Are passwords our best security option?
Last week, Steve Bass described in his TechBite newsletter how someone cracked into his PayPal account, hitting him up for $400. Fortunately, Steve caught the theft in time to have the bogus charge reversed, but reading about Steve's experience made my blood turn cold.
The fact is, people get their online accounts pilfered every day. But this is Steve Bass we're talking about. I learned more about PC security from Steve while we worked together at PC World than I have picked up from any other 10 so-called experts. I know how careful he is when making purchases at the corner grocery store, let alone on Web sites.
If Steve Bass can have his virtual pocket picked, it can happen to anyone--and I mean anyone. When I finished reading Steve's tale of woe, I was left thinking, "There's gotta be a better way."
Well, for right now, maybe there isn't a better way to protect ourselves online than using strong passwords that we change regularly. About a year ago, I presented several tips on using passwords. Steve's article goes that blog post one better by including links to Microsoft's password checker and instructions from the company on how to craft strong passwords.
I'm willing to accept the fact that passwords are the best data-security option today, but they're far from perfect, primarily because of the human factor. Either our passwords are too easy to guess or we're too willing to share them, whether inadvertently (by writing them down where others can find them) or on purpose.
My notebook computer (which is currently in the shop; more on that later this week) has a fingerprint scanner embedded in the case. I used this scanner to log into my Windows account for many months, but then the reader started to flake off, refusing to accept my finger swipes and requiring that I type in my password anyway.
It didn't take long for me to abandon the fingerprint reader entirely. I have a feeling that other password alternatives--biometric or otherwise--have similar shortcomings. It might be possible to make one of these access-control technologies more reliable, but doing so could make the cost prohibitive for PC vendors.
Since we'll likely be relying on passwords to secure our systems and data for some time to come, we need to keep in mind that cyberthieves are getting trickier and trickier in the techniques they devise to coax our passwords out of us. Even as we become more mindful of the attempts to steal our passwords, we have to prepare for the day when ours will fall into the wrong hands.
Keep a close eye on those credit-card statements and charges to online accounts. Don't hesitate to contact the financial institution involved if you suspect you've been victimized. Don't think that a strong password--or even a world-class password-management utility such as RoboForm--is all the protection you need on the Web. (You can read more about RoboForm and Siber Systems' other password-management products in Steve's newsletter.)
Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET Blog Network, and is not an employee of CNET.






PayPal offers a hardware token solution to its members for a small fee, as do some other sites.
Not only that, but there are various personal devices such as phones and PDAs that we all carry around 24/7 these days - those would all be viable as an additional authentication factor.
Finally, it's not just the security of passwords, but the information we provide in order to be able to RESET passwords - several months back there was an article on this: http://www.itworld.com/tech-society/54193/beware-meta-password-reuse
It is therefore a BIG problem (defined by size of population it affects + change in behavior it causes + commercial impact it has) and one we KNOW is not going to be fixed by password length, complexity or challenge questions.
So we developed a visual login that eliminates passwords and yet is effective against the prevalent forms of hacking. Unlike other products that charge, it's free, usable, secure and works on multiple computers. It remembers the passwords that the average user can't, and fills in your forms so you don't have to.
Check out the frisbee catching tortoise video at www.vidoop.com
Passwords are still the best way because you can add numbers, and now symbols to them. After that, you can add AES encryption to the password, taking a hacker years to decipher the password.
On top of that, you only need 1 password and keep the rest in an AES encrypted software package to remember them. A password should follow a tune or a pattern that you will always remember rather than having to write it down. Also, it should be commonly used for the same reason.
- by macejv March 14, 2009 4:41 AM PDT
- From my point of view, the best safety and security option must come from our actual computers. We need to have on our computers powerful antiviruses, antispyware and Windows registry cleaners and optimizers (like jv16 PowerTools 2009). It is most important to start from our own apparatuses, not from any other thing (passwords are also important, but not so important as presented in the blog post).