Zoli has this great post discussing security and password issues for web users. Like Zoli, I’m just like 61% of Internet users, using the same userid/password combination on all my sites. Recently we were visited by an old friend who has been working within banks in their IT departments. When discussing this with her, she responded with incredulity, stating that banks themselves are some of the least secure IT environments and that one shouldn’t be confident that the password one uses for internet banking is really secure.

Of course all this plays into the hands of the single sign-on proponents, who claim that the only real way to have an easy and secure system is to sign on once (using a really, really secure password combination) to a global site and then authenticate subsequent sign-ons from there. I’ve written about it before in relation to internet banking, but the same applies to all other login situations.

Zoli suggests a few possible solutions:

  • Use the same, or very few userid/password combos on all sites, so we can remember them without having to write them down or physically store them in any form. 
  • Use some variation of the basic credentials, simple enough to remember the actual “algorithm”,  i.e. some characters from the site name combined with your own “standard” keywords. 
  • Use different credentials on every site, preferably strong ones. 
  • Use different, strong credentials, and use a “password manager” system. 

Obviously the last two options are best, but the third requires a great memory (or written reminders) while the fourth requires some industry cooperation (and what are the chances of that).

In this in-the-clouds world this is an issue of much importance – anyone else have any thoughts on this?

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.

  • 1. All remote connections are insecure. It’s just a matter of how far attackers will go.

    2. Passwords that people can remember are good because people can remember them and typically don’t record them on post-it notes, on the back of business cards in their wallets, etc.

    3. Strong passwords – which are mostly meaningless to users – get recorded in plain form and are a significant security risk.

    Of your suggestions above number one is crazy as passwords are often available to people working for banks, etc.

    Two is a good idea as long as the technique for “encoding” the password isn’t inherently obvious to people at the other end (i.e. 3b4y for your ebay password would suggest 4m4z0n for your amazon password and vice-versa – NB: the risk gets greater the more places you use your “technique”)

    Three is impractical unless one has an extremely good memory.

    Four is IMO the best method. Steel on Mac is excellent. Password safe on PC (see http://www.schneier.com/passsafe.html)

    The National Bank here in NZ has a pathetically-insecure login for internet banking – as I have told them on many occasions: one customer number plus password, which can easily be compromised via a keylogger. Most banks, etc., that are serious about security overseas have moved to safer login processes. Rabobank here aren’t too bad with their 2-factor login.
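To make option 2 and Robin’s 3b4y/4m4z0n objection concrete, here is a short added example (mine, not code from the original post or from any of the commenters). It models the “algorithm” approach as a leetspeak site name plus a fixed keyword, shows how an attacker who sees one leaked (site, password) pair recovers the keyword and derives the passwords for every other site, and contrasts it with option 4, where each site gets an unrelated random password so a single leak tells the attacker nothing about the rest. The site list, the keyword “!Kiwi7” and the leet substitution table are constructed for illustration and are assumptions, not anything from the post.

```python
import secrets
import string
from typing import Dict, Optional

# Assumed substitution table for the "algorithmic" scheme (option 2):
# letters of the site name are leeted, then a fixed personal keyword is appended.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def scheme_password(site: str, keyword: str) -> str:
    """Option 2: derive a per-site password from the site name plus a fixed keyword."""
    return site.lower().translate(LEET) + keyword


def infer_keyword(site: str, leaked_password: str) -> Optional[str]:
    """Attacker's view: given ONE leaked (site, password) pair, recover the fixed
    keyword if the password follows the leet-site-name scheme, else None."""
    prefix = site.lower().translate(LEET)
    if leaked_password.startswith(prefix):
        return leaked_password[len(prefix):]
    return None


def derive_other_sites(site: str, leaked_password: str, other_sites) -> Dict[str, str]:
    """Attacker's next step: reuse the recovered keyword to guess every other site's
    password. Returns an empty dict when the leak does not fit the scheme."""
    keyword = infer_keyword(site, leaked_password)
    if keyword is None:
        return {}
    return {s: scheme_password(s, keyword) for s in other_sites}


def manager_password(length: int = 20) -> str:
    """Option 4: an unrelated random password per site, as a password manager
    would generate. Uses the OS CSPRNG via the secrets module."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def attacker_hit_rate(actual: Dict[str, str], leaked_site: str) -> float:
    """Fraction of the victim's OTHER passwords an attacker guesses correctly
    from the single leaked site's password."""
    others = [s for s in actual if s != leaked_site]
    guesses = derive_other_sites(leaked_site, actual[leaked_site], others)
    hits = sum(1 for s in others if guesses.get(s) == actual[s])
    return hits / len(others) if others else 0.0


# Constructed sample data (assumption for the demo): four sites, one keyword.
SITES = ["ebay", "amazon", "paypal", "gmail"]
KEYWORD = "!Kiwi7"

SCHEME_VAULT = {s: scheme_password(s, KEYWORD) for s in SITES}
MANAGER_VAULT = {s: manager_password() for s in SITES}


def demo() -> Dict[str, float]:
    """Compare how much one leaked eBay password gives away under each approach."""
    return {
        "option_2_scheme": attacker_hit_rate(SCHEME_VAULT, "ebay"),
        "option_4_manager": attacker_hit_rate(MANAGER_VAULT, "ebay"),
    }


if __name__ == "__main__":
    print(SCHEME_VAULT["ebay"], "->", derive_other_sites("ebay", SCHEME_VAULT["ebay"], ["amazon"]))
    print(demo())
```

Under the scheme, the leaked eBay password "3b4y!Kiwi7" yields "4m4z0n!Kiwi7" for Amazon and every other site, so the attacker’s hit rate is 100%; with per-site random passwords the leak derives nothing. The more sites the same “technique” is used on, the more a single breach is worth, which is exactly Robin’s caveat.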

  • Ben,

    Thanks for quoting me here. Let me be clear though, #1 was not a suggestion, but a re-iteration of the bad, old habit. Robin is right, #1 is crazy; in fact I myself said it was a timebomb waiting to explode. 2-3-4 are real options, IMHO.

    Thanks again:-)

  • Thanks for the correction Zoli – now I must do something about those passwords of mine…..
