My Digital Identity

Sharp Perspectives on Identity, Security, and Privacy

Passwords are a Failure

March 2005
The Password Is Fayleyure
Today’s password schemes are unworkable and offer little security for users.
By Michael Schrage

Under Review: Password selection for Yahoo! Mail etc.

PokeKey1…ou812$…twasbri11ig!. All were favorite passwords of mine long ago. The first is the name of the puppy I briefly had as a child. The second was shamelessly lifted from a Van Halen album cover. The third, you’ll recall, opens Jabberwocky. I must have typed each one hundreds of times.

Looking back, I feel like an idiot for believing my wittily “unguessable” passwords enhanced my security in any meaningful way. Password protection is pervasive, annoying, inconvenient, and does little to deter anyone intent on doing harm. But you can’t gain legitimate access to many services without it.

There is growing consensus that strong authentication is needed since relying just on passwords isn’t meeting requirements.

The Mindful Blogger

A useful summary of what a blogger needs to consider before going on the record.

Internet publishing builds a reputation, for better or worse, and there is no eraser.

BusinessWeek Online
You Are What You Post
Friday March 17, 4:23 pm ET
By Michelle Conlin

One drizzly night in Seattle in 2001, Josh Santangelo was hanging out on his computer, clicking through an obscure Web site called Fray. After reading a post that asked if anyone had ever had a bad drug trip, the 22-year-old straightened up and began banging away. “Actually yes, about 36 hours ago…” he wrote. “Two Rolls Royces and four hits of liquid later, I was at a Playboy-themed birthday party with a head as dense as a brick…. It’s hard to say no,” he explained, “when a pretty girl is popping things into your mouth.”

Missing Children DNA samples

On TV yesterday there was a story about missing children quoting figures of 40,000 per year as runaways and 17,000 being abducted or missing for some other reason. The missing children organization that was being interviewed advocated a child identity kit that included identity information to be kept up to date and included a DNA sample collected from the child. The kit was to be provided to authorities if a child went missing.

Here are some other examples of this trend:
http://www.sfuo.org/uin.html
http://www.fingerprintamerica.com/c_genetikid.asp

Digital Signatures

Some background information on digital signatures from Entrust

Entrust Resources
Digital Signatures

Digital Signatures are Best Practice for Electronic Communications and Transactions
Digital signatures powered by public-key infrastructure (PKI) technology are widely recognized as best practice for ensuring digital verification for electronic transactions. Digital signatures are the most effective, secure, and easy-to-implement method of providing verification while enabling electronic transactions. The benefits of PKI-powered digital signatures include knowing:

whom you are dealing with (identification)
who is authorized to access what information (entitlements)
you have a verifiable record of transaction (verification)
Recognized in legislation around the world
Increased awareness of security and privacy issues is resulting in national and international legislation on privacy and digital signatures, as well as industry-specific regulations for selected broad verticals. Examples of such legislation in the United States alone include the Electronic Signatures in Global and National Commerce Act (E-Sign), the Uniform Electronic Transactions Act (UETA), the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB) Financial Services Act, and the Government Paperwork Elimination Act (GPEA).

The broad adoption of digital signatures built on Internet security foundations is now generally acknowledged. The infrastructure build-out is currently underway, and the scale is enormous — for example, the U.S. Department of Defense has requested $700 million in funding from fiscal year 2000 through 2005 solely for Internet security development (Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, GAO, February 2001).
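
As an added illustration of the identification and verifiable-record properties the Entrust text lists (example code written for this page, not Entrust's and not the blog's own), the following Go program signs a constructed transaction record with Ed25519 and shows that altering the record after signing, or checking it against another party's key, makes verification fail. The record fields and the party names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed sample record; the fields are illustrative only.
type Transaction struct {
	From   string `json:"from"`
	To     string `json:"to"`
	Amount int    `json:"amount"`
}

// SignedTransaction is the record plus the signature over its JSON encoding.
type SignedTransaction struct {
	Tx  Transaction
	Sig []byte
}

// SignTransaction signs the JSON encoding of tx; struct field order is fixed, so both sides encode identical bytes.
func SignTransaction(priv ed25519.PrivateKey, tx Transaction) SignedTransaction {
	msg, _ := json.Marshal(tx) // strings and ints always encode
	return SignedTransaction{Tx: tx, Sig: ed25519.Sign(priv, msg)}
}

// VerifyTransaction checks the signature against the key the verifier already trusts for the
// claimed sender (identification); any change to the record after signing fails (verifiable record).
func VerifyTransaction(stx SignedTransaction, trusted ed25519.PublicKey) bool {
	msg, _ := json.Marshal(stx.Tx)
	return ed25519.Verify(trusted, msg, stx.Sig)
}

// Demo returns the verdicts for a genuine record, a record altered after signing, and a wrong key.
func Demo() (genuine, tampered, wrongSigner bool) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, _, _ := ed25519.GenerateKey(rand.Reader)
	stx := SignTransaction(alicePriv, Transaction{From: "alice", To: "bob", Amount: 100})
	forged := stx
	forged.Tx.Amount = 100000 // alter the amount after signing
	return VerifyTransaction(stx, alicePub), VerifyTransaction(forged, alicePub),
		VerifyTransaction(stx, malloryPub)
}

func main() {
	fmt.Println(Demo()) // true false false
}
```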

Cards, Agents or Avatars

InfoCards are a much-needed development for simplifying and unifying the security and privacy interactions that people are starting to have online.

Although this is a much-needed step, and challenge enough in itself to propagate and refine, I can’t help but think that what is ultimately needed is not just a card but an agent that implements policies aligned with user and enterprise requirements. Despite some early difficulties with animated character helpers, what may eventually be adopted by a significant group of people who have more complicated interactions online is a trusted advisor avatar.

Despite the fascination that identity, security and privacy issues hold for people in the field, the average Joe “just isn’t that into you, security” and many may prefer to delegate. The challenge will be to have enough involvement by users that there is informed consent.

Who to Trust Online?

I have recently done some research on trust and reputation in the online world and how you can differentiate online between the good guys and the bad guys. Google can be helpful but you need to decide which sources you believe.

It started with a computer article about not needing to upgrade HW/SW as a lifestyle (against geek convention), which recommended a life skills course.

A description of the course curriculum, which might be interesting to people looking for self-improvement.

After a Google search, some info was obtained that strongly indicates this is a cult that could cause serious problems.

http://skepdic.com/landmark.html

http://www.rickross.com/reference/landmark/landmark87.html

http://www.apologeticsindex.org/l30.html

http://www.rickross.com/reference/landmark/landmark26.html

Another example, like Ginette’s lawyer story, of the advantages of using Google to avoid scams and to check into things.

There is also a group that is categorizing web sites as a way of warning people of possible dangers. They have a plugin for Firefox which will indicate whether sites are dangerous from a computer malware point of view. The big question is how authoritative and trusted they can become and what criteria are used, especially in the grey areas.

http://www.siteadvisor.com/

I had a nasty experience with some fake video codec software that turned out to be malware. This software actually provided notices that there was malware present and suggested paying for a program they provided, which just installed more malware. SiteAdvisor provides some cautionary indicators for spyaxe.net (**My warning is don’t download this software**) but it doesn’t actually provide a serious enough warning in my opinion. What I would recommend as one of the good guys for spyware prevention – pandasoftware.

Google research on what a variety of people are saying is still needed to get a more complete picture. The question with Google searches is whether the Google ranking is a reliable indicator of the authoritativeness and trustworthiness of the source. Since Google rankings are based in part on the number of links, they are not directly based on authoritativeness but rather on the assumption that most people link to sites that they think are useful, accurate, or worthwhile. This can also be misleading, since people can manipulate the rankings in various ways and notorious sites might also get a lot of links.

This same issue of authoritativeness and trustworthiness is also played out on projects like Wikipedia, since anyone can contribute information. A pessimist (realist?) might think that this type of approach would lead to a lot of inaccurate and misleading, if not just graffiti-type, information. The amazing thing is that the information developed is actually in general quite good (check it out for yourself on a subject you have some knowledge about) because there are more good people who care about providing and correcting information that is good and truthful than there are who want to mislead and distort for their own purposes. Maybe there is some hope for the democracy of caring online. Nevertheless, we should not leave this to chance but look for improved ways of tipping the odds in favor of the good guys. There are some exciting things happening with social networking and online identity that could help address this increasingly important area.