Password Security Hard To Swallow

Passwords have to be the bane of modern life.  Along with Personal Identification Numbers (PINs) they must rank amongst the most evil of the necessarily evil  inventions known to mankind. 

Take PINs first - there's no end of people queuing up to take mine, judging by my spam folder.  I wouldn't mind, but I've just had one of those reminders from the bank - you know the one, asking who is banking with who?  Anyway, for something that has a mere ten thousand combinations, they don't half create some mayhem. 

We're encouraged to either use the number combinations provided by the card providers or to create our own while complying with some basic rules.  The first rule is to use the numbers provided by the card provider, for the simple reason that any guessable number combination is a pure coincidence.  To be fair, they are right and that's the best way to gather your card numbers, because mangling up your pet dog's date of birth is bound to become compromised sometime.

But we have so many of these darned cards these days and trying to remember all the relevant numbers for all of them is an almost impossible task.  In fact I tend to remember the shape rather than the numbers, so don't bother holding me up at knife point.  I might be able to draw you the PIN, if you get my drift, but it makes a mugging more like a game of Pictionary.  The weirdest number situation I found myself with a few years ago was two independent PINs sent by two separate banks that were identical.  I did run with those cards using the same PIN for a while, but inevitably one got compromised on PayPal and I forgot the other so now they are two completely different number sequences rattling around in my head along with all the others.

Then there's passwords.  General wisdom is at least eight characters, letter in mixed case, numbers and symbols, preferably a completely random collection.  Don't even think of writing them down anywhere, even in a code that GCHQ would struggle to crack, otherwise anything you use the password for is compromised and any losses are yours to absorb.  Don't forget to have a different password for each and every website you pass by now and then, plus your computer log in, that's right, those at work and at home.  And do change them at least once a month without reusing any.

I hate to point out that there are a finite number of such 8 digit passwords in the universe and currently I've used about half of them.

Google thinks there's a better way - well it seems clear that there are few worse options.  They've developed a tablet that interacts with your stomach acids to create a battery - that bit probably isn't too difficult although FDA registration is likely to be a bitch - they insist on a lot of documentation for anything like this.  I don't know if Google have considered the paper chase, but at least they've cracked the security, which is another FDA requirement.  Once the battery is up and running the pill uses the electricity to power an 18 bit code that can be used as a wireless password.  I'm guessing the pill interacts with some other part of the body's chemicals to create a unique signature but Google are being a little sketchy about that.  They don't mention how long the pill lasts for, either.  I don't fancy becoming a pill popping techno geek.  I don't even know what made Google think about Android tablets in the first place.

If popping pills isn't your idea of authentication fun - that sounds like some sort of adult party concept - then they've developed a method of authenticating using a tattoo.  For goodness sake, one minute we're told not to write the flipping things down, now Google want us to have them permanently painted on our ankles or butt.

Neither of these ideas are likely to feature in Google Android releases any time soon, according to the company - phew, I'm not sure I want 8 random letters, numbers and an obscure symbol that means infinity minus the number of cornflakes in my bowl this morning tattooed on a secure part of my body any more than I want to pop a pill every time I want to log onto my work account.

But Google do have one thing right in that we need to move on from collections of letters and numbers to authenticate our computers.  Conceivably our data is now more valuable than our savings and anyway the passwords and PINs give access to those anyway.  I'm not convinced I'll be slipping pills down my gullet any time soon but at least Google's thinking outside of the (pill) box.

------------------------------------------------------------------------------------

                                                          Visit my Book Website here

        Visit Project: Evil Website here                                        Visit DLF Website here

        Follow me on Twitter  - @RayASullivan

        Join me on Facebook -  use raysullivan.novels@yahoo.com to find me

Passwords Are Barking Up The Wrong Tree

There's an organisation called FIDO - yes, I know, it featured in at least one Scooby Doo episode and a couple of Tom and Jerry cartoons too - that wants to change the way we shop and interact generally with the internet.

You see, most on-line transactions are only relatively secure.  Sure, the retailers you use will have a secure server, there's encrypted messages and of course, your password.  I say password because most normal people have just the one, maybe two.  Because remembering Aunt Mabel's wedding anniversary and the title of the first film you ever saw in the cinema are difficult enough to remember.  Add another couple of random facts and your mind is going to meltdown.

In fact the industry would be rather pleased if everyone used passwords as complex as the one I've suggested - and if any wannabe hacker is looking up my family tree, I don't think I've ever had an Aunt Mabel.  I'd hate to waste your precious if illegally spent time.

But the reality is that remembering truly complex passwords - you know, random combinations of letters, numbers and punctuation marks - is hard work, especially if you have a lot of accounts out in cyberspace.  And it's not as though the holders of the secure servers have been immune to successful attacks over the last year or so.  Sony was hacked - that we know because they owned up.  There have been other high profile hacks recently, too.  My guess is not all organisations, when hacked, tell us.

This is where Michael Barratt, PayPal's Chief Information Officer comes in. Not content with working tirelessly at managing PayPal's information, he's also the president of the Fast Identity Online (FIDO) Alliance.

FIDO is keen to migrate us away from secure passwords because basically they're not really secure.  They note that while we may have a few very secure passwords we do have a habit of using them in a number of locations and therefore the password is only as secure as the least secure location.  They also realise that being mostly human, we'll continue to do this until we're all compromised.

So, what's better than a secure password?  No password, reckon FIDO.  They make the observation that most of us carry out our transactions on a limited number of devices - sure, you may hop onto a mate's iPad to bid for something on eBay once in a blue moon, but most of your online transactions will be on a finite and auditable number of computers.

They want us to migrate to FIDO enabled devices that use a combination of fingerprint matching, hardware tokens and USB memory sticks plus some trick software.  They've developed the standard and hope that FIDO enabled equipment will start shipping this year.

OK, details are necessarily scant, but for me I'm not wholly on-board.  I agree that passwords are an imperfect solution to the problem but I'm not convinced about the FIDO approach, either.  Fingerprints, while largely unique, are reproducible, hardware tokens sound like they will work until they won't, and that day will be the day I want to access my bank account, USB memory sticks are becoming persona non grata in many ways and software - don't talk to me about software.

There will be a way to solve this problem and biometrics will probably be part of it - as the FIDO fingerprint standard suggests - and I suspect that the solution will be simpler than the proposal.  I think FIDO do have a point about us using a finite number of devices and that insight is probably pure genius - maybe we will need a super password to access our stuff when away from any of our normal devices, but if a way of carrying out our transactions using our regular devices can be devised then that will make hacking harder.  After that it probably boils down to finding a sensible biometric we can use.  It may even be staring us in the face.

------------------------------------------------------------------------------------

                                                          Visit my Book Website here

        Visit Project: Evil Website here                                        Visit DLF Website here

        Follow me on Twitter  - @RayASullivan

        Join me on Facebook -  use raysullivan.novels@yahoo.com to find me

Hacked Off by Twitter

So, Twitter has been hacked and 250,000 Twitter accounts have been stolen by thieves described as professional and knowing what they are doing.  That's a relief, I worry about my personal details getting into amateur hands.

What are these thieves going to do with these Twitter accounts?  Well, given that there are approximately 450 million zillion Twitter accounts, of which only about ten percent are actually real, then first of all they're going to have to sort through them.  Some will be for pets and inanimate objects, many will be for the purpose of ranting at the world - hold that, most will be for ranting at the world, but some might be for real people who want to communicate.

Then, once they have worked out which ones are real, what then?  Well, they could try posting really witty, humorous tweets that will go viral.  This does happen in the real Twitter world but unfortunately it's a rare enough event as to make the occasional headline.

They could try shouting at people - buy my book, read my blog - you know the kind of stuff.  The upside is that nobody would notice the accounts had been hacked, the downside is that is what Twitter does already very well.

But what they could do, and this is serious, is they could try to use the hacked Twitter accounts to fool the recipients into launching dodgy websites that place malware and other nasty code on their computers.  Like that doesn't happen already - I've lost count of the number of direct tweets urging me to take a look at some alleged photo of me, LOL.  I guess, because like the vast majority of Twitter users I don't use it as actual social media but as a way of letting anyone who wants to know when my latest book or blog entry is released, I don't expect personal direct messages from my followers.  Plus, and I'm a realist in this, most of my followers do so out of the hope I will reciprocate and follow them (I tend to unless it's obviously a sales pitch account or a Daily Mail reader), in the vague hope that I will at some point read their book or blog entry (I do with some, in fact I use some to provide ideas for my own blog, and some are genuinely interesting tweets in their own right anyway).  But most I ignore, like most quite correctly ignore my tweets.

Now the guys and gals at Twitter are a pretty smart bunch - at least I couldn't put anything as slick together as they do so they are by definition, if at least collectively, smarter than me.  And I'm not totally stupid (I'm allowed at least one lie in every blog posting).  Anyway, they have identified the theft, unfortunately with the door swinging in the wind, and have alerted everyone who has a Twitter account (remember, that's lots of us) that 250,000 of the very many accounts that exist world-wide that their personal data has been nicked by thieves they describe as sophisticated and professional.  They have avoided giving anyone a clue as to who might be affected, so no matter where in the world or what your account name starting letter is, you'll just have to sit and worry that it's you.  And 249,999 others.

But they have told the world, which includes smart, sophisticated and professional thieves, that they will be sending a direct message to the 250,000 affected accounts, advising them to change their password.  Now this opens up two areas that will be of interest to thieves and scammers.  First, as they have the 250,000 account names they can pre-empt that message with one of their own that directs the affected people to a pretend Twitter page, let them change their details and, in a smart piece of finesse, then change the details with Twitter itself so that everything appears fixed to both ends.  Or they could leverage the fact that actually none of us know if the 250,000 accounts  are all located in one geographical area or could be narrowed down in some logical way.  Now I'm sure that any professional thief as accomplished as these appear to be can harvest a lot of the 450 million zillion Twitter accounts out there and send them all direct messages pretending to be from Twitter.  How would we know?  We don't know if we're on that finite but long list!

All I can say is that I haven't received a direct tweet since the theft, which probably means I'm not in the 250,000 accounts, so any direct tweet I receive now is likely to be from a scammer.  My advice is not to wait for the tweet, go to Twitter by your normal route, and change your password.  Now.

---------------------------------------------------------------------

I can, incredibly, be followed on Twitter - @RayASullivan  just b e prepared for me to shout about my books or blog entries, I'm working on the funny quip that will go viral, but please don't hold your breath.

or on Facebook - use raysullivan.novels@yahoo.com to find me

Why not take a look at my books and read up on my Biog here

Want to see what B L O'Feld is up to?  Take a look at his website here

Worried/Interested in the secretive world of DLFs?  Take a look at this website dedicated to DLFs here, if you dare!