Using passwords can lead to a cascading failure where one leads to others. However, there is nothing wrong with using passwords. Social engineering is the real problem that people need to be wary of.
I keep my important accounts isolated so one does not lead to another. I do not use my bank income account for spending for example. I take money from that and deposit it into a totally separate, unrelated account for spending.
I’m all in favor of two-factor auth; however, the way that Gmail implements it – the second factor is “send a text message to your phone” – doesn’t work if you don’t have cell reception (my main work location is in a notorious cell phone hole), are in a location where you can’t have your cell phone (a SCIF or equivalent – think Apple’s secret research labs for a non-DoD example), etc. RSA’s SecureID key fobs, where you needed the pseudo-random number from the key fob PLUS a 6-digit memorized PIN at least had the advantage that you could take it anywhere; I haven’t heard what the status of SecureID is since RSA got hacked last year, though (I gave up my key fob several years ago – no more work at home!).
Really like the article’s takedown of biometrics, though.
There was something about an RSA token exploit earlier this year, I don’t remember the details.
I wouldn’t mind having something downloaded onto my laptop that would identify it to the banks–that’s a problem if my laptop is stolen and an inconvenience if I want to bank from some other location but it might help matters a bit. Smart phones are certainly smart enough to have some sort of validator built in, but smart phones are even easier to lose.
In (South) Korea, only old people use passwords . . .
Using passwords can lead to a cascading failure where one leads to others. However, there is nothing wrong with using passwords. Social engineering is the real problem that people need to be wary of.
I keep my important accounts isolated so one does not lead to another. I do not use my bank income account for spending for example. I take money from that and deposit it into a totally separate, unrelated account for spending.
I’m all in favor of two-factor auth; however, the way that Gmail implements it – the second factor is “send a text message to your phone” – doesn’t work if you don’t have cell reception (my main work location is in a notorious cell phone hole), are in a location where you can’t have your cell phone (a SCIF or equivalent – think Apple’s secret research labs for a non-DoD example), etc. RSA’s SecureID key fobs, where you needed the pseudo-random number from the key fob PLUS a 6-digit memorized PIN at least had the advantage that you could take it anywhere; I haven’t heard what the status of SecureID is since RSA got hacked last year, though (I gave up my key fob several years ago – no more work at home!).
Really like the article’s takedown of biometrics, though.
RSA tokens are still in use. I work for the Federal government, and that’s what we use. I think they have effectively tightened it up.
There was something about an RSA token exploit earlier this year, I don’t remember the details.
I wouldn’t mind having something downloaded onto my laptop that would identify it to the banks–that’s a problem if my laptop is stolen and an inconvenience if I want to bank from some other location but it might help matters a bit. Smart phones are certainly smart enough to have some sort of validator built in, but smart phones are even easier to lose.