As I was looking into some IP evolutions, and considering a few alternative new plans for hardware, The Wall Street Journal (about an hour ago) gave me ‘Alibaba Falls Victim to Chinese Web Crawler in Large Data Leak’. Some will go ‘so what?’, and it gave me ideas for new apps, some of which might already exist, but that was not the point. It was “Software developer scrapes 1.1 billion pieces of user data, including IDs and phone numbers, over eight months”, as well as “The software developer began using web-crawling software he designed on Taobao’s site starting in November 2019, gathering information including user IDs, mobile-phone numbers and customer comments, according to a verdict released this month by a district court in China’s central Henan province”, that got my mind thinking. What if it was not about the data available now? What if that software designer had designed a predictive algorithm that could see and anticipate passwords? We have seen well over a dozen breaches over the last few months, from healthcare to restaurants. Security magazine gives us “For example, cybercriminals could send phishing emails to individuals whose contact details were breached, asking them to click a link to update their username and password in the wake of the incident, in order to harvest credentials and gain access to data and systems. In a more advanced attack, the cybercriminal could use the knowledge that the contact has a business email relationship with McDonald’s and impersonate the brand to create further legitimacy to the attack. With people’s phone numbers being exposed too, cybercriminals could make their social engineering campaigns even more convincing by following up their email with a voice phishing — vishing — call”, but what if that is not the end goal? What if the people on half a dozen retail and health care sites are shown to have similar or identical passwords? The predictive analytics might allow for a lot more.
The article (at https://www.securitymagazine.com/articles/95404-mcdonalds-corp-suffers-data-breach) gives us more. I am not saying that Richard Blech is wrong, I agree with him, especially with “This is where large enterprises and government entities are significantly lacking in their efforts to ensure that they have, across the board, trained all staff and employees of, what should be a required job function, of the best practices and rules of conduct when operating within the network or infrastructure”, yet he was not looking towards ‘the Chinese software developer’. More importantly, if the Chinese developer was doing that, you can be certain that there are American, Russian and Indian developers doing EXACTLY the same thing, and now we have a problem: now we have the setting for a predictive password algorithm, one that predicts the passwords of users. We are ALL a little lazy when it comes to passwords. The group of people relying on ‘qwerty’ and ‘abc123’ is shrinking, but it still exists to some degree, and some use the same password on EVERY account, which is really not a good idea. So when these data breaches show identical passwords for the same email address, the panic button is really flashing and the problems are merely beginning. Yes, we can all see that the quality of passwords is increasing, and nearly all of you have seen the message “Please use upper and lower case characters, use at least one numeric and one special character to create your password”, with some sources claiming “It would take a computer about 3 thousand YEARS to crack your password”. Yes, that might be true, but if your password is “1Wishtofcuk#U69” on all the retail sites you frequent, the predictive password model will find you a lot sooner than you think it will, and the setting changes from your account being your vested connection to it being the tool of organised crime. And as I see it there is not much happening on that investigation.
That is not a fault of the media, they react to what is, not what might be (glossy magazines do, but usually it is about predictive shagging information from unnamed sources regarding celebrities or famous married people).
So whilst we get back to the Wall Street Journal giving us “Chinese legal experts say a data leak involving mobile-phone numbers would have more far-reaching consequences in China than in other parts of the world. In China, where people are required to register with real name identification before obtaining a mobile phone number, such numbers are considered by law to be personal information, said Annie Xue, a Beijing-based lawyer at GEN law firm”, we tend to forget that plenty of nations have a few places where they rely on licence numbers, date of birth and tax number, and there are all kinds of long-term damage you face there, and that is merely the beginning. So when that predictive password algorithm is out there, your goose (or Peking duck) will be cooked, and it will be well done.
I did come up with an optional solution, one that is managed by YOU (I am too lazy and not a programmer), where the user can store and export passwords on their mobile, but it depends on two passwords that are part of the encryption and are not saved anywhere. If you forget those words, the passwords are gone. This is a setup using the Two-square cipher, also called double Playfair, and it can be easily made. There was always one drawback, ‘the two-square cipher can be easily cracked if there is enough text’, and we accept that, but passwords are not text, they are one word and not always clear ones, so decrypting is a lot harder, especially if the developer does not build in some backdoor. You can export the encryption to an email (to yourself) or perhaps a file on a laptop or in the cloud. The two words (for example ‘MaryPoppins’ and ‘SandraDee’) are words you must remember or write down somewhere SAFE and not linked to the exported list; they should not relate to you or your person in any way and should never be reused anywhere. At that point the hackers are back to 3,000 years per website account, and with any luck the predictive password algorithm will soon be a nightmare of the past.
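To make the proposal concrete, here is an added example (my code, not the author's app) of the two-square cipher keyed with the post's two words. It goes beyond the classical 5x5 letter squares: I assume an 8x8 square over 64 symbols (both cases, digits, '#' and '_') so a mixed-case password like the post's example survives the round trip, and a pad symbol plus the stored length handle odd-length passwords.

```python
import string

# Added example, not code from the original post. The classical two-square
# cipher uses two keyed 5x5 letter squares; this generalises it to 8x8 squares
# over an assumed 64-symbol alphabet so passwords keep case and digits.
ALPHABET = string.ascii_letters + string.digits + "#_"
SIZE = 8          # 8 * 8 == len(ALPHABET)
PAD = "_"         # appended when the password has odd length


def build_square(key: str) -> list[str]:
    """Keyed square as a flat list: the key's distinct symbols first, then the rest."""
    order = []
    for ch in key + ALPHABET:
        if ch not in ALPHABET:
            raise ValueError(f"unsupported symbol in key: {ch!r}")
        if ch not in order:
            order.append(ch)
    return order  # index = row * SIZE + col


def _two_square(text: str, top: list[str], bottom: list[str]) -> str:
    """Vertical two-square on an even-length text; the mapping is its own inverse."""
    out = []
    for a, b in zip(text[::2], text[1::2]):
        ra, ca = divmod(top.index(a), SIZE)      # first symbol looked up in the top square
        rb, cb = divmod(bottom.index(b), SIZE)   # second symbol in the bottom square
        # Take the other two corners of the rectangle. If both symbols share a
        # column the digraph is emitted unchanged ("transparent"), which is one
        # reason the post's caveat about cracking with enough text holds.
        out.append(top[ra * SIZE + cb])
        out.append(bottom[rb * SIZE + ca])
    return "".join(out)


def encrypt(password: str, key_top: str, key_bottom: str) -> str:
    if any(ch not in ALPHABET for ch in password):
        raise ValueError("password contains a symbol outside the 64-symbol alphabet")
    if len(password) % 2:
        password += PAD
    return _two_square(password, build_square(key_top), build_square(key_bottom))


def decrypt(ciphertext: str, key_top: str, key_bottom: str, length: int) -> str:
    """Same transform as encrypt; `length` drops the pad symbol of odd-length passwords."""
    plain = _two_square(ciphertext, build_square(key_top), build_square(key_bottom))
    return plain[:length]


if __name__ == "__main__":
    pw = "1Wishtofcuk#U69"                        # the post's example password
    ct = encrypt(pw, "MaryPoppins", "SandraDee")  # the post's two key words
    print(ct, decrypt(ct, "MaryPoppins", "SandraDee", len(pw)))
```

Note that `encrypt("Pa55", ...)` leaves the `55` digraph untouched, which shows in a small way why the post accepts that the cipher leaks with enough material.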