This week in security assessment news, I decided to write about Entrepreneur’s article titled “Passwords Are Scarily Insecure. Here Are A Few Safer Alternatives”. I chose this article not because the information in it was a revelation to me, but because the movement away from passwords has not caught fire the way you would expect. The article points out that passwords suffer from two distinct problems. The first is that when people create passwords, they usually create weak, easily guessed ones. Some sites and systems now require a minimum length and a mix of numbers, letters and punctuation, but such requirements are the exception, not the rule. The second problem is that passwords are extremely easy to steal, whether through viruses or worms, or simply by “impersonating someone you know or trust to gain login information or personal details” (Rafaeli, 2018). Either way, a password on its own is not a reliable proof of identity. The article then covers several alternatives, which I discuss in more detail below.
The first alternative offered by the article is the security token. A token generates a one-time password from a “seed record” (Rafaeli, 2018), a secret stored inside the device, and the user types that code into the login screen. At this point, this form of authentication is still coupled with a password from the user as an extra layer. Tokens are a strong alternative because every code is derived from the seed: an attacker who does not hold the device, and therefore does not hold the seed, cannot predict the next code, and guessing it is near impossible. The protection is only as good as the secrecy of the seed, however. The same seeds are stored on the authenticating server, so a breach there lets an attacker compute exactly the codes the token would. While this method is a drastic improvement over plain passwords, it does carry other problems. First, it is an expensive way to provide security, as physical devices must be purchased and distributed to users. Second, users must carry their tokens at all times if they wish to log in with them.
The next alternative offered by the article is biometrics: a device that uses fingerprints or facial scans to determine whether you are who you say you are. The article claims that “a fingerprint, for instance, can’t be lost or hacked” (Rafaeli, 2018). Biometrics are appealing as a form of authentication because they are quick to complete and user friendly. While this form of authentication is catching on quickly, it has its own problems, much like the others. The first is accuracy: a biometric match is probabilistic, so every system trades off false accepts (letting the wrong person in) against false rejects (locking the right person out), and the technology still has room to improve here. The other is that should the organization you authenticate against be breached, attackers can steal the stored biometric data and use it for more nefarious purposes, and unlike a password, a fingerprint cannot be changed after it leaks.
Lastly, the article covered phone-based authenticators. This is the newest entrant in the growing authentication security market and has some of the best potential of all the methods. It works by installing an app on your phone and linking it to your account. When someone tries to log in with your username on a system, you receive a notification on your phone. From there, you either enter a one-time password generated by the app or simply approve the login. The approval model depends on the user actually checking that the request is their own before tapping approve; otherwise an attacker who already has the password can be let in with a single tap. I have some personal experience with these types of authenticators, as I have three of them to satisfy requirements from several games I play. It is curious that such strong security measures are in place for the simple games I play, but not for, say, my bank.
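Both the hardware token and the phone app above produce one-time codes the same way: a secret seed is shared between the device and the server, and each side computes HMAC over a counter (or the current time slot) and truncates the result to a short decimal code. The following is an added example, not code from the article or any vendor, implementing HOTP (RFC 4226) and TOTP (RFC 6238) in plain Python plus a small server-side verifier. The seed is the 20-byte ASCII string from the RFCs’ published test vectors, used here only so the output can be checked; a real seed is random bytes provisioned into the token or app. The drift window and replay tracking in `TotpVerifier` are design choices assumed for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the 20-byte ASCII secret from the RFC 4226 / RFC 6238
# test vectors. In practice the seed is random bytes known only to the token
# (or phone app) and to the authenticating server.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(time / step).
    Anyone holding the seed (the device, the server, or a thief of either)
    computes the same code, which is why seed secrecy is the whole game."""
    return hotp(seed, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (assumed design for this example).

    Accepts codes from `window` steps either side of the server clock to absorb
    clock drift, and remembers the last accepted step so that a code captured
    from the user cannot be replayed within that window.
    """

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed = seed
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for step in range(now_step - self.window, now_step + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # that slot (or an older one) was already used: replay
            expected = hotp(self.seed, step, self.digits)
            # constant-time comparison so response timing does not leak digits
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(DEMO_SEED, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(DEMO_SEED, 59, digits=8))
    verifier = TotpVerifier(DEMO_SEED)
    code = totp(DEMO_SEED, 1111111111)
    print("first use accepted:", verifier.verify(code, 1111111111))
    print("replay rejected:", verifier.verify(code, 1111111111))
```

The codes for counters 0, 1 and 2 and the 8-digit TOTP at t=59 match the RFC test vectors, which is a quick way to confirm an implementation before trusting it. Note that the verifier’s replay check only helps against a code reused within the drift window; it does nothing if the seed itself has been copied.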
Overall, this article did a good job of breaking everything down. When offered, you should consider using an alternative authentication method over passwords. While not entirely foolproof, these methods raise the bar enough that you will not be a constant victim.
Sources Cited: Rafaeli, R. (2018, March 7). Passwords Are Scarily Insecure. Here Are a Few Safer Alternatives. Retrieved March 29, 2018, from https://www.entrepreneur.com/article/309054