In my efforts to move my web-site, I ended up in a conversation regarding securing the site’s logins. Meanwhile, I also read an article that addressed the issue. Both had some focus on passwords that I thought interesting.
In the conversation with my new hosting company’s representative about ways to secure my site, they discussed measures beyond ordinary passwords, such as two-factor authentication and keys, as the things to focus on. If you don’t know what I mean by a “key,” think of the RSA tokens the big companies use when you log into their systems. They hand you some kind of random-number generator to use as part of your login. In some cases, a key is created to verify a specific machine, over and above the passwords we think we depend on.
Meanwhile, I was reading my latest copy (Volume 59, Number 11) of “Communications of the ACM” (Association for Computing Machinery) and ran across the article “Pushing on String: The ‘Don’t Care’ Region of Password Strength,” which gave yet another bit of information about passwords. It talked about how complex password rules aren’t the be-all, end-all of security. For one, the effectiveness of this tactic is limited depending on whether the threat is an on-line guessing attack or an off-line one. For another, it assumes the problem lies with the passwords themselves. For example, if someone can steal your actual passwords, their strength doesn’t matter.
Finally
There are many things we can do to secure our systems. While companies seem to be advancing toward more and more complex passwords, one has to hope they don’t think this is going to protect their systems. Hopefully, they understand what their true risks are and are addressing those, as well.
As for my new web-site, while I do have accounts password-protected (and not with my birthday, age, favorite food or anything else easily guessed), it’s not one of the super-long, super-cryptic ones, either. It’s not that difficult to consider using other types of security measures as well, even for companies of my size. There is a wide variety of choices, and affordable ones, to give us all practical security alternatives.
Gloria Metrick
GeoMetrick Enterprises
http://www.GeoMetrick.com/
You should check out: https://www.grc.com/sqrl/sqrl.htm
Get away from passwords entirely. Part of the problem is relying on a website to keep your secret. You keep the secret. It’s your responsibility.
Greg
Greg, with its QR code, that’s an interesting way to authenticate. It’s another variation of the key except I think that this link says the code is specific to the user where we sometimes consider the key being specific to the machine.
It’s unique to you (the secret key you created) and the website by way of encryption.
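To illustrate the per-site key idea from the exchange above, here is an added example (not from this post, the commenters, or the SQRL project) that derives a separate secret for each website from one master secret the user keeps, so a site only ever stores a public identifier and a breach at one site yields nothing usable at another. The master secret value is constructed, and a SHA-256 digest stands in for the per-site public key (an assumption made to keep the example standard-library only; SQRL itself uses public-key cryptography).

```python
import hashlib
import hmac

# Constructed sample master secret for illustration only; a real one would be
# 256 random bits that never leave the user's device.
MASTER_SECRET = bytes.fromhex("00" * 16 + "ff" * 16)


def site_key(master_secret: bytes, site_domain: str) -> bytes:
    """Per-site secret: HMAC-SHA256 keyed with the master secret over the
    site's domain. Same master + same domain gives the same key every time;
    a different domain gives an unrelated key, so sites cannot link users."""
    domain = site_domain.strip().lower().encode("ascii")
    return hmac.new(master_secret, domain, hashlib.sha256).digest()


def site_identifier(master_secret: bytes, site_domain: str) -> str:
    """The only value the website stores. Here a SHA-256 digest of the
    per-site key stands in for a public key (assumption for this example).
    Knowing it does not reveal the per-site secret or the master secret."""
    return hashlib.sha256(site_key(master_secret, site_domain)).hexdigest()


def linkable_across_sites(master_secret: bytes, site_a: str, site_b: str) -> bool:
    """True only if two sites would hold the same identifier for this user,
    i.e. if a breach at one site could be replayed at the other."""
    return site_identifier(master_secret, site_a) == site_identifier(master_secret, site_b)


if __name__ == "__main__":
    for domain in ("example.com", "example.org"):
        print(domain, site_identifier(MASTER_SECRET, domain))
    print("linkable:", linkable_across_sites(MASTER_SECRET, "example.com", "example.org"))
```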