In his new entry "The Curse of the Secret Question", Bruce Schneier offers some very interesting reflections on the security offered by passwords and the "secret questions" that many sites use to identify a customer who has lost his password. He summarizes:
Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.
Bruce talks about calling customer service and proving his identity to them in some way. I had to do this with my bank too, once when I mistyped my password thrice. They connected me to their "security department", where they nicely asked me for data such as my ID number, my address and my birth date. In short, it was the telephone version of the "secret question".
I just wonder, what other alternatives do we have? I fear that we do not have a better idea than passwords, yet.

3 comments
hiiiii
Well, more and more alternatives to "old fashioned passwords" are appearing: using fingerprints, those ID thingies you plug into the computer and, voilà, you're logged in, RFID (ugh), etc…
The problem, I guess, is interoperability. If you choose a certain way of identifying yourself with your machinery, will it work with everything? Will it work on every machine you have access to? Will it be easy to use? Sadly, I think the answer to these questions is NO; it will work only in some machines, only with some particular software & hardware, only on a particular OS….
Now, I know some people are perfectly happy with one of those new ThinkPads with a fingerprint reader; yet I’m not sure I would be. Yeah, it would be cool to use it, but would it work with Linux? If the software got -somehow- corrupted would I have a way to (a) log into the computer (b) fix it? etc… I must also admit I’m quite reluctant to embrace new technologies that require a significant investment just to try them out.
So, it seems we’re stuck with good old fashioned passwords for a while.
And passwords are not perfect, far from it. Yes, they can be secured if the user understands (and cares about) the dangers / issues related to using passwords to protect sensitive content … but I guess we've all seen things that make those of us who are tech-savvy shake our heads: passwords like "12345", using the same simple password for sensitive accounts and stupid web accounts, password = login, etc etc…
No matter how well thought out your security scheme is, the weakest link will always be the user.
It does seem that we will be stuck with passwords for a while, yes. And yet, we all agree that they are not a great security scheme. The amount of passwords we need nowadays makes it nearly impossible to avoid password reuse or using bad passwords. Software like Password Safe makes it a bit easier to cope with passwords, but introduces a hairy single point of failure.
I know it is difficult, but I still hope that we will soon find a better alternative to user identification than passwords.