Friday, September 19, 2008

Palin email hacked through password reset - educating America

We are truly in the twilight of the password.
BBC NEWS | Technology | Palin e-mail hack details emerge: "It is thought the attackers exploited the password resetting system of Yahoo's e-mail service."
Password reset mechanisms, like Google's brain-dead system, are one sign of the end time. Another is the insane security questions we're asked now. (Vanguard is particularly stupid in their use of a security question, but Fidelity wins the prize for the world's stupidest password policy.)

Geeks have known for at least 8 years that passwords were finished, and security analysts have known this for perhaps forty years. It takes a while for these things to trickle out though; we suffer from the tyranny of the mean in this as in so many other domains.

Palin now joins Paris Hilton in helping educate the American people how truly screwed we are.

The only good news is that two factor identification is starting to get out (though myOpenID's current implementation is aggravatingly wrong). Biometrics integrated with our cell phone has to be one piece of the puzzle; we can't get it fast enough.

Update 9/24/08: Schneier, under pressure, finally comments. Sort of. What can he say that he hasn't said well for many years? The sheer, unrelenting, stark stupidity of the "security question" makes any commentary pointless. Its persistence is a sign that we're reaching the end of the human run.