Honest. I heard there were some pictures of some celebrities leaked on the Internet. I didn’t seek them out, so it is hearsay, of course. My wife mightn’t have been too happy if I’d sought out those photos.
The photos were allegedly taken from an Internet photo site. I have heard that the thieves guessed the answers to the accounts’ security questions to get in. Last time I wrote about this I commented on the weakness of security questions, and I haven’t changed my mind. Unfortunately, I doubt that those whose pictures were shared read that post, and I doubt they will read this one. Neither they nor the millions of other people who rely on these questions will get the message here or anywhere else.
I watched the news coverage of the photo leak. The discussions centered on whose fault it was, the thieves’ or the celebrities’. Some blamed the thieves because they stole the images. Others said it was the celebs’ fault for not using good security and for storing the images online in the first place. Sadly, few outlets called in security folks to really stress the danger of answering security questions with easy-to-guess answers. (As far as I can tell, “few” means “none” here.)
In Learning Tree Course 468, System and Network Security Introduction, we discuss easy-to-guess passwords, PINs and security questions. People laugh when I say you shouldn’t use the name of the dog whose picture you post on Facebook each evening. But if celebs use their dog’s name and that pet is talked about online, it is just like giving out the password: the “secret” answer is already public, and an attacker only has to read, not guess.
This is why two-step authentication is a winner. If you must have your phone (or a hardware token) to obtain a time-based code, a guessed password or security-question answer alone no longer gets an attacker into the account. One caveat: the extra step only helps if the site’s account-recovery path does not let someone bypass it with those same security questions. The downside is that it is also time-consuming (another few seconds, but still…) and requires locating the phone, entering the PIN, opening the app, and so forth.
It would be so cool if there were something better. A hard-to-spoof biometric scheme for websites that was so inexpensive, dependable and simple that it quickly became ubiquitous would be wonderful. I haven’t seen such a thing, though, so two-step will have to do.
What do you think? Do you love two-step auth? Do you have a better idea? How can we get the word out about weak passwords, security questions and PINs (in addition to getting folks to take Learning Tree Course 468, System and Network Security Introduction, which is not for everyone)? Let us know in the comments below.
To your safe computing,