Password Resetting Considered Harmful - duh!

September 1st 2008

It used to be that the default password was your mother’s maiden name, your SSN, your birthdate, or something like that. Now you have to pick a password, and your ‘password recovery’ questions are based on those same old stand-by questions. So you can still break into a person’s accounts by answering those classic questions.

There have been some interesting recent reports about the use of personal questions for password resetting, and Bob Sullivan has summarized them in a recent posting.

This problem will only disappear over time, as people learn how NOT to lose security credentials.

Posted under Information Security

Passwords, Open ID, and “Information Cards”

August 12th 2008

Randall Stross/Digital Domain has posted a NYT story on passwords, Open ID, and Information Cards.

The “Information Card Foundation” is only a few weeks old, and the technique is trying to solve problems with both passwords and Open ID. The posting roasts the old chestnuts about how bad passwords are (does anyone really need convincing?), then roasts Open ID a bit, and then introduces Information Cards, a slightly more flexible but still vulnerable technology.

Personally, I’m not convinced that Information Cards are any safer or easier to use than Open ID can be.


Posted under Information Security

Six Minute History of Information Security

August 3rd 2008

I have been reading the ACM’s Model Curriculum on Information Technology (a prototype “IT” major) with a special eye towards the information security coverage. I’ve been teaching information security courses and recently developed a major in the area.

The curriculum provides minimum times to cover major topics in the field, like 3 hours to cover “Fundamental Aspects” including the “history” of information assurance and security. After factoring out the other dozen ‘learning outcomes’ for that topic, one is left with six minutes to cover the “history” of information security.

Posted under History of Technology & Information Security

Mixed Bag: Lifehacker’s Top 10 Computer Annoyances

July 17th 2008

There’s some terrific stuff here. Unfortunately, it’s packaged with Internet-based password selection.

Get it straight: you’re only supposed to share your passwords with yourself and your keyboard. You aren’t supposed to ask your astrologer for one, or collect one from someone on the bus, or at a cocktail party. And never, ever from an Internet web site.


Posted under Information Security
