The password problem

On October 6, 2013, in Security, by

I was helping someone with signing into their online medical account today.  They couldn’t remember their password and we had to call to get assistance. 

We found ourselves talking to an outsourced help desk.  Because we couldn’t answer the security questions properly (the account was originally set up by her husband who has since passed away), the password will have to be reset via mail. 

The experience showcased to me how passwords are not the greatest authentication process.  Too much personal information can be accessed by a person on the other side of a phone line who is probably not even in this country.

We need better processes and better ways to authenticate.  As we move to more and more online, we’re not solving the password problem.

 

3 Responses to The password problem

  1. Rick says:

    Funny you should mention that:
    https://www.grc.com/sqrl/sqrl.htm

  2. Dana Epp says:

    I agree 100% Susan. But you knew that. 🙂

    Estate planning for your digital demise isn’t always the happiest thing to be thinking of. I wrote about that earlier this year:

    http://blog.scorpionsoft.com/blog/2013/05/estate-planning-for-passwords-in-case-of-your-digital-demise.html

    This is where password management really comes into play. And I am not talking about those personal password managers that your partners, colleagues or loved ones won’t have access to. I wrote about that too:

    http://blog.scorpionsoft.com/blog/2013/09/if-you-got-hit-by-a-bus-tomorrow-who-has-your-passwords.html

    In many systems, especially systems for banking and healthcare, its important to consider other options. Like single sign-on (SSO). Even if the site doesn’t offer enterprise-class SSO with SAML, you still can use systems with web-password assisted SSO. That’s a neat feature in AuthAnvil with the SSO Assistant; it fills in the passwords for you, but stores and secures the password on the server, and not in your browser.

    Just an FYI. You already have access to all this with your license to AuthAnvil. Doesn’t help your friend very much at this point in time… but its something to think about for you in the future.

  3. Joe Raby says:

    SQRL doesn’t fundamentally change anything, and introduces more problems:

    a) You need a smartphone – another piece of hardware.

    b) The smartphone has to be protected. And that means either a password or a PIN. That leads us back to main problem. And if the smartphone is compromised (iOS isn’t looking too good on this front either) then there is no improvement to security whatsoever.

    The problem with passwords is the human equation: people don’t remember them. Technology isn’t a solution to that, because the safest place a password can be stored is in your head. What you think of as biometrics is a misnomer because using a password is the biometric measurement of your memory. Conventional biometrics have their own problems though: they require additional hardware sensors, are computationally expensive, and are prone to misidentification.

    The argument about personal information is definitely something you have to take into account with biometrics though. Do you trust a company with your physical details? What happens when an advertiser, or worse, an insurance company, gets ahold of your physical traits?