Authentication and security have always been an issue with computers, but with the advent of the Internet and more recently cloud computing, plain old passwords just don’t seem to cut it any more.
I recently had one of my ISP e-mail accounts (which I haven’t used in years) get hacked. It was a simple password and I guess the brute force of one of the botnets finally cracked it. Not a big deal, as I said, the account was dormant and only a couple of old contacts were in it (in fact only one contact was still valid). I noticed the hack when I received the bounce messages into my main mailbox and looked into it.
Of course the first thing I did was to re-secure the account. I didn’t give it much more thought until I saw the announcement from Microsoft that they would be implementing two-factor authentication on Microsoft accounts.
At first this seemed like a really good idea: an application on your cell phone gives you the second factor and away you go. Then I thought about it some more. While I don’t use many cloud services that I have to log on to each day, every once in a while I do, and the thought of having to always have my phone with me and having to run an app just to log in seems kind of a pain.
Even if the phone is in your pocket you could still be taking an extra 10 seconds for each logon. If you do it 5 or 6 times a day, that’s a minute wasted. Stretched over, say, 10 years, that eats up 2.5 days’ worth of time.
And does it really add security? For weakly password-protected accounts, certainly. But if instead of two-factor authentication you used a longer password, would it accomplish a similar goal without causing such an impact in time? Let’s say I’m a reasonable typist: typing in an 8-character password probably takes 2 seconds, while a 24-character password would only take 6 seconds (probably a lot less once you get used to typing it). Practically speaking, a 24-character password will be impenetrable on any service that is even halfway decently configured to limit the attempts at brute-force attacks.
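As an added illustration of the arithmetic behind that claim (my own example, not from the original post), the script below estimates how long exhausting the password space would take for 8- and 24-character passwords. It assumes a 95-character printable ASCII alphabet, a constructed online rate limit of 10 guesses per second, and, for contrast, a constructed offline rate of 10 billion guesses per second against a leaked hash, which is where rate limiting no longer helps and only length does.

```python
import math

# Constructed assumptions, not figures from the post.
CHARSET_SIZE = 95                      # printable ASCII, one position
ONLINE_GUESSES_PER_SECOND = 10.0       # a lenient per-account rate limit
OFFLINE_GUESSES_PER_SECOND = 1e10      # cracking a leaked password hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int = CHARSET_SIZE) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(charset_size)


def years_to_exhaust(length: int, guesses_per_second: float,
                     charset_size: int = CHARSET_SIZE) -> float:
    """Expected years to hit the password: on average half the space."""
    expected_guesses = search_space(length, charset_size) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare(lengths=(8, 24)) -> dict:
    """Online vs offline expected cracking time, in years, per length."""
    return {
        n: {
            "bits": round(entropy_bits(n), 1),
            "online_years": years_to_exhaust(n, ONLINE_GUESSES_PER_SECOND),
            "offline_years": years_to_exhaust(n, OFFLINE_GUESSES_PER_SECOND),
        }
        for n in lengths
    }


if __name__ == "__main__":
    for length, row in compare().items():
        print(f"{length:2d} chars: {row['bits']:5.1f} bits, "
              f"online {row['online_years']:.2e} years, "
              f"offline {row['offline_years']:.2e} years")
```

With the rate limit in place even the 8-character password takes millions of years, which is the post's point; without it (a leaked hash) 8 characters fall in days while 24 characters remain out of reach.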
It also means I can access my accounts if I lose my phone, or leave it at home, or in any other situation where I may not have it with me.
Of course it doesn’t protect people who use easy-to-guess passwords, but they’re not the people who will use it anyway, so while it’s good to have as an option, I don’t think I’ll be converting over until I absolutely have to.