Mitigating Password Re-Use From the Other End
An anonymous reader writes "Jen Andre, software engineer and co-founder of Threat Stack, writes about the problem of password breaches in the wake of the LivingSocial hack. She notes that the problem here is longstanding — it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit. We've tried education, and it's failed. Andre suggests a different approach: building out better auditing infrastructure. 'We, as an industry, need a standard for auditing that allows us to reliably track and record authentication events. Since authentication events are relatively similar across any application, I think this could be accomplished easily with a simple JSON-based common protocol and webhooks. ... [It] could even be a hosted service that learns based on my login behaviors and only alerts me when it thinks a login entry is suspicious — kind of how Gmail will alert if I am logging in from a strange location. Because these audit entries are stored on a third-party box, if a certain web application is compromised, it won't have access to alter its audit log history since it lives somewhere else.'"
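To make the proposal concrete, here is an added sketch (not Threat Stack's code or anything Andre published) of the two halves she describes: an application that posts each authentication event as a signed JSON webhook, and an off-box audit service that appends the event to its own log and baselines each user's normal (geo, user-agent) pairs before alerting on anything new. The field names, the `X-Audit-Signature` header, the shared secret and the sample logins are all assumptions made up for the example.

```python
"""JSON auth-event webhook plus an off-box receiver that baselines per-user
login behaviour.  Added example, not Threat Stack's code; the event schema,
header name and secret are assumptions."""
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Shared secret between the web application and the audit service (constructed).
WEBHOOK_SECRET = b"example-shared-secret-rotate-me"

# --- application side -------------------------------------------------------

def make_auth_event(app, user, outcome, src_ip, geo, user_agent, ts=None):
    """Build one authentication event in a hypothetical common JSON shape.
    The password itself never goes into the event, only the outcome."""
    return {
        "version": 1,
        "app": app,
        "user": user,            # an opaque user handle is fine here
        "event": "login",
        "outcome": outcome,      # "success" or "failure"
        "src_ip": src_ip,
        "geo": geo,              # e.g. a country code the app already resolved
        "user_agent": user_agent,
        "ts": ts if ts is not None else int(time.time()),
    }

def sign_webhook(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw body, carried in a header so the receiver can
    reject events that did not come from the registered application."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def emit(event, secret=WEBHOOK_SECRET):
    """Serialise deterministically; return (body, headers) as an HTTP client would send them."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return body, {"X-Audit-Signature": sign_webhook(body, secret)}

# --- audit-service side -----------------------------------------------------

class AuditService:
    """Append-only store living on a box the application cannot write to
    directly.  Trivial baseline: the first `learn_after` successful logins
    teach it which (geo, user_agent) pairs are normal for a user; a later
    success from an unseen pair raises an alert."""

    def __init__(self, secret=WEBHOOK_SECRET, learn_after=3):
        self.secret = secret
        self.learn_after = learn_after
        self.log = []                                       # every accepted event, in arrival order
        self.seen = defaultdict(lambda: defaultdict(int))   # user -> (geo, ua) -> count
        self.alerts = []

    def receive(self, body: bytes, headers: dict):
        """Verify the signature, append the event, and return an alert dict or None."""
        expected = sign_webhook(body, self.secret)
        if not hmac.compare_digest(expected, headers.get("X-Audit-Signature", "")):
            raise ValueError("bad webhook signature")
        ev = json.loads(body)
        self.log.append(ev)                # never modified afterwards; history stays here
        if ev["outcome"] != "success":
            return None                    # failures are recorded but do not train the baseline
        key = (ev["geo"], ev["user_agent"])
        profile = self.seen[ev["user"]]
        total = sum(profile.values())
        alert = None
        if total >= self.learn_after and profile[key] == 0:
            alert = {"user": ev["user"], "app": ev["app"],
                     "reason": "new geo/user-agent", "event": ev}
            self.alerts.append(alert)
        profile[key] += 1
        return alert

def demo():
    """Constructed scenario: three normal logins, then one from a new country
    and client.  Returns the list of alerts the service raised."""
    svc = AuditService()
    for i in range(3):
        body, hdr = emit(make_auth_event("shop", "alice", "success",
                                         "203.0.113.5", "US", "Firefox/20", ts=1000 + i))
        svc.receive(body, hdr)
    body, hdr = emit(make_auth_event("shop", "alice", "success",
                                     "198.51.100.9", "RU", "curl/7.29", ts=2000))
    svc.receive(body, hdr)
    return svc.alerts

if __name__ == "__main__":
    for a in demo():
        print(json.dumps(a, indent=2))
```

The HMAC is what makes the third-party log trustworthy as evidence: an attacker who has taken over the application can stop sending events, but cannot forge or rewrite what the audit service already holds without the shared secret and access to the audit box. A real deployment would also want a per-event sequence number so gaps (events suppressed by a compromised app) are visible.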
Re:Forcing strong passwords in the first place. (Score:5, Funny)
My passwords all come in the following variations
yyyyyy
xxxxxxxxxx
Xxxxxxxxxx
Xxxxxxxxxx1
Xxxxxxxxxx_1
You missed one of the variations. I tried them all but I cannot log in.
Re:Don't brush your problem off on the user (Score:3, Funny)
And it is NOT possible for the average human being to remember passwords in the style of k$aUZ_nR2o.
Obligatory XKCD: http://xkcd.com/936/