My project for 2020 is to create a password-free login that removes all the hard work of creating a secure password from the user.
Episode #10-21 released on January 5, 2020
HackRead put out an article just before Christmas listing the 25 most common passwords found in password dumps from compromised websites. Of the top 5, the first, second and fifth are variations of counting up from 1 to 9. This shows that a few things are still going on to this day.
The first issue is that people are still not taking password security seriously, and that dangerous attitude makes them more and more likely to get hacked.
The second issue is that the compromised websites had not yet enforced password rules that would keep those dangerous attitudes from being a problem, had refrained from using secure password and data security practices, and had placed users at further risk on other websites.
The one neat thing we have seen this year is that the most popular password is no longer "password"; it has fallen to fourth place. However, 123456 is now the most popular password, which is troubling. It isn't just an issue of ignorance, but of laziness, too.
There are some new ideas coming around that would make the traditional password a thing of the past. One example: single-use passwords sent via email or text message could replace the user-specified password. That would make hacking the account much harder for most illicit hackers, because the password would be neither stored nor created at the time of the breach.
Now, how could we make logging into a website safer?
Before I get into one possible safer alternative, I want to emphasize that nothing is going to be one hundred percent safe. We can only strive for the safest alternative.
First, every user needs some way of identifying their account. An email address is a nice idea, but usernames make the process safer, as they can differ from site to site, making it harder for anyone to take over an account on a web-site.
The second step sends a one-time password via email or text, which lets the user confirm, during the login process, that they are the correct user.
The final step is two-factor authentication, which should always be present; making it a requirement makes life safer. The safest method is an authenticator application that computes codes mathematically, but any two-factor method is better than none. In this final step the user provides the single-use token to confirm that they are the correct user, which safeguards the web-site from unauthorized entry.
Now, we cannot fix the text-to-cellphone security issue caused by SS7. However, if we deliver tokens by email and offer an OpenPGP option to all users, then we can protect the email from man-in-the-middle attacks. This means the entire loop, when combined with a math-based authenticator, can be rendered safer in that configuration.
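The three-step flow described above, as an added example in Python that is not code from the episode or its project: the function names, the in-memory store and the token lifetime are assumptions for illustration, and the "application with math" is taken here to mean a standard RFC 6238 TOTP authenticator.

```python
import hashlib, hmac, secrets, struct, time

TOKEN_TTL = 600  # seconds an emailed login token stays valid (assumed value)

# In-memory pending-token store keyed by username; a real site would use a database.
_pending = {}

def issue_login_token(username, now=None):
    """Step 2: create a single-use token to email the user; only its hash is stored."""
    token = secrets.token_urlsafe(32)            # 256 bits of entropy, unguessable
    digest = hashlib.sha256(token.encode()).hexdigest()
    now = now if now is not None else time.time()
    _pending[username] = (digest, now + TOKEN_TTL)
    return token  # goes into the email body, never into the database

def redeem_login_token(username, token, now=None):
    """Accept the emailed token once, within its lifetime, then discard it."""
    entry = _pending.get(username)
    if entry is None:
        return False
    digest, expires = entry
    now = now if now is not None else time.time()
    if now > expires:
        del _pending[username]                   # expired tokens are never reusable
        return False
    candidate = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(candidate, digest):  # constant-time comparison
        return False
    del _pending[username]                       # single use: gone after success
    return True

def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 time-based code: HMAC-SHA1 over the 30-second counter, then truncate."""
    counter = int((now if now is not None else time.time()) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret, code, now=None, window=1):
    """Step 3: accept the current code or one step either side to tolerate clock skew."""
    now = now if now is not None else time.time()
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))

def login(username, emailed_token, totp_secret, totp_code, now=None):
    """Full flow: the username identifies, the emailed token confirms, TOTP completes."""
    return (redeem_login_token(username, emailed_token, now)
            and verify_totp(totp_secret, totp_code, now))
```

Rate limiting of token and code submissions belongs in front of these functions; the TOTP test vector (secret "12345678901234567890", time 59) comes from RFC 6238.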
Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net