NYT Password Security Discussion Overlooks Universal Logins
A recent NYT piece explores the never-ending quest for password-based security, to which reader climenole responds with a snippet from ReadWriteWeb that argues it's time to think more seriously about life beyond passwords, at least beyond keeping a long list of individual login/password pairs:
"These protective measures don't go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites."
How does centralized login solve keylogging? (Score:3, Interesting)
So they just need one password to access all your profiles?
Unless it was not actually your password for all those sites, but the password to a database (only available locally) that contained the password to those sites, I don't see how that's a solution. Actually, I thought the main problem with passwords was that people already used the same password for all their sites.
Re:Single point of failure (Score:1, Interesting)
Speaking of Microsoft,
Link from TFA regarding password strength [microsoft.com]. It's where they got that table in the article. At the Microsoft site, they have a link...
They have a Password Checker [microsoft.com]: an "is your password strong?" test.
That's just a mock phishing example waiting to happen.
Re:In matters of security (Score:3, Interesting)
I live in France, and when you're late with your electric bill they have a robot call you that proposes that you enter your credit card information to pay your bill "on the phone".
Again, I am pretty sure it's them calling, and I am pretty sure also that this is something new as I never got it before. But this is scary. And I can't help but be scared at how many people will provide their credit card information on such an incoming call...
Re:The password metaphor (Score:3, Interesting)
Keyfobs make malware work much harder. You don't insert them--you press the button and a number pops up. Enter that number and your password into the website, and you're in. The number changes in X seconds (where X is usually 60 or less.)
It makes it hard for malware to do its job. Now the malware must do its work right then, while you're in your authenticated session. It has to work automatically to e.g. perform a balance transfer. Other mitigations such as CAPTCHAs make it even harder for the malware to use the authenticated session, unless there's a human somewhere using your session. Once you require that a person be involved in the malware transaction, your safety improves significantly.
I think the ideal solution would include the following:
Keyfob plus certificate on USB stick.
Randomly generated form elements.
Honeypot form elements.
Captchas on all pages authorizing movement of money.
5 minute session timeouts.
Tie session to IP address (ideal) or to geolocation data (since NAT, AOL, etc. may show you as coming from several addresses.)
Remote logout.
SMS/email notification of logins.
Re:Single point of failure (Score:3, Interesting)
While it might reduce by a marginal amount the likelihood of the account being compromised, the potential consequences would be profoundly greater. That's a poor trade-off.
Several years ago, the pretty-damn-good and carefully-guarded common password that I used for buying things from sites such as Amazon, eBay, iTunes, etc. - reasonably well-run, reputable companies - was compromised somehow. (I have other different passwords that I use for message boards, others for banking, others for work-related accounts, etc.) Just dealing with that small breach was a serious hassle; if my financial institutions, e-mail, or privileged accounts had been involved, it could've been disastrous. Thank-you, but Do Not Want.