Passwords should be a thing of the past

PRIME – July 2014
By Gary M. Kaye
Editor, In the Boombox (www.intheboombox.tv)

The recently reported huge data breach at eBay may bring the world one step closer to eliminating the ever more vulnerable password system that has been in place since the advent of the Internet. The breach itself was horrendous. It affected 145 million eBay users. The fact that eBay took the better part of a week before posting a notice on its homepage that users should change their passwords was simply shameful.

The hackers have made passwords obsolete. And many of the conventional responses for password protection are equally obsolete. Shortly after the eBay breach occurred, the McAfee division of Intel Security put out an advisory that included the following:

• Change your password often (at least once every three months).
• Do not use the same password for multiple sites.

Really? Many of us are developing short-term memory problems as it is. Is it really practical to remember all of our passwords for all of our sites – sometimes dozens of them? If you put it on a piece of paper, will you misplace it, or will that become another vulnerability? Worse, if you've been smart enough to put together an ICE Pack (In Case of Emergency) so your family can take care of your affairs if you can't, are you really going to remember to update your ICE Pack every three months? Let's get real. We need a better solution.

There are a number of password protection systems on the market. Unfortunately, none is perfect. Here are some of the most widely used:

• Password vaults;
• Fingerprint scanners;
• Facial and voice recognition;
• Hardware keys;
• Two-factor authentication.

Password vaults – There are dozens of so-called password managers, also known as password vaults or password keepers. Among the top programs: LastPass, 1Password, and KeePass. They all work in pretty much the same way. You can create very strong and complex passwords for each of the sites you visit or have accounts on. Then you create one password for the vault that's easy for you to remember. The net result is that the passwords for individual sites are very hard to crack. The downside is that if for some reason your computer or mobile device is compromised, you've effectively given up the keys to the kingdom.

Fingerprint scanners – For several years now, Lenovo has included built-in fingerprint readers in its premier laptops. The Apple iPhone 5S has a fingerprint sensor. So does the Samsung Galaxy S5 (though we've found it not quite as user friendly as it should be). You can also get reasonably priced add-on fingerprint scanners for your desktop or laptop. These scanners can protect your device, and thus any data that's stored on it. But there are ways to fool them, and sometimes they can be a little frustrating. They don't always get it right on the first swipe, or second, or third.

Voice and facial recognition – Most laptops, desktops, tablet computers, and smartphones come equipped with both microphones and webcams. That means you already have the means to do voice and facial recognition with the right program. McAfee, now part of Intel Security, is encouraging its users to move to its new program, LiveSafe, which incorporates both voice and facial recognition. But that system, too, is not without its limitations. While you can add people to your account, they must be able to access the primary machine to get themselves set up. That means if you want your child living hundreds or thousands of miles from home to have access to your protected data, you can't do it (until they come home for the holidays). But there are also other issues, according to a leading industry expert with considerable experience in the field: "It's worth noting that biometrics can be tricky. Noise lowers mic performance. Light or lack of light can make face recognition impossible. And, an expression change is required to not be tricked by a good photo or even a 3D model. More reliable is looking at the veins in your hand. You can read structure and the blood flow."

Hardware keys – Also known as tokens. These are hardware devices generally used by large companies so their employees can access secure data remotely. But there are less expensive hardware keys that come as USB sticks. In order to access your data, you need to have the device plugged into your computer. Among the makers of consumer-oriented tokens is SweKey. The idea is that you can always keep the token on your key ring. The drawback is that no one else can get to the data. In the event the key is stolen, it can be deactivated remotely.

Two-factor authentication – Also known as two-step verification. This is one of the safest and easiest to implement security measures, but it's up to the website to implement, not the consumer. Chances are you are already using some sites with this form of security. One means of implementation is with secret questions. So for example, when I log into one of my online financial accounts, after I enter my username and password, the system will ask me to answer one of five secret questions that I pre-selected, such as the name of my first pet, the name of my elementary school, my favorite candy, my first musical instrument, etc. In this case the system only asks me for the secret question if I'm logging in from a new computer, or if I haven't used the site in several days. A second form of two-factor verification is more active. For example, on some sites, when I log in, the site will send a text to my mobile phone with a code that I then have to enter to gain access. This is a fairly effective system, though it doesn't prevent someone from stealing my smartphone and accessing my data.

You should also take the advice of experts who say to regularly monitor your credit reports and your transaction histories for any unauthorized or unusual activity. But even once you spot them, getting those spurious transactions reversed can itself be a painful process.

And one last thing: McAfee Security expert Stanley Holditch points out that so-called phishing attacks aren't only through your computer. Be cautious about either phone or mail solicitations that start off with a piece of your personal information and then ask for even more.

The bottom line is that the Internet is still very much like the Wild West. And there is no sheriff, so you're pretty much on your own. You can follow any of the methods I've outlined, but there's still no guarantee of total protection.

Gary Kaye is the creator of In The Boombox (www.intheboombox.tv), the first website to cover technology from the Baby Boomer perspective. Kaye has been covering high tech for more than 30 years with outlets including NBC, ABC, CNN and Fox Business. He is a regular contributor to AARP and other websites on issues regarding the nexus of technology, seniors and baby boomers.