There has been a lot of talk recently about online password security. It seems that a lot of people are still using really easy passwords, and even more people write down their passwords. This is apparently a major problem. As a solution, “experts” are tossing around some “new” ideas like passphrases and multiple security keys. [I’ve been meaning to write this update for a few weeks now and can no longer find the articles I was reading. You’ll have to take my word for this – it’s been all over the internet, seriously.] Passphrases, essentially passwords with a greater minimum length requirement, are the next logical step up from passwords. Passphrases are a good idea. They’re longer and therefore much harder to crack using brute force (is brute force even a legitimate concern anymore?). Also, users would generally have an easier time remembering a phrase like “go go gadget” than “98xgE!z” or the other cryptic combinations of characters required for a secure password. If it’s easier to remember, maybe people won’t write it down, or so the theory goes.
The idea of multiple security keys is probably already in use by the military and security-conscious banks. This authentication method requires a static key and a rotating key. The static key could be a standard password, biometrics or whatnot. The rotating key is securely transmitted to the user. Also a very good idea. One major issue is the transmission of the rotating key. How do you ensure the key is not being requested by a fraudulent party? Probably by asking for more verification information. For instance, a bank website could employ this method. They could require you to call a phone line and provide further information (bank account #, SIN, etc.) before releasing the rotating key. I doubt that something like this will ever be launched, or at least not until 100% of the population is “computer literate.”
All that said, the single most overlooked security hole on the internets today has got to be “secret” questions. Probably popularized by hotmail (at least that is the first place I recall seeing them) a number of years ago, they are now even used by some ISPs. The questions are always something like “mother’s maiden name,” “favorite pet,” “shoe size.” In theory, secret questions are reasonably secure: the answers are not supposed to be common knowledge. “Secret” is really a euphemism for “difficult to know.”
In practice, almost every secret question is something that could easily come up in conversation, and/or a fairly common question that someone – even a stranger – might ask out of the blue. That makes secret questions ridiculously easy to “social engineer” out of people.
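To put numbers on the brute-force claim in the passphrase paragraph and on the secret-question problem above, here is a small added calculation of my own (not from any of the articles I was reading). It assumes a 94-symbol keyboard alphabet, a 7776-word list like the Diceware one, an assumed pool of roughly 1000 common pet names for the “favorite pet” question, and an assumed offline guess rate of 10 billion per second; it also assumes the words are chosen at random, which a well-known phrase like “go go gadget” is not.

```python
import math

# Assumed alphabet sizes for the comparison (not measured values).
PRINTABLE_ASCII = 94        # letters, digits and punctuation on a US keyboard
DICTIONARY_WORDS = 7776     # size of a Diceware-style word list
COMMON_PET_NAMES = 1000     # assumed pool an attacker would try for "favorite pet"


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Search space, in bits, for `length` symbols each drawn uniformly
    from `alphabet_size` choices. For a passphrase the "symbol" is a
    whole word and `length` is the word count; this assumes random
    choice, so a famous phrase is worth far less than this number."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a constant guess rate
    (an attacker expects to succeed after about half of them)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Return {label: (bits, years_to_exhaust)} for the cases the post talks about."""
    cases = {
        "7-char random password (98xgE!z style)": keyspace_bits(PRINTABLE_ASCII, 7),
        "3 random dictionary words": keyspace_bits(DICTIONARY_WORDS, 3),
        "5 random dictionary words": keyspace_bits(DICTIONARY_WORDS, 5),
        "secret question: favorite pet": keyspace_bits(COMMON_PET_NAMES, 1),
    }
    return {name: (bits, years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:45s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The result is the point of the post in numbers: length is what buys you brute-force resistance (three random words are actually a bit weaker than a 7-character random password, five words are far stronger), while a secret question is a ten-bit “password” that an attacker can guess in a fraction of a second, and usually doesn’t even need to guess.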
In conclusion, don’t use services that require secret questions; if you have to, fill the answer with gibberish.
I started writing this post a week ago, and I don’t recall exactly where I was going with this…