Friday, September 5, 2008

Password is outdated, obtain new safety key.

The best password is a long, nonsensical string of letters, numbers and punctuation marks – a combination never put together before.

 

Some admirable people actually do memorize random strings of characters for their passwords, and replace them with other random strings every couple of months.

 

Then there are the rest of us, who pick the short, the familiar and the easiest to remember, and hold on to it forever.

 

Security.

 

Computer security experts say that choosing hard-to-guess passwords will not keep us safe from identity theft, no matter how clever we are in choosing them.

 

That would be the case even if we had done a better job of listening to instructions.  Surveys show that we have remained stubbornly fond of perennial favorites such as “password”, “12345678” and “LetMeIn”.  However, the underlying problem is not their simplicity.

 

It is the log-on procedure itself: we land on a web page, which may or may not be what it says it is, and type in a string of characters to prove our identity.  This procedure, which now seems perfectly natural because we have been trained to repeat it so often, is a bad idea, one that no security expert would defend.

 

Getting tricked.

 

Password-based log-ons can be compromised in any number of ways.  Phishers trick us into clicking through to a site designed to mimic a legitimate one in order to harvest our log-on details.  Once we have been suckered at one site and our password purloined, it can be tried at other sites, and because the same password is so often reused, it will frequently work there too.

 

The solution urged by experts is to abandon passwords and move to a fundamentally different model, one in which humans play little or no part in logging on.

 

Instead, the machines carry out a cryptographic handshake to establish both parties’ authenticity, using digital keys that we, as users, never need to see.

 

As users, we would replace passwords with so-called information cards: icons on our screen that we select with a click to log on to a website.  The click starts a handshake between machines that relies on cryptographic keys rather than on a secret we type, so a look-alike page has nothing to harvest.
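To make the contrast with the phishing scenario above concrete, here is an added example (written for this page, not code from the original post, and not the actual CardSpace/information-card protocol): a simplified challenge-response login in which the user's card holds a master secret, each website gets its own derived key, and every answer is bound to the origin the browser is really connected to. The origins, user name, password and secrets are constructed for the example. It uses only the Python standard library.

```python
"""Origin-bound challenge-response login versus a typed password (added example).

Simplified sketch of the idea that a client-held key answers a per-site
challenge, so a look-alike site learns nothing it can use elsewhere. This is
not the CardSpace/information-card protocol itself; names, origins and
secrets below are constructed for the example.
"""
import hashlib
import hmac
import secrets


def derive_site_key(master_secret, origin):
    """Per-site key derived from the card's master secret and the origin the
    browser is actually connected to; a different origin yields a different key."""
    return hmac.new(master_secret, b"site-key|" + origin.encode(), hashlib.sha256).digest()


def site_mac(site_key, origin, nonce):
    """The login answer: a MAC over the origin and the site's one-time nonce."""
    return hmac.new(site_key, origin.encode() + b"|" + nonce, hashlib.sha256).digest()


class Card:
    """The user's card: holds a master secret the user never sees or types."""

    def __init__(self, master_secret=None):
        self.master_secret = master_secret or secrets.token_bytes(32)

    def register(self, origin):
        # Registration gives the site its own derived key; the master secret stays on the card.
        return derive_site_key(self.master_secret, origin)

    def respond(self, origin, nonce):
        # The answer is bound to the origin the browser sees, not to what the page claims to be.
        return site_mac(derive_site_key(self.master_secret, origin), origin, nonce)


class Site:
    """A relying website: stores per-user site keys and issues single-use nonces."""

    def __init__(self, origin):
        self.origin = origin
        self.keys = {}      # user -> site key handed over at registration
        self.pending = {}   # user -> outstanding nonce

    def enroll(self, user, site_key):
        self.keys[user] = site_key

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)   # each nonce is consumed once; replays fail
        if nonce is None or user not in self.keys:
            return False
        expected = site_mac(self.keys[user], self.origin, nonce)
        return hmac.compare_digest(expected, response)


def honest_login(card, site, user):
    """Normal flow: the site challenges, the card answers, the site checks."""
    nonce = site.challenge(user)
    return site.verify(user, card.respond(site.origin, nonce))


def relayed_phish(card, site, user, phish_origin):
    """A look-alike site relays the real site's nonce to the victim and forwards
    the victim's answer. Returns whether the real site accepts that answer."""
    nonce = site.challenge(user)                 # phisher opens a login as the victim
    stolen = card.respond(phish_origin, nonce)   # victim answers under the origin really shown
    return site.verify(user, stolen)             # forwarded answer: wrong key and wrong origin


def password_phish(password_db, user, typed_into_lookalike):
    """Contrast: a password typed into a look-alike page is the very string the
    real site accepts, so what the phisher harvests works unchanged."""
    return hmac.compare_digest(password_db.get(user, ""), typed_into_lookalike)


if __name__ == "__main__":
    card, bank = Card(), Site("https://bank.example")
    bank.enroll("alice", card.register(bank.origin))
    print("honest login:", honest_login(card, bank, "alice"))
    print("relayed phishing answer accepted:",
          relayed_phish(card, bank, "alice", "https://bank-login.example"))
    print("phished password accepted:", password_phish({"alice": "LetMeIn"}, "alice", "LetMeIn"))
```

The two properties worth noticing are that the phisher's copy of the answer is useless at the real site (different origin, therefore different key and different MAC input), and that a genuine answer cannot be replayed later because the nonce is consumed on first use; the password function shows why neither holds for a typed secret.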

 

And that is only half the battle: website hosts must also be persuaded to adopt information-card technology for sign-ons.

 

Large distraction.

 

We will not make much progress on information cards, however, because of the energy and attention wasted on a large distraction, the OpenID initiative.  OpenID promotes single sign-on: logging on to one OpenID website with one password grants entry, for that session, to every website that accepts OpenID credentials.  It still rests on a password typed into a box on a web page, which is exactly the habit that needs breaking; it merely makes that one password the key to every site.

 

Unlearning the habit of typing a password into a box on a web page will take a long while but it is needed for our own protection.

 
