Username and Passwords Are Facilitating Fraud
In 2005, the Federal Financial Institutions Examination Council stated:
“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.”
Here we are in 2011, six years later, and well over half a billion records have been breached. And while it is true that not all of the compromised records were held by financial institutions, or were accounts considered “high-risk transactions,” many of those breached accounts have resulted in financial fraud or account takeover.
Back in 2005, you might have had two to five accounts that required you to create a username and password in order to log in. Today, you may have 20 to 30. Personally, I have over 700.
The biggest problem today is people most often use the same username and password combination for all 20 to 30 accounts. So if your username is name@emailaddress.com, and your password is abc123 for one website that ends up getting hacked, it will be easy enough for the bad guy to try those login credentials at other popular websites, just to see if the key fits.
The quick and simple solution is to use a different username and password combination for each account. The long-term solution is for website operators to require multifactor identification, which may include an ever-changing password generated by a text message, or a unique biometric identification.
Until that time, the three best tips to create an easy to remember but hard to guess string password are as follows:
Strong passwords are easy to remember but hard to guess. “Iam:)2b29!” consists of ten characters and says, “I am happy to be 29!” (I wish).
Use the keyboard as a palette to create shapes. “%tgbHU8*” forms a V if you look at the placement of the keys on your keyboard. To periodically refresh this password, you can move the V across the keyboard, or try a W if you’re feeling crazy.
Have fun with known short codes or sentences or phrases. “2B-or-Not_2b?” says, “To be or not to be?”
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.