Will Your Password Need A Password?

from the better-security dept

If you hadn't realized it already, simple username/password combos are a pretty weak form of security - yet they're pretty much all we have for many important online systems that store our most vital information. While there are other solutions out there, many companies (especially in the US) have been incredibly slow in adopting "two-factor authentication" systems that require a password plus something else - such as a one-time code generated by a device you have to have with you (or built into your computer). The idea, then, is that if your password is revealed, no one else has the device, so the password is useless. If they find the device, they don't have your password, so the device is useless. However, so far, many users don't value this additional security very much - and the devices still aren't all that cheap. Plus, many companies are worried that users will react negatively to such systems because they may slow down the user experience - causing users to look for other (albeit less secure) alternatives. Then, of course, there's the worry that people will start using systems that aren't compatible with each other, so you'll need separate devices for every account - which would be much worse than before. Others, such as those in the fingerprint scanning business, think a biometric approach makes much more sense - but that leads to all sorts of other questions and issues. Still, as there are more and more cases of fraud and identity theft due to so much weak security, it seems increasingly likely that companies will be forced to adopt more secure methods.

Reader Comments

  1. Ed Halley, 1 Jun 2004 @ 8:46am

    Gross generalization here: Users have no contextual understanding of how "security" works, and no real incentive to come to understand it, either. They'll follow procedures to get paid, but only if they actually see that they need to follow the procedures.

    Security is not a product, it is a process. You can't just layer on a coat of "security paint" and expect everything to be safe from intrusion.

    A good security training exercise is not to teach the users how to take care of their passwords or tokens, but to teach them how to attack a security system. From that mindset, they learn how to protect far more than just a password or a token.

    Show a couple of scenarios mixing physical, social and electronic attack. Then show a hypothetical system and discuss how the intruders could attack that system, and how it can be improved.
