What do you think of this idea-- two passwords. Already having an extra password could affect the security of your account, but keep listening. One password would be fancy and stuff that you wouldn't use anywhere but in your own privacy, and you wouldn't have to change it very often. The second password would be shorter, simpler, and you would change it all the time (or whenever the system told you to), and you would use it in public places and anywhere where it could easily be found. Of course, this second password would be optional. Feedback?
Kinda like a security question, Danny? (Just in a password format?)
More useful would be a one-time password that you can set up in advance from your private computer.
Then, you can use a public computer to log in to PayPal, and if there's a keystroke logger attached to that computer you won't have your account siphoned.
Not having to enter any password would be the ultimate usability. Is this feasible for websites, with some additional hardware? Maybe some retina-checking camera connected to some neutral server which hands out tokens to other websites? :)
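The "set up in advance on a private computer" one-time password in the post above, written out as an added example (this is not code from the thread; the class and function names are ours). It uses a hash chain in the style of Lamport / S/KEY: the user's machine generates the chain and prints the codes, the server stores only the last link, and each login reveals one earlier link. A keystroke logger that captures a code cannot replay it, because the server has already rolled its stored link back past that code.

```python
import hashlib
import secrets

# Added example: hash-chain one-time passwords (Lamport / S/KEY style).
# The seed never leaves the private computer; only the chain links do.

HASH = hashlib.sha256


def make_chain(seed: bytes, n: int) -> list:
    """Return [H^1(seed), H^2(seed), ..., H^n(seed)].

    The user keeps H^1 .. H^(n-1) as printed codes and registers H^n
    with the server. Codes are spent from the end of the list backwards.
    """
    chain = []
    link = seed
    for _ in range(n):
        link = HASH(link).digest()
        chain.append(link)
    return chain


class OtpServer:
    """Server side: stores one link and accepts only its preimage."""

    def __init__(self, anchor: bytes):
        self.anchor = anchor  # H^k(seed) currently on file

    def verify(self, candidate: bytes) -> bool:
        # Accept exactly the code whose hash is the stored link, then
        # move the stored link back one step so the code cannot be reused.
        if HASH(candidate).digest() == self.anchor:
            self.anchor = candidate
            return True
        return False


def demo() -> list:
    """Constructed walk-through: register, log in, replay, log in again."""
    seed = secrets.token_bytes(32)          # generated on the private computer
    chain = make_chain(seed, 5)
    server = OtpServer(chain[-1])           # server learns only H^5
    codes = chain[:-1]                      # user's printed list H^1 .. H^4

    results = []
    results.append(server.verify(codes[-1]))  # H^4 from a public machine: accepted
    results.append(server.verify(codes[-1]))  # keylogger replays H^4: rejected
    results.append(server.verify(codes[-2]))  # next login with H^3: accepted
    return results


if __name__ == "__main__":
    print(demo())
```

The codes would be printed as hex (or encoded as short words, as S/KEY did) for typing on the public machine; the server-side check is a single hash, so it needs no secret at all, which is what makes the scheme suitable for a "neutral" server.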
All possible with OpenID
http://openid.net/
I like Roger's idea. Banks can do this with credit card numbers right now. If you make a purchase with a virtual credit card number and that number gets out, it wouldn't affect you, because it was a one-time-use credit card number.
Actually, even better would be to be able to use one of the RSA keychains to get part of your new password each time you log in. Part of the password changes each minute so if someone did grab your password, it would be useless the next minute.
http://farm2.static.flickr.com/1095/1107234113_690170a658_o.gif
:) I just bought a DS with a 3v voucher. A virtual credit card. Maybe Joe could give me his number sometime for Animal Crossing?
> Not having to enter any password would be the ultimate usability.
Now that's a great example of lateral thinking, and in principle there are several ways in which it might be done. I don't think the retinal scanner will work though, because it's prone to a "man-in-the-middle" attack where the retinal image is captured and replayed later.
To overcome this, the website would need to give you a unique instruction each time, such as "blink twice, then look to the left". But that's almost as much hassle as a password.
> I don't think the retinal scanner will work though, because
> it's prone to a "man-in-the-middle" attack where the retinal
> image is captured and replayed later.
I think the real question is not whether it is safe, but whether it is safe enough. Someone who watches over your shoulder in an internet cafe (or who installed a cam anywhere on the ceiling) will be able to capture your Google Account password. Is getting a hi-res retina pic of you really easier?
But the retina is just an example. A webcam authenticating a "3D picture in front of the webcam that moves and looks like you" might also be feasible. I've seen this with BananaScreen screen locking... http://www.bananasecurity.com/
Biometrics are always the best solution, but they're hard to implement... Just avoid checking your mail everywhere if you don't really need to. A good solution would be ... err... Just kill everybody near those public computers, shoot the cameras, blind the windows and lock the door. Connect directly to the router, disconnect any other computer before connecting yours. Use a live CD. Reset your connection to get a fresh new IP. Use Firefox. Connect using secure HTTP. Run in circles. Use a very long password (more than 40 characters). Or just take some risks :)