Passwords and Human Nature
Trying to enforce a behaviour (different passwords for every site) on everyone is doomed to fail.
We need a better system, and it's not clear that biometrics are ultimately more secure.
Hackers have gained access to customer data on UK telco O2 – and put it up for sale on the dark web. The compromised data was likely obtained by using usernames and passwords stolen from gaming website XSplit three years ago in order to log onto O2 accounts. When the login details matched, the hackers could access O2 customer …
The problem, for me, with biometrics is that when (not if) data gets compromised, there is nothing I can do to change my credentials. If a password or PIN gets compromised, I can change that... if somebody gets hold of a scan of my eye, then having an eye transplant so that I can restore a level of secrecy is too big an ask.
"A password should always be something as undeniably private and secure as "What is the street you grew up on?" or "What is your pet's name?""
Nothing inherently wrong with those questions, apart from the subtle prompting to give an honest answer.
"Commiefascisttonyhangthebastard"* for example, would do quite well as an answer to both questions.
* Any possible connections to any persons or animals real or fictitious, living, dead or yet to be born are purely coincidental.
"... it's not clear that biometrics are ultimately more secure."
It's pretty clear that biometrics are not "more secure". At least until you master the trick of growing back a finger or an eyeball, and with different unique characteristics as well. Because the database that holds your biometric information will be hacked at some point.
From the original BBC News article this morning which broke the story (http://www.bbc.co.uk/news/technology-36764548):
"The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data in a process known as "credential stuffing"."
From Mr Leyden's carefully crafted piece which doesn't even acknowledge the BBC source:
"The compromised data was likely obtained by using usernames and passwords stolen from gaming website XSplit three years ago in order to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data through a process known as "credential stuffing"."
I've not bothered to compare the rest but this looks like pretty shoddy "journalism".
Another facepalm line from the Beeb report was:
"He said he had used the same email address and password for both these accounts and the one with O2, but has since changed them. Before this happened he had considered himself secure online and internet-savvy."
I wonder what he thinks 'insecure' and 'ignorant' look like? "Oh yah, my usual password is 'password', but for IMPORTANT sites I use 'Password1' "
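The "credential stuffing" the BBC and Register lines above describe (replaying username/password pairs leaked from one site against the login of another and keeping whatever matches) worked through as an added Python example. This is not code from either article or from any commenter; the accounts, the leaked dump and the domain names are constructed for the demonstration, and the site-side hashing (PBKDF2 with a per-user salt) is an assumption about how a reasonable site would store passwords, not a statement about O2 or XSplit.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real credentials): the users of a hypothetical
# telco site and the password each chose there.
TELCO_ACCOUNTS = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "Password1"),
    ("carol@example.com", "unique-for-the-telco-only"),
]

# Constructed dump from an unrelated site, as the attacker would hold it:
# plaintext (email, password) pairs. alice reused her password on the telco,
# bob used a different one there, dave has no telco account at all.
LEAKED_DUMP = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "hunter2"),
    ("dave@example.com", "Password1"),
]

PBKDF2_ITERATIONS = 50_000  # kept modest so the demo runs in well under a second


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash as a site should store it (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_store(accounts):
    """Store a random 16-byte salt and the derived hash per user.

    Salting means a copy of this store cannot be matched against other dumps
    offline. It does nothing against stuffing, because the attacker never
    touches the hashes: they replay the plaintext through the login path.
    """
    store = {}
    for user, password in accounts:
        salt = secrets.token_bytes(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def login(store, user: str, password: str) -> bool:
    """The site's own login check; the digest comparison is constant-time."""
    record = store.get(user)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


def stuffing_exposure(store, leaked_pairs):
    """Replay every leaked pair against the login path and report which accounts open.

    This is "when the login details matched" from the article, run here by a
    defender auditing a published dump against their own user base.
    """
    return sorted(user for user, password in leaked_pairs if login(store, user, password))


TELCO_STORE = build_store(TELCO_ACCOUNTS)


def demo():
    return stuffing_exposure(TELCO_STORE, LEAKED_DUMP)


if __name__ == "__main__":
    for user in demo():
        print(f"{user}: password reused from the leaked site, account would be taken over")
```

Only alice falls: her pair from the other site is accepted by the telco's login unchanged. Note that nothing the telco did wrong on the storage side enables this; the weakness is entirely the reuse, which is the point the thread is making. The same replay loop, run by a site against a dump that has just gone public, is a reasonable way to find which of your own users need a forced reset.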
All too often I'll create an account for something and find that they "need" all sorts of information before the account is valid ... and then if I get bored with the account and stop using it, it lives forever. The chances are that most of the people with accounts on the original site stopped using them after a few months.
FTA: "The incident underlines the dangers of password reuse, particularly among consumers."
It also shows the danger of reusing the same Date of Birth and address between websites.
Unless a website can completely justify things like DOB (e.g. Online Banking), they have no reason to demand it, as it's only going to be used for things like reclaiming your account should you lose access to it. Really it's just a second password, so use any suitable date as long as you can remember it.