Insecurity, Part Two
Last week's post (“Insecurity, Part One”) was getting a little long, so I left a few things out. One was very simple: keep your security information on paper, or hard copy as we used to say.
Or you could use a flash drive or any other medium that is not ordinarily connected to your computer, and is therefore portable. While it's disconnected it can't be hacked; the moment you plug it into a compromised machine, though, everything on it can be read, so plug it in only when you need it and only into a computer you trust. If it's paper, hide it well.
The other point I omitted was Two-Factor Authentication (or 2FA). This was recommended by all the experts interviewed in those news stories last week. Unfortunately, it confused the reporters.
It's supposed to work like this. You sign on to the site with your password, and then the site takes a second step (like sending you a one-time code) that you must complete before you're let in. This is meant to ensure it's actually you, and not someone who has merely learned your password.
The part that confused the reporters is where that second step goes. Google, for example, sends the code to your phone regardless of what device you used to sign on. In effect, that's two-device authentication, and it's deliberate: the second factor is supposed to be something you have, on a device the attacker doesn't control.
It might seem more sensible for the site to send its query back to the device you just used, so that it works even when you sign on from someone else's computer. But if that computer is the one that has been compromised, whoever captured your password will capture the code too, and the second step proves nothing. So carrying your security information with you (flash drive, hard copy) helps with passwords, but it can't stand in for the second factor; the price of 2FA is that you need your phone with you when you sign on.
If 2FA is a good idea, why not always use it? Well, for one thing, the site has to offer it. Currently I use over twenty sites requiring secure access, and only one of them offers 2FA. It hasn't really caught on.
So far, the things I've discussed are more work for you and me. The bigger question, which no one, not even the experts on TV, ever mentions, is this: why don't these sites do more to help us?
First, and most obviously, is their lack of imagination in providing Security Questions. Most of them seem only to copy from each other, and very few are unique to a single site. That matters: the same question, with the same answer, on every site means that one site's breach leaks the answer everywhere, and answers like a mother's maiden name or a first pet are often public anyway. Laziness?
As for passwords, why can't these sites check that we haven't used real words, or a password that has already turned up in a breach? Why can't they measure how random a password actually is, and tell us, so we can make better ones?
Not only that, why can't they tell us when a password has been in use too long? (Current official guidance, NIST SP 800-63B, actually discourages forced periodic changes and asks sites to screen against breach lists instead, but the point stands: the site, not the user, should be doing the checking.) Same goes for Security Questions. They could do all these things, but then they'd have to write some code. Guess our security isn't worth their time.
Next week, the really big questions. Why are we under attack? Who will protect us? Is there no hope for privacy?