Passwords and Secret Questions

Posted by Doug Fri, 11 Feb 2005 14:49:00 GMT

Bruce Schneier has another good article on The Curse of the Secret Question. He basically argues that sites using a backup “secret question” are eliminating the value of good passwords: attackers can skip the strong password and work on the secret question instead, whose answer is probably public and more easily guessable. He boils it down (as he usually does) to the security trade-off: easier customer service versus strong security. OK, I can see this is a problem. What bothers me is the conclusion he draws:

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.

If passwords are dead, what’s the alternative? Biometrics? I understand that managing passwords is hard. I use Mac OS X’s keychain system to manage all of mine. I like that my browser can remember it all. There are still problems, though. Some sites have decided not to let my browser remember the passwords to their site: there’s a tag that can make my browser not use its remembrance features. Also, the keychain UI isn’t really designed for the user to spend much time browsing in there. As an ISP, I deal fairly frequently with customers who have forgotten their passwords.

I guess my point is I don’t know what’s best to do about passwords either. I like the idea of one central place for everything I access to authenticate against. I don’t like the idea of that central authentication mechanism being out of my control (like Microsoft having the passport database of all my personal information to dole out to web sites and a list of sites that I have accounts with).

So-called “phishing” attacks are efforts by unscrupulous people to trick you into giving them information they can use to gain access to financial data (like your PayPal account name and password). All of these attacks boil down to stealing authentication information. It’s a big problem and getting bigger. I think good authentication may be one of the biggest challenges we face today.


Bad Security

Posted by Doug Tue, 01 Feb 2005 16:14:00 GMT

Here’s another insightful find from Bruce Schneier. This just makes me shake my head and laugh. How many computer security policies are the same?


Copyright 2001 - 2005 by Lathi.net and Doug Alcorn
