“Internet security is broken, and we need to roll up our cyber-sleeves and fix it.” — Becky Ferreira, in her recent Popular Science article exploring the problem with online identification today.
Last week, we discussed the growing problem of single password authentication and how passwords lack adequate protection for our online accounts. In an ideal world, we all would have a strong, unique password for each of our online accounts. However, the reality is that many of us keep the same, easy to remember password across multiple platforms. This leaves our personal information at risk for security breaches, identity theft, and other crimes.
As we highlighted in Part 1 of this post, groups such as Anonymous and LulzSec have recently hacked into organizations like Sony and even the U.S. government and released sensitive data to the public. Security breaches like these put a glaring spotlight on the problem we all have with keeping our web activities private and secure.
High profile incidents such as these are just pieces in the web of cyber-crime that plagues the lives of U.S. citizens. According to the U.S. Department of Justice, an estimated 11.7 million Americans were victims of identity theft of some kind including online identity theft over a recent two-year period.
The government has taken notice of the problem. On April 15, the U.S. Chamber of Commerce hosted the launch of a Whitehouse initiative entitled National Strategy for Trusted Identities in Cyberspace (NSTIC).The goal of the initiative is to create a joint public and private effort toward finding effective solutions to problems plaguing the online authentication process. NSTIC is designed to enable the development of “trusted credentials,” a term which refers to any method considered to be more secure than a single password.
The proposal comes soon after nominal efforts in the private sector to solve the problem. Google led the way in February by introducing their optional two-step authentication process for Google accounts. A two-step process combines two things in online authentication: something you should know (password) and something you should have (a device).
Once a user opts into this Google service, the password is only the first step. Users then also have to enter a verification code that is sent via phone, text message, or mobile application. A potential hacker would not only need to know your password but would also have to have access to your device that receives the verification code.
Google’s solution is a step in the right direction, but it is also somewhat cumbersome. In reality, most users won’t adopt a new process unless they are forced to.
But what are other private companies doing? Unfortunately, not much. Last week the tech blog Gizmodo requested that “Facebook and Microsoft and Apple start taking on this challenge in earnest.” Sites with tens of millions of users have a responsibility to their members to protect them.
For users who want to take their security into their own hands, security tokens are a noteworthy example of a “trusted credential.” A security tokens is a device that displays a unique passcode that changes about once per minute. In order to gain access to their accounts, users need to enter their traditional password and also the passcode displayed on the device in real time.
Unfortunately, even security token providers can be hacked. EMC, the makers of the security token SecurID, admitted in an open letter to customers this past March that they were victim to “an extremely sophisticated cyber-attack.”
Yet another solution that attempts to make our passwords more secure is the advent of applications like 1Password. This program not only creates strong and unique passwords for your myriad of accounts, but it also stores them for you, requiring you to remember just one. Every time you need to access an account, 1Password automatically enters an encrypted password directly into your web browser.
While we wait for emerging innovations to solve the growing problem of online authentication, let us ensure that your current passwords are strong and well-protected from criminals. Here are a few tips that should help:
- Use numbers, upper and lower case letters, punctuation marks, and symbols.
- Change your password frequently. Experts recommend doing so every 3 months.
- Avoid writing passwords down. Whether at home or in the office, having written passwords offers them to an unauthorized person on a silver platter.
- Use a unique set of letters – nothing personal like your name, pet, date of birth, or the city where you live.
- Do not use the same password for any of your highly sensitive accounts – including email, banking, finance, etc.
We will keep you up to speed with the newest technologies that may help protect your online accounts from unauthorized access.
But we also want to hear from you.
Please share your comments and suggestions so that we may, with your help, build a safer online community for everyone.
Comments: