Discussion in 'Security' started by Chiefcrowe, Nov 26, 2012.
I would love to live in a world where we don't have to worry about passwords.
I can't say I agree with his conclusion at all.
He isn't wrong about many of the problems with passwords (and more importantly password reset mechanisms), nor is he wrong about the extreme privacy that must be forfeited to move beyond it. I'm not willing to give up that privacy.
He lays out a lot of the solutions to common issues with passwords in that article. Don't reuse passwords, keep multiple email accounts for particular purposes, and don't enter actual information into security questions. A lot of the issues with the above can be solved using a proper password manager.
The bigger issues he brings up, I think, relate to over-the-phone verification using credit card or social security numbers. It is pretty clear those mechanisms are nowhere near as secure as they should be, especially considering these are often used for utilities, banking, etc. Not only are these accounts that hold a lot of important information about you (or your actual money), they are accounts you can't just abandon and remake. You need to be able to maintain access to these accounts regardless, yet they are also the most critical ones to maintain sole control over. I'm still not a fan of giving up additional privacy for these accounts - perhaps some sort of in-person verification could be set up for such instances.
I agree with you about the password manager and the insecurity of phone verification.
I think the banking/CC systems need a complete redesign but they don't want to do that because it would cost too much.
Multiple email accounts could be handy though for those who don't want to or can't use a PW manager.
At the end of the day you always need something to prove who you are. The only something that can't be stolen or easily faked is biometric data and that's a long way away for a complete roll out to everyday consumers.
A username and a password as a combination is a good thing, but it's being weakened now due to everywhere using your email address as your username. The weakest link will always be the human; I can't foresee any major change in the security paradigm in the next 20 years that will solve that problem.
It's worthwhile noting that it's usually a failing of the system (i.e. unencrypted password database leaked, social engineering, virus sown into a PDF, etc.) rather than the user's password which lets an uninvited guest into an account or system. So I'd say passwords still serve their purpose quite well as long as they are implemented correctly and not reused everywhere on the net.
I don't know about the article. He says that he can get into my E-mail by my name, well I don't use my real name. He says you can get into a web site by checking forgot password, well the security question I always use is not a simple answer it's more like a sentence. I use a great add-on for Firefox called PWDhash. Check it out. It was developed by a guy at Stanford.
There is already an available technology in RSA token authentication that solves all password problems. When you login you provide your generic password plus a random set of digits. Blizzard and Bank of America have already had this implemented for years. We need more companies to adopt this to enhance password security.
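To make the "password plus a set of digits" scheme from this post concrete, here is an added example (not the poster's code, and not how any vendor's token actually works internally) of a server-side HOTP verifier per RFC 4226, with a look-ahead window so a token pressed without logging in still resyncs, and a reissue step for the compromise case. The names TokenRecord and login are hypothetical; the seed is the RFC 4226 test secret.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Per-user token state the server keeps: shared seed plus the next expected counter."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5):
        self.secret = secret
        self.counter = counter   # next counter value the server expects
        self.window = window     # how far ahead to search (token pressed but code never submitted)

    def verify(self, submitted: str) -> bool:
        # Accept a code anywhere in the look-ahead window, then move the counter past it,
        # so the same code (and any skipped earlier codes) can never be replayed.
        for step in range(self.window):
            candidate = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(candidate, submitted):
                self.counter += step + 1
                return True
        return False

    def reissue(self, new_secret: bytes) -> None:
        # Replace the seed after a compromise; every code from the old seed stops working.
        self.secret = new_secret
        self.counter = 0


def login(record: TokenRecord, password_ok: bool, code: str) -> bool:
    # Two-factor check: the password verdict comes from the caller's normal password store,
    # and both factors must pass. Evaluate the token even on a bad password so timing is uniform.
    token_ok = record.verify(code)
    return password_ok and token_ok
```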
This works great as long as the keys to that algorithm stay secure, as witnessed in the RSA hack. Nothing is 100%; humans are the weakest link. We can use MFA to strengthen the process but it's not absolute.
User education, MFA, and password generating tools to ensure complex, unique passwords that are periodically changed are strong controls.
The problem I find with biometric data is that once compromised, the person compromised can't ever use that biometric data again. It's not like you can go get a new iris or fingerprints.
I find the one-time passwords via token devices, as mentioned, offered by Blizzard etc. to be far superior. If the system is compromised you can reissue the authenticators and move on.
The biggest issue with passwords is reuse, as mentioned in the article, and simplicity; this however is a byproduct of too many sites each having their own login requirements and each site using your email address as your username.
Once one of these sites fails to secure their passwords via encryption or properly salting their hashes all your sites are compromised. Anyways, I figure we all know the problems with all this and I think some of the stories of Google looking to push a token like login system is nice. I have my issues with Google though and don't have the greatest trust in them doing this. I'm not sure who else would do this but really wish a larger consortium of companies would get together and come to an agreement on a standard for widespread use and deployment of a one time password token system that all sites would use.