We all know that good passwords are essential for many services, and we've all got our own ways of creating and managing passwords. Of course, there are plans to do away with passwords using biometric scanners, face recognition, etc., but we're a long way away from that for all the different services we use. Just about every service requires a password these days, and managing passwords has been a pain for a long time, even if you use a password database tool: you have to make sure you have your database with you at all times, and, of course, as I discovered, the USB memory stick has to be resilient. Of course, I have a backup of the data, but I only had one copy with me, and somehow the memory on the USB stick became corrupted.
What about webmasters and system managers who manage users' accounts? There have been many high-profile examples of systems that have been compromised in some shape or form, with user details leaked, resulting in even more user grief. Whether those sites and services put real effort into protecting accounts is up for debate, but it's clear that many systems need hardening to help block access to the data in the first place, and then, if there is a break-in, how well protected is the data? (For passwords specifically, that means a salted hash computed with a deliberately slow algorithm, not plain text, and not reversible encryption that the same breached server can undo.) Here's some recently published information from the UK government on password guidance. [gov.uk]
Another aspect of designing an effective system is how easy or difficult it is for users to get password reminders or resets. Some services I've used seem to take an age to send a reset link or a new password, and others are pretty much instant. People shouldn't be waiting for their password reminders and resets. To get around e-mail sniffing, some services send a text message to your phone to confirm authorisation. This second factor is going to help under certain circumstances, but it relies on mobile phone signal and on the speed of text delivery, and SMS is the weakest of the common second factors, since a code sent to a phone number can be intercepted or redirected by whoever manages to take over that number. People don't like waiting.
I read today that users still continue to use weak and obvious passwords. For example, the partner cheating site [webmasterworld.com] that was hacked had over 120,000 users with the password "123456", 48,000 with "12345", and in third place 39,000 with "password" as their password. lol Additionally, almost 5 million users used only lower-case passwords.
Recently, I was watching a presentation where password hardness testing was being undertaken. It showed that good passwords can take many millions of years to crack, but the downside for users is that they are totally unmemorable; it also showed that many systems can't actually cope with some of the more sophisticated characters in passwords.
Can users be trusted with the choice of their own passwords? Are systems built to help users choose and use effective passwords that are more difficult to crack? Are webmasters and systems developers failing to give users adequate guidance on passwords, and relying on users to protect their own accounts?
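As an added illustration of what a system that does help users would look like (this is example code written for this page, not anything from the post's author or from the site discussed above), the following Python does three of the things discussed so far: it rejects the exact passwords named in the breach figures and lower-case-only or digit-only choices, it accepts any Unicode character by normalising and UTF-8 encoding the password rather than choking on "sophisticated characters", and it stores a salted PBKDF2 hash instead of plain text or reversible encryption. The blocklist, the 12-character minimum and the iteration count are assumptions chosen for the example; a real deployment would load a far larger blocklist and tune the iteration count to its own hardware.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

# Constructed blocklist for this example: the three passwords named in the
# breach statistics above plus a few other perennial favourites. A real
# deployment would load a much larger list from disk.
COMMON_PASSWORDS = frozenset({
    "123456", "12345", "password", "qwerty", "letmein", "111111", "iloveyou",
})

MIN_LENGTH = 12           # assumption: policy minimum chosen for the example
PBKDF2_ITERATIONS = 600_000  # assumption: tune so one hash costs ~0.1-0.3 s on your server


def normalise(password: str) -> str:
    """NFKC-normalise so that visually identical Unicode spellings hash identically.

    Treating the password as a Unicode string and encoding it as UTF-8 only at
    hashing time is what lets the system cope with any character the user types:
    nothing is stripped, truncated or rejected for being 'unusual'.
    """
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    pw = normalise(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if pw.isalpha() and pw.islower():
        problems.append("only lower-case letters")
    if pw.isdigit():
        problems.append("digits only")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the result is self-describing so parameters can change later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(password).encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(username: str, password: str, user_db: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Apply the policy at sign-up and store only the hash; returns (accepted, reasons)."""
    problems = check_password_policy(password)
    if problems:
        return False, problems
    user_db[username] = hash_password(password)
    return True, []


def login(username: str, password: str, user_db: Dict[str, str]) -> bool:
    """Look up the stored hash and verify; unknown users fail the same way as bad passwords."""
    stored = user_db.get(username)
    return stored is not None and verify_password(password, stored)


if __name__ == "__main__":
    db: Dict[str, str] = {}
    print(register("alice", "123456", db))                          # rejected, three reasons
    print(register("bob", "correcthorsebatterystaple", db))         # rejected, lower-case only
    print(register("carol", "caf\u00e9 Latte Supreme 2015!", db))   # accepted
    print(login("carol", "cafe\u0301 Latte Supreme 2015!", db))    # True: NFKC makes both spellings equal
    print(login("carol", "wrong", db))                             # False
```

The stored string carries its own algorithm name, iteration count and salt, so the iteration count can be raised later and old hashes re-hashed at the user's next successful login without a migration; and because verification only ever recomputes a one-way hash, someone who copies the user table still has to brute-force each password individually at the full PBKDF2 cost.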
Where does the buck stop when there's a hack?
When was the last time you reviewed your system security, and what tips do you have to help protect systems?