Tuesday, 1 September 2015

Halt and give the password!

Passwords are such a pain, aren't they?

Several recent incidents have prompted me to scribble a few thoughts on the subject. Firstly, there was the infamous Ashley Madison hack (not that any of my readers are likely to have joined that rather dubious website). It's not so much the details of who the users are, but the information that's come out about passwords. It seems that the most popular passwords are 'Password' and '1234' - these are not exactly strong passwords. Of course in this case it may mean that the users were just creating throw-away accounts, with fake names etc, so weren't too fussed about security. But other website hacks have shown similar results.

Surely by now people should understand about having strong passwords? Or, even better, using 2-factor authentication when it's available? Some websites now actually show how good a password is when you choose one - some, but not all. It's still no excuse for using the name of your pet pussy-cat instead of p1nk56bananA#!  (And don't start me on websites that don't allow special characters like #@£& etc. in passwords!)

But, you say, how do I remember all of my passwords? Should I use the same (strong) password for every website? NOOOOO! And please don't start me on the wisdom of those stupid sites that say 'log in with your Facebook account' - what a brilliant idea! Use the same password for every website - then life will be so much simpler for the hackers. Obviously, you must have a different password for every site.

So, again, how to remember them all? That's where password managers in your browser come in handy - they can securely remember all your passwords - just make sure that you set a master password to stop anyone browsing through them all (and have a nice, strong, unique master password, not 'fluffypaws')

Password managers are great. But unfortunately there are a few idiots out there who disagree. The Welsh Government have recently decided that users of their 'Sell2Wales' tender management website can't use a password manager 'for security reasons' - I assume that they feel that having the password on a post-it note stuck to the computer is more secure. They seem to be under the impression that no-one uses any website other than theirs, and will have no problem remembering a password for a site they perhaps visit once a month. Or perhaps they want people to use their Facebook password?  Why do the taxpayers of Wales have to pay for this sort of 'advice'?

I'd say 'roll on fingerprint ID', but that's even worse. There is a key difference between passwords and biometric ID. User name+password identifies the user of a website as someone authorised to use the website, but doesn't actually identify the person or allow them to be linked to login data from other websites (Facebook please note) and the subsequent data mining. You can use totally different names, dates of birth, address, e-mail etc for every website. Biometric ID is very very different - it identifies you as a unique human being, and allows all sorts of dodgy data analysis. No thanks. For me, I'd like to see a much wider roll-out of 2-factor authentication - security combined with privacy.

No comments:

Post a Comment