Got your NUDE SELFIES in the cloud? Two-factor auth's your best bet for securing them

Peter Fairbrother 1

2FA- solving the wrong problem

AFAICT, the recent Apple cloud leaks were caused by a password-guessing attack. In order to guess a password, the script tried 500 or so passwords for each username.

Now if Apple had been monitoring failed password attempts, and stopped repeated failed attempts, especially when a whole bunch of them for different usernames came from one IP location, this would not have worked. Apple were not using passwords in the right way.

AFAICS, Apple have now started to do this, which is why and how the attack has stopped.

Another method to defeat such attacks might be for the login username to be different from the public username, making it hard for an attacker to guess a login username.

More, if Apple had emailed the celebs saying that there had been several failed password login attempts, especially those from unusual IP addresses, and the celebs had said "I didn't do that" then Apple could have been on an especial watch (and could probably have caught the attackers).

Don't get me wrong, passwords are a totally shit method of identification, and a really bad method of authentication. But my banks use them online, along with other methods: one (Lloyds) sensibly, one (Tesco) in an overly paranoid manner which actually detracts from security.

And like PIN passwords for debit and credit cards, if used correctly online passwords seem to work well enough for money.

If I make repeated failed password login attempts to my banks they lock me out, and want me to contact them. Very sensible, if annoying. However yesterday I forgot my itv player password, and made several wrong attempts to log in - and got shut out for 30 minutes. I mean, WTF?

Passwords are useful in their place, sometimes with added password-type or other security when needed, sometimes not. Sometimes they are used in stupid ways - why does ITV Player need me to log in with a password anyway?

Passwords cannot usually protect against coercive attacks, but for everyday use where they are used appropriately and monitored suitably, they are still the worst - apart from everything else.

The real problem is that people do not use them appropriately.
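The failed-login monitoring the comment argues for (locking an account after repeated failures, spotting one IP that fails against many different usernames, and flagging accounts whose failures come from an address that has never logged them in), as an added example that is not part of the original post. The log format, the sample lines and the thresholds are all constructed for the example.

```python
from collections import defaultdict
import re

# Constructed sample auth log (not real data): one IP spraying five accounts,
# one account hammered from a second IP, and a normal user mistyping once.
SAMPLE_LOG = """\
2014-09-01T10:00:01Z FAIL user=alice ip=203.0.113.7
2014-09-01T10:00:02Z FAIL user=bob ip=203.0.113.7
2014-09-01T10:00:03Z FAIL user=carol ip=203.0.113.7
2014-09-01T10:00:04Z FAIL user=dave ip=203.0.113.7
2014-09-01T10:00:05Z FAIL user=erin ip=203.0.113.7
2014-09-01T10:00:06Z FAIL user=alice ip=198.51.100.9
2014-09-01T10:00:07Z FAIL user=alice ip=198.51.100.9
2014-09-01T10:00:08Z FAIL user=alice ip=198.51.100.9
2014-09-01T10:00:09Z FAIL user=alice ip=198.51.100.9
2014-09-01T10:00:10Z OK   user=frank ip=192.0.2.44
2014-09-01T10:00:11Z FAIL user=frank ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) ip=(\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, ip); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def detect(log_text, per_user_limit=5, spray_users=4):
    """Return (locked, spraying, notify) as sets: accounts with >= per_user_limit
    failures, IPs failing against >= spray_users distinct usernames, and accounts
    with failures from an IP that never logged them in successfully."""
    fails = defaultdict(int)           # user -> failed attempts
    users_by_ip = defaultdict(set)     # ip -> usernames it failed against
    fail_ips = defaultdict(set)        # user -> IPs with failures
    ok_ips = defaultdict(set)          # user -> IPs with successful logins
    for _ts, outcome, user, ip in parse(log_text):
        if outcome == "FAIL":
            fails[user] += 1
            users_by_ip[ip].add(user)
            fail_ips[user].add(ip)
        else:
            ok_ips[user].add(ip)
    locked = {u for u, n in fails.items() if n >= per_user_limit}
    spraying = {ip for ip, us in users_by_ip.items() if len(us) >= spray_users}
    notify = {u for u, ips in fail_ips.items() if ips - ok_ips[u]}
    return locked, spraying, notify
```

On the sample, alice is locked (five failures), 203.0.113.7 is flagged for failing against five different usernames, and frank gets no notification because his one failure came from the address he had just logged in from.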

Biting the hand that feeds IT © 1998–2019