Sunday 14 October 2012

Doing the Two-Step, Beyond the A.T.M.


BANK A.T.M.’s embody decades-old technology. A four-digit PIN? What a seemingly crude security system. Where are the uppercase and lowercase letters and the random punctuation that we are continually told are crucial to hacker-resistant passwords?
In fact, though, the four-digit numbers required to use cash machines are one element of an extremely strong security model that most of today’s Web sites fall well short of matching.
Think about it: An A.T.M. requires the presentation of both a physical card and a correct PIN. Web sites can and should follow this general principle of requiring two dissimilar things before access is granted.
After supplying the password, that second thing could be a code that arrives as a text message on one’s phone. A thief would find that stealing your password for a Web site was useless without also having your phone in hand.
The technical term for requiring something you know and something you have when trying to log into an online account is “two-factor authentication.” It’s also known as two-step verification.
If this system, using passwords and smartphones, were used on all limited-access Web sites, the passwords wouldn’t have to be long and complex. But many Web users have easy-to-guess passwords in just one-step verification, which is highly imprudent.
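The two-step check the article describes, as an added example that is not from the article or the newspaper: a salted password hash is the "something you know", and a short-lived, single-use code handed out only after the password passes stands in for the text message to the phone (the class, method names and the 300-second lifetime are assumptions).

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of an issued code


class TwoStepAuth:
    """Constructed demo of password-plus-one-time-code login."""

    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 hash)
        self._pending = {}  # username -> (code, expiry time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def start_login(self, username, password, now=None):
        """Step one: check the password. On success issue a fresh six-digit code.
        In a real deployment the code is sent to the user's phone; here it is
        returned to the caller to stand in for that out-of-band delivery."""
        if username not in self._users:
            return None
        salt, stored = self._users[username]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"
        issued = now if now is not None else time.time()
        self._pending[username] = (code, issued + CODE_TTL_SECONDS)
        return code

    def finish_login(self, username, code, now=None):
        """Step two: the code must exist, be unexpired and match. It is removed
        on every attempt, so each issued code allows exactly one try."""
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        expected, expires_at = entry
        current = now if now is not None else time.time()
        if current > expires_at:
            return False
        return hmac.compare_digest(expected, code)
```

A stolen password by itself only gets an attacker through `start_login`; without the code that went to the phone, `finish_login` never returns True.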
Nick Berry, president of DataGenetics, a consulting firm in Seattle, has analyzed the large password databases that hackers who have broken into various Web sites have publicly released. Among 30.3 million passwords he has found 3.4 million consisting of nothing but four digits. (It’s astounding that there are still Web sites that permit these. I always encounter password requirements that force me to choose ever longer, more complex strings of characters, numbers and punctuation marks.)
Some four-digit passwords are far more popular than others: “1234” alone accounts for almost 11 percent of these passwords; “1111,” an additional 6 percent. Repetitive patterns occupy many of the other spots among the 20 most frequent numbers. Lower on the list are numbers that are likely to be a year of birth or the four-digit rendering of the month and day of a birthday.
Source: NY Times

