Passwords have, for the longest time, been the first line of defence for an account on the internet. But with so many web services in use, it’s simply not possible to keep a separate password for each account, and users tend to reuse passwords. This poses security issues.
"Remote hackers can use many permutations and combinations and guess your password. They can use brute force and break into your account. But with people reusing passwords, even their other services can be compromised," says Mark Risher, CEO of Impermium.
Impermium is an internet security company, with offices in Bangalore and California, that is trying to move beyond passwords. The company was founded by veterans from Yahoo Mail, where they dealt with problems of spam, web security and fraudulent account creation. They realized that it wasn’t an issue with just Yahoo’s services but rather a problem with every website on the internet, and founded Impermium in 2010.
The company has built a number of services that work as a risk-determination system, which can help identify when an account has been compromised. The system calculates the risk from parameters like where you accessed the account, the device software and the historical usage pattern of the links you’re posting.
For example, if you are accessing your Tumblr account from your workplace using your office-issued computer, that’s considered pretty low-risk. But a cyber cafe around the corner would be regarded as more risky.
It also evaluates the risk based on user actions. For example, when you post a link to a phishing website, the chances of your next post also being a link to a phishing website are higher than average. It also evaluates whether your operating system is outdated, leaving more room for vulnerability. Depending on the risk assessment, Impermium’s clients can require different security authentication, quarantine the account or even block access to the account.
Impermium has signed on about half a million websites for its service. Some of its clients include Tumblr, Pinterest, CNN, Typepad and Washington Post. The system registers about 6 billion events, including logins, posts, comments, links etc., from all its clients.
Though many security experts believe that the password system should be completely overhauled, Risher believes that this isn’t practical. "Security is always a balance between convenience and safety. And a complete overhaul becomes difficult. Google talked about an RFID ring that you would wear and which would transfer a secure certificate. Yes, it would work, but it would be a hassle and everybody would have to buy a reader. It’s not going to happen overnight."
Manish Patel, partner at Highland Capital, one of the several VC firms that have funded Impermium, said, "Mark, Vish (Vish Ramarao, co-founder), and Naveen (Naveen Jamal, co-founder) led the fight at Yahoo! to protect users from email spam. This wasn’t just annoyance but a critical security issue for Yahoo!. They are using their technical and product expertise to attack one of the most important security issues on the Internet today from a completely fresh perspective."