Monday, August 30, 2010

Is Your Password Easily Accessible?

Is it just me or do other people have problems with passwords? One of the side effects of the internet is that we now need a vast array of passwords to access the different sites from Amazon to PayPal and everything in between.

Now here’s the thing: can you have one password for accessing all these different sites? Of course not; can’t you hear the security experts screaming in your ear? But actually you really don’t want that many. I have a simple strategy that I don’t mind sharing with you: there is the very secure password for the bank and PayPal, and then there is the floppy password for all those sites that really don’t matter. If you can break into my wine account (no credit card stored) and change my preferences, then frankly I really don’t care.

However, you know what I’m about to say: real life is not like this. All these different websites have different password strategies: no less than 8 characters, must have a number, must have a non-alpha/number character, must be numeric only; it goes on and on. Well, just last week I met the ultimate condition: no consecutive numbers, even just 2, up or down. Now I think my brain is starting to hurt; what nutcase decided that? In any random sequence of numbers there are bound to be consecutive numbers in one direction or the other. For my mathematical friends: what are the odds in a sequence of 8 digits that at least 2 digits are consecutive? So of course you end up having to write them down, somewhere that you can lay your hands on in a hurry.
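The odds question above can be answered exactly. The script below is an added example, not part of the original post; it assumes the rule means "no two neighbouring digits may differ by exactly 1, in either direction" (so both 34 and 43 are rejected) and that PINs are drawn uniformly at random. It counts the surviving strings with a small dynamic programme over the last digit and cross-checks that against brute force for short lengths.

```python
from fractions import Fraction
from itertools import product


def count_without_adjacent_run(length: int, base: int = 10) -> int:
    """Count digit strings of the given length in which no two neighbouring
    digits differ by exactly 1 (so '34' and '43' are both forbidden).

    Dynamic programme over the last digit: a valid string of length n+1 that
    ends in d is any valid string of length n whose last digit is not d-1 or d+1.
    """
    if length <= 0:
        return 1 if length == 0 else 0
    ending_in = [1] * base  # length-1 strings: exactly one ends in each digit
    for _ in range(length - 1):
        total = sum(ending_in)
        ending_in = [
            total
            - (ending_in[d - 1] if d > 0 else 0)
            - (ending_in[d + 1] if d + 1 < base else 0)
            for d in range(base)
        ]
    return sum(ending_in)


def probability_of_adjacent_run(length: int, base: int = 10) -> Fraction:
    """Exact probability that a uniformly random digit string of this length
    contains at least one up-or-down consecutive pair, i.e. would be rejected
    by the 'no consecutive numbers' rule described in the post."""
    return 1 - Fraction(count_without_adjacent_run(length, base), base ** length)


def brute_force_count(length: int, base: int = 10) -> int:
    """Exhaustive cross-check for small lengths (validation only; slow for 8)."""
    return sum(
        1
        for digits in product(range(base), repeat=length)
        if all(abs(a - b) != 1 for a, b in zip(digits, digits[1:]))
    )


if __name__ == "__main__":
    for n in (4, 8):
        p = probability_of_adjacent_run(n)
        print(f"{n}-digit random PIN rejected with probability {p} (about {float(p):.1%})")
```

For 8 digits the rule rejects roughly three quarters of all random strings, which is why "just pick something random" keeps failing and people reach for the notebook; from a defender's view it also shrinks the space an attacker has to search, the opposite of what such rules are meant to do.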

In the old days we all used to carry around those little booklet things called diaries, but now, with those relegated to the museum, we have electronic diaries in the form of mobile phones. Do you remember the Palm Pilot? Oh, I felt so up to date when I first got one of those, but now it’s the iPhone (just wanted to drop that in; it’s only the iPhone 3, you can guess who’s upgraded to iPhone 4).

I wouldn’t want my phone to be stolen; it stores far too much personal data. Probably all the data should be encrypted, which is of course only as good as the password. But very few people seem to have their phones in encrypted mode.

Anyway, all this came to mind this week when reading about the iTunes and PayPal hack, with lots of people complaining about having their PayPal accounts emptied. There is no absolute clarity on exactly what has happened, but the stories seem to be consistent that the hack has happened through iTunes and that somehow the fraudsters have managed to get hold of a number of iTunes account details/passwords and have then gone around doing loads of downloads funded through iTunes against PayPal. Both PayPal and iTunes have denied their systems are broken; PayPal has specifically stated that they are unaware of any account breaches on their system. iTunes has been a little more cautious, suggesting that if your password has been stolen you should change it right away. Others have suggested that maybe the iTunes users were subject to some phishing scam that resulted in the loss of their account details, including the password.

Now whatever happened to 2-Factor Authentication? Just a few years ago it was on everybody’s lips; it was only a matter of time before we would all be carrying a smart card or token that gave us secure authentication into whatever sites we were registered with. It’s all gone quiet, and yet the problems with passwords have never been more rampant. Just think about it: one smart card or token, one password for access to the smart card, and hey presto, you can log in securely to any website. But more to the point, the hacker without access to your smart card and password is permanently locked out: no more phishing!

Am I missing something here?
