Thursday 30 August 2012

Password pain

Continuing from yesterday's security theme, I'm going to pick up on two real pain points: passwords today and captchas tomorrow. Workers in IT will have literally hundreds of them to use on everything from wifi access points to secure rooms containing building security back office machines. There's no way they can remember them all, hence the rise of apps that help store passwords, hopefully securely. Prior to that people wrote them down or kept them in text files.

A long time ago when working on steam-driven machines we had to use double, 16-character automatically generated passwords that changed every two weeks, usually on five to ten dev and test systems. (It was a hardware company; we had lots and lots of toys.) The only way was to keep them stored somewhere, and the most common solution was the equivalent of Notepad and then copy/paste them into the remote logins. Hopefully nowadays people in equivalent positions use KeePass.

Normal people, on the other hand, probably don't know about such tools or, more importantly, realise they need them. I doubt we've moved much forward from the scene in 1983's WarGames where the school secretary keeps a list of passwords in her desk drawer.

While normal users are probably aware that they should not use obvious passwords and all the rest, they probably don't know why. Probably just as well: if they did, they would probably avoid the services.

On the other hand maybe they should know. I registered on a well-known ERP vendor's website to access some reports yesterday - it asked for a 6 to 8 letter password, letters and numerals only. And you want people to spend millions on big backends based on what is clearly a VARCHAR(8) password store?

But my least favourite of all these systems are the partial passwords used by financial companies, most notably as part of 3-D Secure from Visa and MasterCard. These ask for different letters of your password, usually giving away the length of the password at the same time: please enter the third, fifth and tenth letter of your password. I defy anyone with a decent password to be able to do that without writing it down first, blowing away the shoulder surfing risk reduction. Meaning that your password is now available to snoopers at both the consumer end and the backend, where it can only be stored in cleartext to allow a check of that nature. And that means it is only as secure as the vetting process on the database engineering team.
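To make the two preceding points concrete, here is an added example (my own illustration, not code from the post or from any vendor or card scheme) modelling the two storage designs side by side: a salted one-way hash, and the cleartext record that a "give me the third, fifth and tenth letter" check forces on the backend. The hypothetical record layouts, the sample passwords and the helper names are all constructed for the demonstration. It shows that a hash verifies the whole password for any length (so an 8-character cap has no cryptographic justification), that a hashed record holds neither the letters nor the length needed to answer a positional challenge, and that the positional challenge both leaks a lower bound on the length and leaves the password readable in a leaked row.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Model 1: salted one-way hash (what a password store should hold) ---

def make_hashed_record(password: str, iterations: int = 100_000) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 digest. The password itself is not kept,
    and the digest is 32 bytes whatever the input length, so there is no storage
    reason to cap passwords at eight characters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_full(record: dict, attempt: str) -> bool:
    """Re-derive from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])

def can_answer_positional_challenge(record: dict) -> bool:
    """A positional check needs individual letters and the password length.
    Only a record that still carries the cleartext can provide them."""
    return "cleartext" in record

# --- Model 2: cleartext store (what a partial-password check forces) ---

def make_cleartext_record(password: str) -> dict:
    """Constructed model of a backend that keeps the password readable."""
    return {"cleartext": password}

def positional_challenge(record: dict, positions: tuple) -> tuple:
    """The server can only ask for positions that exist, so the prompt shown to
    the user reveals that the password is at least max(positions) long."""
    if max(positions) > len(record["cleartext"]):
        raise ValueError("position beyond password length")
    return positions

def verify_positional(record: dict, positions: tuple, letters: str) -> bool:
    """Compare the requested 1-based positions against the stored cleartext."""
    expected = "".join(record["cleartext"][p - 1] for p in positions)
    return hmac.compare_digest(expected.encode("utf-8"), letters.encode("utf-8"))

def exposure_on_dump(record: dict) -> Optional[str]:
    """What a leaked or browsed row gives away: nothing usable from a hashed
    record, the whole password from a cleartext one."""
    return record.get("cleartext")

if __name__ == "__main__":
    hashed = make_hashed_record("correct horse battery staple")
    print("full check against hash:", verify_full(hashed, "correct horse battery staple"))
    print("positional check possible against hash:", can_answer_positional_challenge(hashed))
    clear = make_cleartext_record("Tr0ub4dor&3xyz")  # constructed sample password
    print("positional check against cleartext:", verify_positional(clear, (3, 5, 10), "0b&"))
    print("row dump exposes:", exposure_on_dump(clear))
```

The point of the pairing is that the positional challenge is not a presentation choice layered on top of a hashed store; it dictates the storage model. Anyone who can read the table, whether an attacker with a dump or an insider on the database team, reads the passwords directly, which is exactly the exposure the post describes.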

The only glimmer of hope in this arena is the growing use of Facebook, Twitter, Google and others as means of logging people in without the need for the entry of passwords. Facebook offers really good authentication due to its vast collection of photos that it will require you to identify. Google offers two-factor authentication with mobile, which is inconvenient but reasonably secure. Twitter hasn't quite reached those levels yet, but at least there don't seem to be any exploits.

Sounds mad that a social media platform is more secure than the banks, but there you have it. Perhaps your internet banking service should authenticate with Facebook. Stranger things have happened.
