A treatise on passwords in today’s New York Times.
Author Randall Stross says “Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.
The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.
In short, we need a log-on system that relies on cryptography, not mnemonics.”
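The kind of key-based log-on the quoted article calls for, as an added illustration that is not part of the article or this post: the device holds a per-site secret key the user never sees, the site sends a fresh random challenge, and the device's answer is bound to both that challenge and the site origin, so an answer harvested by a look-alike site is useless at the real one. The origins, the user name and the shared-key HMAC scheme are constructed for the example (a real deployment would use a public-key signature in place of the shared key).

```python
import hashlib
import hmac
import secrets

class Device:   # holds one random key per site origin; the user never sees or types it
    def __init__(self):
        self._keys = {}   # origin -> secret key

    def register(self, origin):
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]   # handed to that one site at enrollment (assumed setup step)

    def respond(self, origin, challenge):
        # The answer is bound to the origin the device is really talking to and to this challenge.
        return hmac.new(self._keys[origin], origin.encode() + b"|" + challenge, hashlib.sha256).digest()

class Site:
    def __init__(self, origin):
        self.origin = origin
        self._keys = {}      # user -> enrolled key
        self._pending = {}   # user -> outstanding challenge

    def enroll(self, user, key):
        self._keys[user] = key

    def challenge(self, user):
        self._pending[user] = secrets.token_bytes(16)   # fresh per login attempt
        return self._pending[user]

    def verify(self, user, response):
        c = self._pending.pop(user, None)   # single use: a replayed answer finds no challenge
        if c is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], self.origin.encode() + b"|" + c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def setup():
    device, site = Device(), Site("bank.example")   # constructed origin
    site.enroll("alice", device.register(site.origin))
    return device, site

def legitimate_login(device, site):
    return site.verify("alice", device.respond(site.origin, site.challenge("alice")))

def relayed_phish(device, site, fake="bank-login.example"):
    # A look-alike page (constructed origin) relays the real site's challenge to the victim's device.
    device.register(fake)   # the victim "enrolls" on the fake page with a key the bank never sees
    answer = device.respond(fake, site.challenge("alice"))   # keyed and labelled for the fake origin
    return site.verify("alice", answer)   # False: the bank's key and origin string do not match
```

Compare this with the password case in the article: a password typed into the look-alike page is the same secret the real site accepts, whereas here nothing the fake page collects verifies anywhere else.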
Librarian’s Password
Here is a password: PS3515E288
If I forget what it is, I look it up in our library catalog. The password is the Library of Congress call number for “Stranger in a Strange Land”.
Select a book that you can easily remember and use the call number as your password. Then, if you ever forget your password, you have a way to look it up without writing it on a sticky that goes on your computer monitor.
Password 2.0
I have some accounts where I input my password then the website gives me back some information to authenticate, I guess to let me know that the site I’m using is real: after I enter my password, the site shows me a picture of a zebra standing in a canoe, or something, and if I confirm that the zebra in the canoe is my counter-sign, then I log in.
I don’t know if I want to give a computer all of the power over protecting my identity; so far, I trust the zebra, but I don’t know if I’m smart enough to handle any level past that.
Per usual, there is a glaring disconnect with this idea: What about the millions of users out in the world who do not own or have sole access to a single machine? Or, at the other end of the spectrum, those of us who access sites from multiple machines? When your only computer access is through the multiple public terminals with varying IP addresses at your local library, machine-based encryption becomes worse than useless. Ditto for folks who switch from a laptop to a desk machine to a mobile device with any regularity. I wonder if the proposals for cryptographic log-ons take either of these conditions into account?
Perhaps when “One Laptop Per Child” becomes “One Device Per Person,” machine-based access encryption will make sense.