The Illusion Of Online Security
The age of passwords is over. That's the claim made in this month's "Wired" magazine. Most of us trust that a string of letters, numbers and characters is enough to protect our bank accounts, email and credit cards. But hackers are breaking into computer systems and stealing hosts of user names and passwords on the Web with increasing regularity. And because so much of our personal information is stored in the cloud, hackers can trick customer service agents into resetting passwords. Some Internet companies say the trade-offs between convenience and privacy are necessary to protect our data. Privacy advocates say that price is too high. Diane and her guests discuss the illusion of online security and whether you can make your accounts harder to crack.
Guests
founder of Privacy International.
technology reporter for the Washington Post.
information security expert and former hacker.

Comments
Excellent topic Diane.
First off, enterprises may talk of balancing convenience and privacy, but the truth is it is convenient for them to risk our privacy.
Security questions are a problem, just ask Sarah Palin. To prevent access to my accounts via this route I append a short series of letters and numbers, only known to me, to my answers.
I am particularly annoyed by the lack of consistency applied by the banking industry relating to password complexity. One bank will allow 6-10 chars, alphanumeric only, whereas another will require min 10 chars, of high complexity. A common standard should be adopted that would allow pass phrases. Long complex passwords weaken security as people will then write them down, putting themselves at risk; Richard Feynman running around the Los Alamos labs safe-cracking springs to mind here. He either found the PW written close by or found the combination was at the factory default, ah, the good old days...
I don't bank online.
The main lesson I have learned about passwords is longer is better for passwords, use all four character sets (uppercase, lowercase, numbers and special characters) and avoid dictionary words in any language. This is a handy tool for assessing how vulnerable a password is to a random brute force attack. https://www.grc.com/haystack.htm
I use Last Pass to generate and remember passwords that I can't remember but are as secure as I can make them.
It's an honor to hear Kevin Mitnick's voice after the way the government treated him during his incarceration.
Isn't it too soon to say, "The age of passwords is over"? It's not as though fingerprint authentication or other biometric authentication is common at this point. Passwords remain the primary access control. If it's over, what has replaced it and what is the new norm? It may be ending, but it's going to be a long process.
If I use the windows on-screen-keyboard app, will that prevent bad guys from getting my username and password when I login to secure login sites (https)?
While I am intimately aware of the security risks of using weak passwords and using the same passwords across multiple logins, I am suffering from password fatigue. One site requires one method, another uses something completely different - and honestly, I just don't care anymore.
I have had enough of every site requiring a login (including this one).
When will be able to use our thumbprint as a login and security measure for the Internet?
A difficulty I have is not being able to see my password as I type it. Just a series of dots means I don't know exactly what I typed. It is so easy to make a simple mistake! The vast majority of the time there is no one to look over my shoulder. Is there no possibility of using readable passwords?
Why not discuss some of the real alternatives that are available on many sites today? The most security-conscious sites implement optional two-factor authentication like a mobile authenticator. If major banks were truly serious about protecting your security, all of them would have a smart phone app generating a time-cycled authentication code to use in addition to your password.
Using password manager software is necessary, since we all have multiple passwords. I wonder, though, if it allows us to access the accounts without using the password manager, once we started using them.
When doing anything sensitive online (banking, trading...) I use a dedicated PC that does ONLY that and only goes to very few banking web sites, no email, nothing else and only ONE user. Keep your old PC for that (with a new hard drive though), no need for a lot of computing power for these tasks. Still, complex random unrelated passwords ("home made") are a must, as well as good security software.
What do you think about storing passwords on Fill forms/ My Last Pass Vault?
Carla Brazil - Dallas, Tx
What all your guests are saying is don't make it easy. If they want to get to your data through the front door, at least raise the chance of them getting caught.
Can you have the experts comment on Windows vs Apple machines' security on password management and browsers?
The discussion seems to be focused almost entirely on Prevention. When I was in Counter Intelligence, we were taught that not only multiple layers of preventive security were needed, but they were only delaying devices, and needed to be supplemented by frequent Detection security rounds.
Hello, great show!! This past weekend I was looking on eBay for a cell phone and got a great price but when he sent me the info he needed to send the phone I wanted:
- I must have an upgrade availability and to confirm he wants
- last 4 digits of my SS
- acct # to my cell phone acct
- password to my cell phone acct
- email addy
- he wanted me to call him
I responded to him via eBay that people must be out of their minds to give him that info.
You know that he's been doing this on eBay since 2006 and has over 4000 positive feedback. You have to know he must be selling this info to someone!!!
thanks for your response
On iPhone one can use a four number password for access. If this number is not entered in ten tries all of one's data can be erased. Does this not make it reasonably safe to keep one's passwords in the iPhone notes "app"?
Tuned in late today, but this has something to do with security and can maybe be used on another show. (love your show by the way) Why is it that you need a pin number for debit, but not for a credit card? If a credit card is stolen, anyone can use it just about anywhere. At Target and Walmart, you just swipe and go. Anyone could order anything online because you have the 3 digit code on back of the card. If a pin was needed, it would be useless to steal a credit card. Why hasn't Master Card or Visa thought of this??? Seems so logical to me. Thanks.
Another fearmongering and impractical discussion about something the average person has no time for or control over. Things are this way because corporatism is predation. We can have no individual security or privacy under such a regime. In Egypt this would spark revolution, but here it is accepted. We are passive receptive ruminants.
I pass!
One of your guests today on computer security mentioned a free download to check your computers for vulnerability. I was driving at the time and was not able to write this suggestion down. Please respond to this request by Facebook so I can get that information. Thank you.
It is important to remember that the safest computer is one that is not even plugged in, and is locked in a safe. It is also useless. The most useful computer is on the internet and has no security and is the most vulnerable. What one must decide is where along the usability/security curve works for them.
Thanks for the article. We all need to be more proactive about our personal account security. I agree that passwords should be a thing of the past. The fact that we are still living in a password ruled world is frustrating. Almost everything is still only password protected. But ultimately the fact is passwords (strong or not) do not replace the need for other effective security control. The only real solution is to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will be of help to their customers if they implement some form of a two-step or two-factor authentication where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this, if they were to try to use the "stolen" password and don't have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.
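Two of the comments above ask for a second factor: the earlier one wants a phone app generating a "time-cycled authentication code", the one just above wants a two-step login that a stolen password alone cannot pass. The following is an added illustration, not code from the show or any commenter, of how such a code is produced and checked on the server side using the standard HOTP/TOTP construction (RFC 4226 / RFC 6238); the shared secret, the replay bookkeeping and the clock-skew window are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check: constant-time compare, small clock-skew window, no code reuse."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_accepted = -1  # highest counter already consumed (replay guard)

    def verify(self, candidate: str, unix_time: float) -> bool:
        counter = int(unix_time) // self.step
        for skew in range(-self.window, self.window + 1):
            c = counter + skew
            if c <= self.last_accepted:
                continue  # a code for this step was already used: reject the replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), candidate):
                self.last_accepted = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; a real deployment generates a random per-user secret.
    demo_secret = b"12345678901234567890"
    now = time.time()
    code = totp(demo_secret, now)
    verifier = TotpVerifier(demo_secret)
    print("current code:", code, "accepted:", verifier.verify(code, now))
    print("replayed code accepted:", verifier.verify(code, now))  # False
```

With the assumed secret, the RFC 6238 test vectors apply (for example, time 59 with 8 digits yields 94287082), which is a quick way to confirm an implementation before trusting it.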
Your guests mentioned several different software programs for password security. Would it be possible for you to post the names/links for the software discussed in the show?