Will Your Password Need A Password?

from the better-security dept

If you hadn't realized it already, simple username/password combos are a pretty weak form of security - yet they're pretty much all we have for many important online systems that store our most vital information. While there are other solutions out there, many companies (especially in the US) have been incredibly slow in adopting "two-factor authentication" systems that require a password plus something else - such as a one-time code generated by a device you have to have with you (or built into your computer). The idea is that if your password is revealed, it's useless to anyone who doesn't also have the device, and if someone finds the device, it's useless without your password. However, so far, many users don't value this additional security very much - and the devices still aren't all that cheap. Plus, many companies are worried that users will react negatively to such systems because they may slow down the user experience - causing users to look for other (albeit less secure) alternatives. Then, of course, there's the worry that people will end up using systems that aren't compatible with each other, so you'll need a separate device for every account - which would be much worse than before. Others, such as those in the fingerprint scanning business, think a biometric approach makes much more sense - but that leads to all sorts of other questions and issues. Still, as there are more and more cases of fraud and identity theft due to so much weak security, it seems increasingly likely that companies will be forced to adopt more secure methods.

Reader Comments


  1. Ed Halley, 1 Jun 2004 @ 8:46am


    Gross generalization here: Users have no contextual understanding of how "security" works, and no real incentive to come to understand it, either. They'll follow procedures to get paid, but only if they actually see that they need to follow the procedures.

    Security is not a product, it is a process. You can't just layer on a coat of "security paint" and expect everything to be safe from intrusion.

    A good security training exercise is not to teach the users how to take care of their passwords or tokens, but to teach them how to attack a security system. From that mindset, they learn how to protect far more than just a password or a token.

    Show a couple of scenarios mixing physical, social and electronic attack. Then show a hypothetical system and discuss how the intruders could attack that system, and how it can be improved.


