Jeff's InfoSec Blog

Thoughts about information security, privacy, and regulatory compliance. Brought to you by Jeff Newfeld, the product unit manager for security solutions in Microsoft's Core Infrastructure Solutions group.


OK, passwords are so 20th century and have to go!


This article (Protect passwords? Not if latte is free) was passed on to me from a colleague who also saw the irony in this.  I would say that we're 3 years too late in making 2-factor auth a base part of computing.  This makes identity theft almost too easy... fish in a barrel. 

What do you do to keep your passwords secure?  Use the same one everywhere?  Write them down?  Keep them in your cell phone? None of these are great options. 

The alternative is something that you need to carry around.  Any ideas on what could work?  Iris and fingerprint scanners still aren't reliable enough (in the home market).  Smartcards would work, as would token generators such as those sold by RSA and others.  But equally important is who the issuer is.  Because I don't want 20 fobs hanging off of my keychain, I want one or two to cover every site that I visit. 

  • Ah that old chestnut - password security.

    So now it's a free latte? The last survey I heard about it was for a free chocolate bar (and the vast majority of people handed over their p/w without any qualms!).

    This is going to be one of those things that I don't think will be resolved in the near future.

  • I discussed one mechanism to avoid the multiple token "necklace" problem in the latest issue of the ACM's RISKS Digest [v.23, issue 86]. "E*TRADE and SecurID" is a rambling response to a critique of E*TRADE's recent implementation of two-factor authentication, but one section describes the RSA Authentication Service that RSA Security is developing in conjunction with E*TRADE, the 3rd largest online brokerage, and other RSA customers in financial services. I'd be interested in your thoughts on the project, and the service which will be offered commercially in a couple of months.



  • Vin --

    Thanks for the post on the necklace problem. In your article you mention that (in your example) E*Trade would post on their web site that they accept BigBank's SecurID device. My point is that these point-to-point approaches don't work, unless BigBank saw issuing identity as a business opportunity and was incented to widely promote it. But even then, vendors like E*Trade would need to create relationships with dozens of banks to be effective.

