In 2005, the Federal Financial Institutions Examination Council stated:
“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.”
Here we are in 2011, six years later, and well over half a billion records have been breached. And while it is true that not all of the compromised records were held by financial institutions, or were accounts considered “high-risk transactions,” many of those breached accounts have resulted in financial fraud or account takeover.
Back in 2005, you might have had two to five accounts that required you to create a username and password in order to log in. Today, you may have 20 to 30. Personally, I have over 700.
The biggest problem today is that people most often use the same username and password combination for all 20 to 30 accounts. So if your username is name@emailaddress.com and your password is abc123 on one website that ends up getting hacked, it is easy enough for the bad guy to try those same login credentials at other popular websites, just to see if the key fits.
The quick and simple solution is to use a different username and password combination for each account. The long-term solution is for website operators to require multifactor authentication, which may include a one-time password sent by text message, or a unique biometric identifier.
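A defender-side counterpart to the scenario above, added here as an example and not part of the original post: when credentials leaked from one site are replayed against another, that site's login log shows a single source trying many different usernames in a short time with mostly failures. The log format, the thresholds and the sample lines are constructed assumptions for this demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: "<ISO timestamp> <source ip> <username> <result>".
# One IP tries six different usernames in seconds and gets one hit: replayed leaked credentials.
SAMPLE_LOG = """\
2011-06-01T10:00:01 203.0.113.7 alice@example.com FAIL
2011-06-01T10:00:02 203.0.113.7 bob@example.com FAIL
2011-06-01T10:00:03 203.0.113.7 carol@example.com OK
2011-06-01T10:00:04 203.0.113.7 dave@example.com FAIL
2011-06-01T10:00:05 203.0.113.7 erin@example.com FAIL
2011-06-01T10:00:06 203.0.113.7 frank@example.com FAIL
2011-06-01T10:05:00 198.51.100.2 alice@example.com FAIL
2011-06-01T10:05:09 198.51.100.2 alice@example.com OK
"""


def parse_log(text):
    """Yield (timestamp, ip, username, succeeded) for each log line."""
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def find_credential_stuffing(text, window=timedelta(minutes=5),
                             min_users=5, max_success_rate=0.5):
    """Return {ip: details} for IPs that tried >= min_users distinct usernames inside
    one window with a low success rate; 'compromised' lists accounts that still got in."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = None, 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than the window
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            ok_count = sum(1 for _, _, ok in span if ok)
            if len(users) < min_users or ok_count / len(span) > max_success_rate:
                continue
            if best is None or len(users) > best["distinct_users"]:
                best = {"distinct_users": len(users), "attempts": len(span),
                        "compromised": sorted({u for _, u, ok in span if ok})}
        if best:
            hits[ip] = best
    return hits
```

The accounts listed under "compromised" are the ones whose reused password fit; those are the accounts to force through a reset or a second factor before any further access.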
Until that time, the three best tips for creating a password that is easy to remember but hard to guess are as follows:
Strong passwords are easy to remember but hard to guess. “Iam:)2b29!” consists of ten characters and says, “I am happy to be 29!” (I wish).
Use the keyboard as a palette to create shapes. “%tgbHU8*” forms a V if you look at the placement of the keys on your keyboard. To periodically refresh this password, you can move the V across the keyboard, or try a W if you’re feeling crazy.
Have fun with known short codes or sentences or phrases. “2B-or-Not_2b?” says, “To be or not to be?”
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
1 user commented in "Username and Passwords Are Facilitating Fraud"
You are absolutely right that people should create passwords that are strong and secure. And as you mentioned, it is important that people have different passwords and usernames for different accounts. At Symantec, we think that staying safe online requires vigilance and education on the part of the user, so posts like this are very helpful. While usernames and passwords are the first line of defense while online, we have also been working to make two-factor authentication more effective and easy to use, so users can feel safe interacting online, knowing they are protected by more than just their username and password.