Message-ID: <04Apr21.085300cest.118191@fd.hif.hu>
From: adam at hif.hu (Szilveszter Adam)
Subject: Passwords for Chocolate!

Jeremiah Cornelius wrote:
> "All because the Lady loves Milk Tray..." The BBC has an article about
> users giving up their passwords for chocolate.

Hehehehe, I really got a kick outta this. It really goes a long way to
show why you do *not* need to go very fancy with technology to e.g. attack
strong crypto: quite often you ask and you shall receive the info,
dammit. But that of course takes out the geek fun part.

But with that said, think of this: If you meet some pollsters on the
street, who ask you anonymous questions, what exactly do you risk by
giving out info that they will not be able to use? After all, in order
to use it they already must know who you are etc, in which case we are
already talking a targeted social engineering attack, not some random
street poll.

Also, think about it: Why not give something resembling a password if
they offer you some good choc? I mean, wouldn't you? I surely would: Oh
yeah, my login is "uberhax0r" and my pass is "Y0u GuYZ SuKk!" and
collect my king size. ;-)

As for ID theft: I know that this is big in some countries right now,
but I suspect that in some sense they are getting their money's worth
when they failed to implement proper data protection legislation and
practices in order not to hamper the "freedom of expression" of some
direct-marketing and credit-reporting agencies... that is, the real
problem is that already waaay too much data is out there about you and
often the only missing link was a quick-enough technology to link them
all. This is why proper data protection starts with the premise: "Only
collect and handle the data that is absolutely necessary, and only to
the extent absolutely necessary, and delete it right afterwards". Of
course, this causes some inconvenience and/or makes some business models
harder to pursue, but imho this is an acceptable price to pay. Data like
your date of birth or mother's name are all so common identifiers that
requiring people to keep them secret to prevent ID theft is ridiculous.
The key is to keep all the other data restricted that would enable
somebody to profile you, and to prevent unauthorized storage and
movement of your data.

Corollary: you should not believe everything you read in surveys,
especially ones that are sponsored by RSA Security to push their SecurID
solutions. (which will *not* help you with websites outside your company
like your webmail etc anyway)

On a more serious note, good password management has always been a dance
on the edge: give too many and too random passwords, and people *will*
write them down, often in insecure places. Use fewer or less random ones,
and you risk a more feasible brute force attack. What is appropriate
depends on the situation. In some cases, a password written down and
stored in the person's wallet which they will guard very closely for
obvious reasons is better than an easily guessed word in memory or a
Post-It on the monitor, in others, the wallet is exactly the wrong place
(like for debit and credit card PINs). Also trusting only one measure of
protection (good pwd policy) is not sufficient. If, in order to use the
password stolen, you also need to get physically inside a building, find
the appropriate office and get in there uncaught, that raises the bar.
If all you need is to go to a website and enter the info, that is a
different matter. etc.

The question that the RSA guys (and other lovers of one-size-fits-all
smart card etc solutions) need to ask of themselves is this: what is
worse: a pwd that possibly (but not surely) relies on some personal info
but you do not know which one and therefore stand a chance of getting
nailed with your unsuccessful login attempts, or a smart card or other
device getting lost with the PIN or other activation info neatly written
on it or somewhere near it. (like a keyring that people like wearing on
some strap around their necks or loosely stuffed into their pockets with
the strap hanging out. This fashion item is getting mucho use here in
town atm. And people not only hang their normal keys on it but also
card-keys and/or mobile phones. Which clearly shows the level of
frustration people have with regard to the many keys etc that they have
to carry and remember in life.)

And no, biometry is not the answer either, at least not a conclusive
one. I certainly would not trust it to make the final decision, unless
the "biometry" is the receptionist flashing me a broad smile and a Hello
on my way in. :-)

As usual, my HUF 0.02.
Regards:
Sz.