We – the users – are supposed to be responsible, and are told what to do to stay secure. For example: “Don’t use the same password on different sites.” “Use strong passwords.” “Give good answers to security questions.” But here’s the troublesome equation: more services used = more passwords needed = more user pain… which means it only gets harder and harder to follow such advice. Why? Because security and practicality are in conflict.

But they don’t have to be. As someone who has studied millions of passwords and how they were constructed – I’ve spent most of my waking hours for over a decade obsessing about authentication methods – I say we can have both security and practicality.

And it starts with recognizing that a lot of security advice hurts more than it helps.

...

One common suggestion is taking a word, let’s say “Elvis”, and replacing letters with digits to get “3lv1s”. While this makes a password memorable – presuming we won’t forget Elvis – it doesn’t make it that much more secure. Because everybody makes changes just like that.

...

So how do we select strong and memorable passwords? Here’s how: Think of a story, something weird and memorable that happened to you. Like that time you went jogging and stepped on a rat (ugh). Your password? “JogStepRat”: Your personal story boiled down to three words. If this really happened to you, you won’t forget. And no one else can guess it – unless you’ve told everyone that story, but then you’d just pick another, more embarrassing source story you’d never share!

This approach isn’t just conjecture: It works. It’s been tested at a large scale, and this type of password has twice the bit security of an average password. I kid you not.

About the author: A security researcher, Dr. Markus Jakobsson is one of the main contributors to the understanding of phishing and crimeware. He holds over 50 patents and 100+ pending patents; is a co-founder of four startups spanning user authentication, mobile malware detection, and secure user messaging; and has published a collection of books. Jakobsson is Principal Scientist of Consumer Security at PayPal.
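The two claims above (digit substitution adds little, a three-word story adds a lot) can be made concrete with a word-aware strength estimator of the kind password meters use. The following is an added illustration, not code from the article or from its author: it undoes common letter-to-digit substitutions, segments a password into dictionary words, and scores it as log2(dictionary size) plus log2(number of substitution spellings) per word, falling back to a plain character-class estimate when no word structure is found. The word list, its assumed real-world size (50,000) and the substitution table are constructed for the example; the absolute numbers are model outputs, not measured bit security.

```python
import math
from itertools import product

# Constructed toy word list standing in for a common-words list; the estimator
# pretends the real list has DICTIONARY_SIZE entries (an assumed figure).
DICTIONARY = {"elvis", "jog", "step", "rat", "password", "love", "dragon", "monkey"}
DICTIONARY_SIZE = 50_000

# Letter -> characters commonly substituted for it ("3lv1s"-style mangling).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def unleet(token):
    """Dictionary words that `token` could be a substitution-mangled spelling of."""
    choices = []
    for ch in token.lower():
        opts = {ch}
        for letter, substitutes in LEET.items():
            if ch in substitutes:
                opts.add(letter)
        choices.append(opts)
    candidates = {"".join(p) for p in product(*choices)}
    return sorted(w for w in candidates if w in DICTIONARY)


def leet_variants(word):
    """Number of distinct spellings of `word` under the LEET table (plain spelling included)."""
    n = 1
    for ch in word:
        n *= 1 + len(LEET.get(ch, ""))
    return n


def segment(password):
    """Word-break: split into the fewest dictionary words (after unleeting); None if impossible."""
    s = password.lower()
    n = len(s)
    best = [None] * (n + 1)  # best[i] = cheapest segmentation of s[:i]
    best[0] = []
    for i in range(1, n + 1):
        for j in range(max(0, i - 8), i):  # cap piece length to keep product() small
            if best[j] is None:
                continue
            words = unleet(s[j:i])
            if words and (best[i] is None or len(best[j]) + 1 < len(best[i])):
                best[i] = best[j] + [words[0]]
    return best[n]


def estimate_bits(password):
    """Return (estimated bits, explanation) under the word-aware model."""
    words = segment(password)
    if words is None:
        # No dictionary structure found: assume the attacker must brute-force
        # the character classes present.
        charset = 0
        if any(c.islower() for c in password): charset += 26
        if any(c.isupper() for c in password): charset += 26
        if any(c.isdigit() for c in password): charset += 10
        if any(not c.isalnum() for c in password): charset += 33
        return len(password) * math.log2(charset), "brute force over character classes"
    # Per word: which word it is, plus which of its substitution spellings was used.
    bits = sum(math.log2(DICTIONARY_SIZE) + math.log2(leet_variants(w)) for w in words)
    return bits, "words: " + " + ".join(words)


if __name__ == "__main__":
    for pw in ("3lv1s", "JogStepRat", "x#Q9"):
        bits, why = estimate_bits(pw)
        print(f"{pw:12s} ~{bits:5.1f} bits  ({why})")
```

Running it shows why the substitution trick buys so little: all 18 spellings of “elvis” cost the guesser only about four extra bits on top of the word itself, while three independently chosen words each cost a full dictionary lookup.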