Tuesday, January 28, 2014 - Almanac Vol. 60, No. 20
The Password is Dead, Long Live the Password!
Ten years ago Bill Gates, the chairman and founder of Microsoft, made a bold prediction: "the password is dead." He was referring to the limitations of using a single, reusable string of characters to protect our most sensitive digital assets.
And Gates was right. Chances are good that you (or someone you know) have been the victim or target of password theft. Compromised email accounts are used to send spam to everyone in your address book. Hacked financial accounts are used to transfer money and redirect deposits. Exposed computer accounts can be used to steal data and commit identity theft.
Because of these motives, attackers have devised a number of ways to get passwords, including:
- Phishing, where they pose as a person or service (e.g., your IT support person or your bank) and ask you to email or enter your information in response to what looks like a legitimate communication.
- Malware that can log your keystrokes and send your passwords and account data over the network.
- Brute force, where they guess weak passwords one character at a time.
So what can we do? Bill Gates' admonition aside, it has been nearly impossible in the intervening decade to find a practical replacement to the password.
Fortunately, that has changed with the proliferation of smart phones. ISC is currently piloting Two Step Verification (two-factor) for PennKey. This service protects your PennKey by requiring both a password and a code generated on your phone (www.upenn.edu/computing/weblogin/two-step/). It is easy to set up, has little impact on your day-to-day experience, is a powerful antidote to stolen passwords and is available now to anyone with a PennKey. Multi-factor authentication is also available on many popular commercial services (such as Facebook, Google, Twitter, etc.).
For more information about Penn's Two Step Verification pilot, contact your Local Support Provider or firstname.lastname@example.org