Comments on: Password juggling no more?

It's high time for a better way to protect my identity online, CNET News.com's Mike Ricciuti says. I'm sick of yellow stickies.

There must be a better way - yes indeed.

Products that exist today and help in password juggling are: password managers.
Some of them (SignupShield by protecteer.com) are fine tuned to help users fight Phishing. They do so by alerting them in real-time when they are about to be "phished out - allowing them to abort submission of sensitive information"

Password managers do not completely solve the problem but they are a very good interim solution until better infrastructure is inplace.

[wahooyahoo]

Its the Money

Gates and his counterparts talk the talk, but the bottom line is money. We get protection when enough money is involved. Notice microsoft's stock prices lately??

[lauchlinmac]

Alas, Your Savior Hath Arrived

Keepass is a great FREE program to store passwords. Not only that, but it can CREATE passwords using an algorithm involving the movement of your mouse. One password to get into the program and access all of your passwords.

Another great thing if you have a thumb drive, you can store your password on the thumb drive, essentially creating a "key" to start your password database. This is an absolutely awesome program, and will allow you to send those sticky notes to yellow note heaven.

Use "Roboform"

It's a small price to pay (about $20 I think). It keeps all your usernames and passwords in one place, will generate(and then store) random passwords for you.
It has the best form filler I have seen, I don't have to fill out web forms any more when I buy something on line. It can fill in 95% of a form it has never seen before.
All protected by a master password (and I store all the Roboform data on a USB stick on my keyring, so always have it with me).
It's superb!
--
Jules
I have no connection with roboform whatsoever, am just a very happy customer.

There is a better way ...

Here at Sxip we have designed
and built a system available as Open Source that lays the
framework. Ironic that in order to comment on this story, I
needed to create yet-another-account! :)

[mwrisner]

Local Smart Access ... What About Remote?

The push is underway to control local access to workstations. But what about all those 'Net IDs and passwords? I'm not certain I want the information on my smart card explicitly sent over the Internet or WAN, encrypted or otherwise. Smarter people than me need to address this issue better.

[Itsya]

Yahoo security has been breached and they won't fix it.

It has been a while since I worked for Cable and Wireless, and even though I got a Trojan back door worm in 1999 and had to rip up my computer this is the worst disaster I have had. Please help me, my Yahoo (paid) account was hacked and Yahoo has autoresponded, and finally I got one response from a human, they have no phone access
and I am still blocked from using my account because they refuse to recognize my information so I can't change my password--therefore I can't use my account, that has all my information, address book, photos. Please help me try to figure out a way to make Yahoo accountable and get my to my account. Thanks
Isabella Hale
mustomusto@yahoo.com
(emergency back up account)

[broadacres]

Password juggling?

I came up with a simple solution which works for me. I set up an Excel file to store all my passwords and logins. Now I have to remember only the password to this file.

It's who you are, not what you have the is the only answer here

Until interfaces are available that avoid tokens and all other paraphenalia this problem will never be solved.

After all security is about a gate keeper being convinced you are who you say you are. No amount of shared secrets addresses the total weakness of token based systems including RSA's/MSFT's approach.

The only system that comes close to closing this gap is biometrics with a liveness test, ps finger prints etc fail at this. The only system I know of to do this is speech based with a liveness test. For example, say this 'phase choosen from a 10,000 work dictionary' with speaker verification.

Check out www.vocent.com.

Biometrics might be on the right path

There is a flaw though.

People get injured and voices can change and body parts lost, ect. Compare this to the current system and it is far better, but still has the danger of creating some serious problems.

[Itsya]

I suspected that wish I had looked here

That is an interesting comment,, and I have been back here looking at responses about that Hacking which I will not remove from posting ever as long as I have a breath in me,, because Yahoo never did give any reason or satisfaction and I was permanently blocked out of my account that had all kinds of important personal information
anyway I did update my name so everyone wouldn't see it,,I will think about that

You Need USBs - Universal Security Biometrics

The major problem in security is the security measure itself. You're absolutely right about too many passwords - I try to be creative with logins and passwords for each site I register, because I fear one of the sites may get hacked and my identity revealed.

The solution can only come from a universally adopted/accepted/mandated security standard - even passwords have varying degrees of security (e.g. c|net requires only 6 letter/number combinations while others require at least 1 letter and 1 number and a special character as the login and password!!)

Smart cards and biometric devices (retina scan/thumbprint ID systems) are great, but every machine that accesses the Internet or computer network needs to have the interface. Can you imagine having a retina scanner for your Web-enabled wireless phone? Actually that might not be too farfetched.

But that too opens the can of worms screaming "RIGHT TO PRIVACY!" ... "RIGHT TO PRIVACY!" The more secure you want to be, the more you have to reveal about yourself. A Catch 22 of sorts.

Well I've rambled long enough. Thanks for reading.

true

What happens if a person digital pattern of their retina gets stolen? Anything hardware can do, software can emulate. That is a possibility and really makes biometrics a small increase in security over standard passwords.

[Itsya]

I hope that happens one day

In a utopian society,, I don't think it ever will, because those security measures using biometrics are still not secure, as seen on Sci Fi, but unfortunately those scary stories about retinas and thumbs, being stolen to hack into accounts could happen one day. And I am now asking a hypothetical question? Suppose you were in charge of say, Fort Knox gold bullion,,assuming there is still gold in Ft Knox :) and you were the person with the biometric key code, and I am not specifying, what that key code is, on your body somewhere and some friends inadvertantly blabbed, on the internet or bragged about "knowing the guy/gal who has the key to all the gold in Ft Knox" ,, then a bad guy,, and obviously this is in the not too distant future found out about this, via googling, or Zabba search or background check, or zoomed in on your house using Zillow, etc,,and since this is a computer audience, you know how easy that is to do, and he comes over and extracts the biometric code from you,,arrggh
The question is would you allow yourself to accept a biometric code of that magnitude?
I know I wouldn't, now go back and substitute,
Local bank Atm, vault, safe deposit box, Jaguar car, access to your companies computers in the 'chilled vaults', etc.. any of those scenarios for Ft Knox.
I know I wouldn't so I am not sure biometrics would work, and now that threw that out there,, since I am just an ordinary person,,non geek for a living,, I don't have an answer.. I hope someone does. Thanks for reading as well, have a good one, IH

phones perhaps?

I am not a very smart person but instead of making users carry
something additional, like a biometric device or random number
generating device- wouldn't it be easier to just use something
most of us already have? like a phone perhaps. Here's a link if
this interests you http://www.sftnj.com

Federated v. Centralized Systems

What's needed is a federated identity management system, not a centralized SSO. The untold story of Passport v. Liberty Alliance is the struggle between between centralized and federated systems.
See also this piece on federated identity management:
http://news.zdnet.com/2100-1009_22-5535345.html

The way starts with a digital identity

The better way starts with a permanent digital identity for individuals. This identity isn't just for managing passwords.

It includes your email address, web presence as well as digital passport and extends to your social networking personas.

Start with a permanent email and web presence. Stop using Yahoo, AOL or Hotmail. Use a self-branding identity like that offered by PW Registry (www.pwregistry.pw) which offers 100% of the world's surnames, ethnic groups and random strings. This will provide you with an ISP independent spam-free email address and personal website.

Then layer on a digital passport from identity Commons called i-names. This will handle your single sign-on and social networking activity.

You can start using these now and never have to change your address again.

Tom

[Itsya]

Federated doh, what?

Man that sounds too complicated and confusing and I hate the word "Federated" associated with anything as personal as a password or even biometric access.. sounds scary and intrusive, but what do I know I am a mere user.. ih