Will Your Password Need A Password?
from the better-security dept
If you hadn’t realized it already, simple username/password combos are a pretty weak form of security – yet they’re pretty much all we have for many important online systems that store our most vital information. While there are other solutions out there, many companies (especially in the US) have been incredibly slow in adopting “two-factor authentication” systems that require a password plus something else – such as a one-time code generated by a device you have to carry with you (or one built into your computer). The idea is that if your password is revealed, no one else has the device, so the password alone is useless. If someone finds the device, they don’t have your password, so the device alone is useless.

However, so far, many users don’t value this additional security very much – and the devices still aren’t all that cheap. Plus, many companies worry that users will react negatively to such systems because they slow down the user experience – causing users to look for other (albeit less secure) alternatives. Then, of course, there’s the worry that people will start using systems that aren’t compatible with each other, so you’ll need a separate device for every account – which would be much worse than before. Others, such as those in the fingerprint scanning business, think a biometric approach makes much more sense – but that raises all sorts of other questions and issues. Still, as there are more and more cases of fraud and identity theft due to so much weak security, it seems increasingly likely that companies will be forced to adopt more secure methods.
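To make the "password plus a device-generated one-time code" idea concrete, here is an added example (not code from the article or from any product it mentions) of how a server can check both factors. The article does not say how the device produces its codes; this example assumes the HMAC-based one-time password scheme of RFC 4226 (HOTP), where the device and server share a secret key and a counter. The user record, the password, and the shared key (the RFC 4226 test-vector key) are constructed for the demo; the salt and the `LOOK_AHEAD` window are hypothetical settings.

```python
import hashlib
import hmac
import struct

# Constructed sample: a static salt so the demo is reproducible.
# A real server stores a random per-user salt next to the password hash.
SALT = b"constructed-static-salt"
LOOK_AHEAD = 3  # how many skipped device presses the server tolerates


def hash_password(password: str) -> bytes:
    """Store passwords only as a salted, slow hash (PBKDF2-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user record, as a server might keep it. The hotp_secret is
# the key shared with the user's code-generating device (RFC 4226 test key).
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse"),
        "hotp_secret": b"12345678901234567890",
        "counter": 0,  # next counter value the server expects to see
    }
}


def verify_login(username: str, password: str, code: str) -> bool:
    """Accept a login only if BOTH factors verify.

    A leaked password without the device fails (no valid code); a found
    device without the password fails (pw_ok is False). A code that has
    already been used is rejected because the server counter moves past it.
    """
    user = USERS.get(username)
    if user is None:
        return False

    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password))

    # Search a small window so a device whose counter ran ahead still works.
    matched = None
    for c in range(user["counter"], user["counter"] + LOOK_AHEAD + 1):
        expected = hotp(user["hotp_secret"], c).encode()
        if hmac.compare_digest(expected, code.encode()):
            matched = c
            break

    # Both checks are evaluated before deciding, so the response does not
    # tell the caller which factor was the one that failed.
    if not (pw_ok and matched is not None):
        return False

    user["counter"] = matched + 1  # consume the code: replaying it now fails
    return True


if __name__ == "__main__":
    print("password only :", verify_login("alice", "correct horse", "000000"))
    print("device only   :", verify_login("alice", "guess", hotp(b"12345678901234567890", 0)))
    print("both factors  :", verify_login("alice", "correct horse", hotp(b"12345678901234567890", 0)))
    print("replayed code :", verify_login("alice", "correct horse", hotp(b"12345678901234567890", 0)))
```

The counter is the part that makes the code "one-time": after a successful login the server only accepts codes for counters beyond the one just used, so an attacker who watched the user type a code cannot reuse it. The look-ahead window is the usual compromise between rejecting a device that was pressed a few times without logging in and keeping the set of acceptable codes small.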
Comments on “Will Your Password Need A Password?”
No Subject Given
Gross generalization here: Users have no contextual understanding of how “security” works, and no real incentive to come to understand it, either. They’ll follow procedures to get paid, but only if they actually see that they need to follow the procedures.
Security is not a product, it is a process. You can’t just layer on a coat of “security paint” and expect everything to be safe from intrusion.
A good security training exercise is not to teach the users how to take care of their passwords or tokens, but to teach them how to attack a security system. From that mindset, they learn how to protect far more than just a password or a token.
Show a couple of scenarios mixing physical, social and electronic attack. Then show a hypothetical system and discuss how the intruders could attack that system, and how it can be improved.