There's been buzz in computer hardware blogs over the past few days about how faster processors (and GPUs in particular) are rendering strong passwords "useless." One experimenter, named Vijay Devakumar, posted a description of his success at cracking passwords, which has been recently picked up by bloggers on
Saul Hansell of the Washington Post has posted an article about real time attacks on one-time password tokens like SecurID and SafeWord. The strategy is to steal a user's one-time password after it is typed in and redirect it to a hacker to exploit immediately. The attack relies on Trojan software that has installed itself in the victim's computer.
One time passwords were not designed to protect against this type of thing. Once you have that sort of trojan, there's no way to use your computer reliably. Attackers can intercept what you're doing, change it to benefit them, and you won't know what happened until you look at your bank statement.
The only way to protect against such things is to ensure that your computer has not been hacked. This is hard, since there are lots of ways to attack a computer and not nearly as many ways to protect it.
Here's the point: use strong protection on high-value targets. Take the time to protect your major e-mail account, your financial resources, and anything else you really value. If you're going to slack off, do it when registering to post a one-off blog comment.
Let me take a stab at my own list of recommendations.
Will Norris is working on a revision to OpenID for WordPress. This is good, and I have some observations and suggestions. At the moment the OpenID plugin works pretty well - I have separate logins delegated through domains I own. I routinely log in through OpenID for both routine and administrative activities.
These are design patterns in the Christopher Alexander sense rather than the object oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.
There are four patterns: local, direct, indirect, and off-line.
Thanks to Gary Krall, tech director of PIP at Verisign, I have a recipe for "works every time" OpenID delegation with their free PIP service. First, what is OpenID delegation?
Delegation lets you use your very own URL as your identity URL for logging in with OpenID. For example, I can use http://www.cryptosmith.com/ to log in to web sites. To do this, you have to provide some special statements (a.k.a. magic) in your HTTP files that redirects the OpenID process from your web site to the service that actually does your OpenID authentication.
Mozilla, like most responsible web browsers, pops up a warning if someone visits a secure web site where the site's crypto credentials have not been countersigned by a recognized certificate authority.
In Slashdot, Chandon Seldon arues that the Mozilla SSL Policy is Bad For the Web., which links to material by Nat Tuck saying, again, Mozilla SSL policy bad for the Web. The argument is that this policy violates net neutrality by forcing people into a commercial venue if they want their secure connections to be user friendly. The commentaries find this especially troublesome for nonprofit organizations.
This is nonsense. Net Neutrality is about connectivity. SSL is about security and assured identification. Web browsers pop up a complaint about authentication when they can't verify a site's identity - that's what the browser is supposed to do. SSL certificate management is the best affirmative defense in the Internet today and these suggestions will only weaken it.