. Don’t reuse passwords. If you do, a hacker who gets just one of your accounts will own them all.
2. Don’t use a dictionary word as your password. If you must, then string several together into a pass phrase.
3. Don’t use standard number substitutions. Cracking tools now have those built in.
4. Don’t use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.
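As an added example (not from the article), here is a small Python checker that enforces the four "don’ts" above: it compares a candidate against a list of previously used passwords, undoes the standard number substitutions before looking it up in a wordlist, and, for short passwords, estimates how long pure brute force would take. The wordlist, the 12-character minimum and the 1e10 guesses-per-second attacker are assumptions for illustration, not figures from the article.

```python
"""Password-policy checker for the four "don'ts" (added example, not from
the article). Assumptions not stated on the page: a toy wordlist standing
in for a real dictionary or breach corpus, a 12-character minimum, and an
offline attacker making 1e10 guesses per second.
"""
import hashlib
import math
import re

# Constructed toy wordlist; a real checker loads a full dictionary or
# breach corpus from disk.
COMMON_WORDS = {
    "password", "letmein", "welcome", "dragon", "monkey",
    "football", "qwerty", "iloveyou", "sunshine", "princess",
}

# The "standard number substitutions" cracking tools already try.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})

MIN_LENGTH = 12            # assumed policy threshold
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate


def password_hash(pw: str) -> str:
    """Hash used only to compare against previously used passwords."""
    return hashlib.sha256(pw.encode()).hexdigest()


def bare_word(pw: str) -> str:
    """Lower-case and drop the digits/symbols people tack on the end."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def charset_size(pw: str) -> int:
    """Alphabet a brute-force attacker must cover for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(pw: str) -> float:
    """Search-space size in bits for a pure brute-force attacker. This is an
    upper bound on the attacker's work: rule-based and dictionary attacks do
    far better against anything built from words."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def seconds_to_crack(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password after searching half the keyspace."""
    return 2 ** (brute_force_bits(pw) - 1) / rate


def check_password(pw: str, previously_used_hashes=frozenset(),
                   rate: float = GUESSES_PER_SECOND) -> list:
    """Return the rule violations; an empty list means the password passed."""
    problems = []
    if password_hash(pw) in previously_used_hashes:          # don't #1
        problems.append("reuse: this password has been used before")
    bare = bare_word(pw)
    if bare in COMMON_WORDS:                                  # don't #2
        problems.append("dictionary: a single word is guessed in seconds")
    elif bare.translate(LEET_MAP) in COMMON_WORDS:            # don't #3
        problems.append("substitution: number/symbol swaps are built into cracking tools")
    if len(pw) < MIN_LENGTH:                                  # don't #4
        problems.append(f"short: {len(pw)} chars, about "
                        f"{seconds_to_crack(pw, rate):.0f}s of brute force")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "h6!r$q", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Run against the article’s “h6!r$q” it reports a few seconds of brute force at the assumed rate. The brute-force figure is only an upper bound, which is why the word checks run first; a real checker would also score a passphrase per word against its wordlist size rather than treating it as random characters.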
1. Do enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
2. Do give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
3. Do scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
4. Do use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications and make sure to choose a username that isn’t tied to your name—like firstname.lastname@example.org—so it can’t be easily guessed.
If our problems with passwords ended there, we could probably save the system. We could ban dumb passwords and discourage reuse. We could train people to outsmart phishing attempts: just look closely at the URL of any site that asks for a password. We could use antivirus software to root out malware. But we’d be left with the weakest link of all: human memory. Passwords need to be hard in order not to be routinely cracked or guessed. So if your password is any good at all, there’s a very good chance you’ll forget it, especially if you follow the prevailing wisdom and don’t write it down. Because of that, every password-based system needs a mechanism to reset your account, and the inevitable trade-offs (security versus privacy versus convenience) mean that recovering a forgotten password can’t be too onerous. That’s precisely what opens your account to being easily overtaken via social engineering. Although social engineering was responsible for just 7 percent of the hacking cases that government agencies tracked last year, it raked in 37 percent of the total data stolen.
Have you thought about your LinkedIn account?
Have you thought about your Facebook page?
Have you thought about your kids’ pages or your friends’ or family’s?
If you have a serious web presence, your answers to the standard questions—still often the only options available—are trivial to root out. Your mother’s maiden name is on Ancestry.com, your high school mascot is on Classmates, your birthday is on Facebook, and so is your best friend’s name—even if it takes a few tries. The ultimate problem with the password is that it’s a single point of failure, open to many avenues of attack. We can’t possibly have a password-based security system that’s memorable enough to allow mobile logins, nimble enough to vary from site to site, convenient enough to be easily reset, and yet also secure against brute-force hacking. But today that’s exactly what we’re banking on—literally.
Who is doing this? Who wants to work that hard to destroy your life? The answer tends to break down into two groups, both of them equally scary: overseas syndicates and bored kids.
The syndicates are scary because they’re efficient and wildly prolific. Malware and virus-writing used to be something hobbyist hackers did for fun, as proofs of concept; not anymore. Sometime around the mid-2000s, organized crime took over. Today’s virus writer is more likely to be a member of the professional criminal class operating out of the former Soviet Union than some kid in a Boston dorm room. There’s a good reason for that: money.
Given the sums at stake—in 2011 Russian-speaking hackers alone took in roughly $4.5 billion from cybercrime—it’s no wonder that the practice has become organized, industrialized, and even violent. Moreover, they are targeting not just businesses and financial institutions but individuals too. Russian cybercriminals, who have ties to the traditional Russian mafia, took in tens of millions of dollars from individuals last year, largely by harvesting online banking passwords through phishing and malware schemes. In other words, when someone steals your Citibank password, there’s a good chance it’s the mob.
But teenagers are, if anything, scarier, because they’re so innovative. A 14-year-old kid who goes by the handle “Dictate” isn’t a hacker in the traditional sense. He’s just calling companies or chatting with them online and asking for password resets. But that does not make him any less effective. He and others like him start by looking for information about you that’s publicly available: your name, email, and home address, for example, which are easy to get from sites like Spokeo and WhitePages.com. Then they use that data to reset your password in places like Hulu and Netflix, where billing information, including the last four digits of your credit card number, is kept visibly on file. Once they have those four digits, they can get into your AOL, Microsoft, and other crucial sites. Soon, through patience and trial and error, they will have your email, your photos, your files.
Why do kids do it? Mostly just for fun: to fuck shit up and watch it burn. One favorite goal is merely to piss off people by posting racist or otherwise offensive messages on their personal accounts. The explanation they give is that racism “invokes a funnier reaction in people.” Apparently, sociopathy sells.
A lot of these kids came out of the Xbox hacking scene, where the networked competition of gamers encouraged kids to learn cheats to get what they wanted. In particular, they developed techniques to steal so-called OG (original gamer) tags from the people who’d claimed them first. It’s precisely because of the relentless dedication of kids that the password system cannot be salvaged. You can’t arrest them all, and even if you did, new ones would keep growing up. Think of the dilemma this way: Any password-reset system that will be acceptable to a 65-year-old user will fall in seconds to a 14-year-old hacker.
For the same reason, many of the silver bullets that people imagine will supplement and save passwords are vulnerable as well. For example, last spring hackers broke into RSA, the security company behind SecurID tokens, and stole data relating to those tokens, supposedly hack-proof devices that display a fresh one-time code to accompany a password. Each token computes its codes from a secret seed programmed into it at manufacture. The company never divulged just what was taken, but it’s widely believed that the hackers got enough seed data to duplicate the numbers the tokens generate. If they also learned which token serial numbers belonged to which customers, they’d be able to penetrate the most secure systems in corporate America.
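To make the SecurID lesson concrete, here is an added illustration, not code from the original article and not RSA’s proprietary SecurID algorithm: an HMAC-based one-time-password generator in the style of RFC 4226 (HOTP) and RFC 6238 (TOTP). The serial-to-seed table, the serial numbers and the “attacker” function are constructed for the example. The point it demonstrates holds for any such token: the code is a pure function of the seed and a counter or clock, so whoever holds the seed database and knows a victim’s token serial can compute valid codes without ever touching the physical token.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Added example, not RSA's algorithm: RFC 4226 / RFC 6238 style one-time codes.

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits)

# Constructed stand-in for a stolen token database: token serial -> seed.
# In a real deployment the seed never leaves the token; the server keeps a copy to verify codes.
STOLEN_TOKEN_DB = {
    "SN-000123": b"12345678901234567890",          # the RFC 6238 test secret, constructed mapping
    "SN-000456": b"example-seed-for-second-token",  # constructed
}

def server_verify(seed: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check of a submitted code, tolerating +/- one 30-second step of clock drift."""
    base = unix_time // 30
    return any(
        hmac.compare_digest(hotp(seed, base + d), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )

def attacker_code(serial: str, unix_time: int) -> str:
    """What an attacker holding the seed database and the victim's serial can compute."""
    return totp(STOLEN_TOKEN_DB[serial], unix_time)

def clone_passes(serial: str = "SN-000123", unix_time: Optional[int] = None) -> bool:
    """True when the attacker's cloned code is accepted by the server's own check."""
    t = int(time.time()) if unix_time is None else unix_time
    return server_verify(STOLEN_TOKEN_DB[serial], attacker_code(serial, t), t)

if __name__ == "__main__":
    # Fixed clock so the run is reproducible: t=59 -> counter 1 -> code 287082 (RFC test vector)
    print("Cloned code:", attacker_code("SN-000123", 59))
    print("Server accepts the clone:", clone_passes("SN-000123", 59))
```

The lesson for a defender is that a hardware token is only as secret as the seed file behind it; once that file leaks, the only remedy is re-seeding or replacing every affected token, which is what made the RSA breach so costly.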
On the consumer side, we hear a lot about the magic of Google’s two-factor authentication for Gmail. It works like this: First you confirm a mobile phone number with Google. After that, whenever you try to log in from an unfamiliar IP address, the company sends an additional code to your phone: the second factor. Does this keep your account safer? Absolutely, and if you’re a Gmail user, you should enable it this very minute. Will a two-factor system like Gmail’s save passwords from obsolescence?
This past summer hackers decided to go after Matthew Prince, CEO of a web performance and security company called CloudFlare. They wanted to get into his Google Apps account, but it was protected by two-factor. What to do? The hackers hit his AT&T cell phone account. As it turns out, AT&T uses Social Security numbers essentially as an over-the-phone password. Give the carrier those nine digits, or even just the last four, along with the name, phone number, and billing address on an account, and it lets anyone add a forwarding number to any account in its system. Getting a Social Security number these days is simple: They’re sold openly online, in shockingly complete databases.
Prince’s attackers used the SSN to add a forwarding number to his AT&T service and then made a password-reset request with Google. So when the automated call came in, it was forwarded to them. Voilà—the account was theirs. The second factor was only as strong as the phone network that delivered it, and the phone network could be talked into rerouting it; two-factor just added a second step and a little expense. The longer we stay on this outdated system—the more Social Security numbers that get passed around in databases, the more login combinations that get dumped, the more we put our entire lives online for all to see—the faster these hacks will get.
The age of the password has come to an end; we just haven’t realized it yet. No one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.
Instead, our new system will need to hinge on who we are and what we do, where we go and when, what we have with us, and how we act when we’re there. And each vital account will need to cue off many such pieces of information, not just two, and definitely not just one.
This last point is crucial. It’s what’s so brilliant about Google’s two-factor authentication, but the company simply hasn’t pushed the insight far enough. Two factors should be a bare minimum. Think about it: When you see a man on the street and think it might be your friend, you don’t ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does that look like his jacket? Does his voice sound the same? Is he in a place he’s likely to be? If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked.
This should be the future of online identity verification. It may very well include passwords, much like the IDs in our example. But it will no longer be a password-based system, any more than our system of personal identification is based on photo IDs. The password will be just one token in a multifaceted process. Jeremy Grant of the Department of Commerce calls this an identity ecosystem.
What about biometrics? After watching lots of movies, many of us would like to think that a fingerprint reader or iris scanner could be what passwords used to be: a single-factor solution, an instant verification. But they both have two inherent problems. First, the infrastructure to support them doesn’t exist, a chicken-or-egg issue that almost always spells death for a new technology: because fingerprint readers and iris scanners are expensive and buggy, no one uses them, and because no one uses them, they never become cheaper or better.
The second, bigger problem is also the Achilles’ heel of any one-factor system: A fingerprint or iris scan is a single piece of data, and single pieces of data will be stolen. A software engineer on Google’s security team points out that pass codes and keys can be replaced, but biometrics is forever. While iris scans look groovy in the movies, in the age of high-definition photography, using your face or your eye or even your fingerprint as one-stop verification just means that anyone who can copy it can also get in.
Does that sound far-fetched? It’s not. Kevin Mitnick, the fabled social engineer who spent five years in prison for his hacking exploits, now runs his own security company, which gets paid to break into systems and then tell the owners how it was done. In one recent engagement, the client was using voice authentication. To get in, you had to recite a series of randomly generated numbers, and both the sequence and the speaker’s voice had to match. Mitnick called his client and recorded their conversation, tricking him into using the numbers zero through nine in conversation. He then split up the audio, played the numbers back in the right sequence, and—presto. The random challenge didn’t help: the vocabulary was only ten digits, so ten recorded samples were enough to answer any sequence the system could ask for.
None of this is to say that biometrics won’t play a crucial role in future security systems. Devices might require a biometric confirmation just to use them. Android phones can already pull this off, and given Apple’s recent purchase of mobile-biometrics firm AuthenTec, it seems a safe bet that this is coming to iOS as well. Those devices will then help to identify you: Your computer or a remote website you’re trying to access will confirm a particular device. Already, then, you’ve verified something you are and something you have. But if you’re logging in to your bank account from an entirely unlikely place—say, Lagos, Nigeria—then you may have to go through a few more steps. Maybe you’ll have to speak a phrase into the microphone and match your voiceprint. Maybe your phone’s camera snaps a picture of your face and sends it to three friends, one of whom has to confirm your identity before you can proceed.
In many ways, our data providers will learn to think somewhat like credit card companies do today: monitoring patterns to flag anomalies, and then shutting down activity if it seems like fraud. A lot of what you’ll see is that sort of risk analytics. Providers will be able to see where you’re logging in from, what kind of operating system you’re using.
Google is already pushing in this direction, going beyond two-factor to examine each login and see how it relates to the previous one in terms of location, device, and other signals the company won’t disclose. If it sees something aberrant, it will force a user to answer questions about the account. If you can’t pass those questions, it sends you a notification and tells you to change your password, because you’ve been owned.
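The risk analytics described in the last two paragraphs, and the “many signals, not just two” argument made earlier, can be sketched in code. The following is an added example, not Google’s undisclosed logic and not code from the original article: each login attempt is scored against the account’s history on several independent signals (new device, new operating system, a location far from any previous one, and travel that would have required an implausible speed since the last login), and the score picks one of three outcomes. The weights, the thresholds, the 900 km/h speed limit and the sample logins are all constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

# Added example of risk-based login evaluation. All weights, thresholds and
# sample data below are constructed for illustration.

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner speed
NEW_PLACE_RADIUS_KM = 500.0       # assumption: "somewhere new" means >500 km from every prior login

@dataclass(frozen=True)
class Login:
    ts: int          # unix seconds
    lat: float
    lon: float
    device_id: str   # e.g. a device cookie or client certificate identifier
    os: str

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def risk_signals(history: List[Login], attempt: Login) -> List[Tuple[str, int]]:
    """Return the (signal name, weight) pairs that fire for this attempt."""
    signals: List[Tuple[str, int]] = []
    if attempt.device_id not in {h.device_id for h in history}:
        signals.append(("new_device", 2))
    if attempt.os not in {h.os for h in history}:
        signals.append(("new_os", 1))
    nearest_km = min(haversine_km(h.lat, h.lon, attempt.lat, attempt.lon) for h in history)
    if nearest_km > NEW_PLACE_RADIUS_KM:
        signals.append(("new_location", 2))
    last = max(history, key=lambda h: h.ts)
    hours = max((attempt.ts - last.ts) / 3600.0, 1 / 60)   # floor at one minute; avoids divide-by-zero
    speed_kmh = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon) / hours
    if speed_kmh > MAX_PLAUSIBLE_SPEED_KMH:
        signals.append(("impossible_travel", 4))
    return signals

def decide(history: List[Login], attempt: Login) -> str:
    """allow: nothing unusual; step_up: demand another factor; deny_notify: refuse and warn the owner."""
    score = sum(weight for _, weight in risk_signals(history, attempt))
    if score >= 6:
        return "deny_notify"
    if score >= 2:
        return "step_up"
    return "allow"

# Constructed history: one user, a laptop and a phone, all from San Francisco.
SF = (37.7749, -122.4194)
HISTORY = [
    Login(1_700_000_000, *SF, "laptop-1", "macOS"),
    Login(1_700_003_600, *SF, "phone-1", "Android"),
    Login(1_700_007_200, *SF, "laptop-1", "macOS"),
]
LAST_TS = HISTORY[-1].ts

# Constructed attempts to evaluate against that history.
SAME_LAPTOP_SF = Login(LAST_TS + 3600, *SF, "laptop-1", "macOS")
KNOWN_PHONE_NYC = Login(LAST_TS + 8 * 3600, 40.7128, -74.0060, "phone-1", "Android")
UNKNOWN_DEVICE_LAGOS = Login(LAST_TS + 2 * 3600, 6.5244, 3.3792, "unknown-7", "Linux")

if __name__ == "__main__":
    for label, attempt in [("same laptop, San Francisco", SAME_LAPTOP_SF),
                           ("known phone, New York 8h later", KNOWN_PHONE_NYC),
                           ("unknown device, Lagos 2h later", UNKNOWN_DEVICE_LAGOS)]:
        print(f"{label}: {risk_signals(HISTORY, attempt)} -> {decide(HISTORY, attempt)}")
```

The design choice worth noting is that no single signal decides anything. A known phone turning up in New York is merely a reason to ask for one more factor, while an unknown device in Lagos two hours after a San Francisco login trips several signals at once and is refused outright, with the owner told. That is the credit-card-company posture the text describes, applied to logins.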
The other thing that’s clear about our future password system is which trade-off—convenience or privacy—we’ll need to make. It’s true that a multifactor system will involve some minor sacrifices in convenience as we jump through various hoops to access our accounts. But it will involve far more significant sacrifices in privacy. The security system will need to draw upon your location and habits, perhaps even your patterns of speech or your very DNA.
We need to make that trade-off, and eventually we will. The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity. We are not going to retreat from the cloud—to bring our photos and email back onto our hard drives. We live there now. So we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think.
That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. It sounds creepy. But the alternative is chaos and theft and yet more pleas from “friends” in London who have just been mugged. Times have changed. We’ve entrusted everything we have to a fundamentally broken system. The first step is to acknowledge that fact. The second is to fix it.
Credits: Mat Honan (senior reporter for Gizmodo)