Kill the Password: Why a String of Characters Can’t Protect Us Anymore | Gadget Lab | Wired.com

Kill the Password: Why a String of Characters Can’t Protect Us Anymore | Gadget Lab | Wired.com: “Think of the dilemma this way: Any password-reset system that will be acceptable to a 65-year-old user will fall in seconds to a 14-year-old hacker.”

Mat Honan nails it: the password system is irretrievably broken, and the only security any of us really have is our relative anonymity. We aren’t hacked because we don’t matter, not because our defenses are too strong. And we don’t get to decide if and when we matter enough to be hacked.

More quotes from the article:

Last spring hackers broke into the security company RSA and stole data relating to its SecurID tokens, supposedly hack-proof devices that provide secondary codes to accompany passwords. RSA never divulged just what was taken, but it’s widely believed that the hackers got enough data to duplicate the numbers the tokens generate. If they also learned the tokens’ device IDs, they’d be able to penetrate the most secure systems in corporate America.

Whoops! If the attackers really did get enough to reproduce the token codes, that SecurID fob on your keyring may not be protecting anything.

How about Gmail’s two-factor authentication? Honan tells the story of Matthew Prince, whose phone-based second factor was defeated by rerouting the call rather than by cracking anything:

Prince’s hackers used the SSN to add a forwarding number to his AT&T service and then made a password-reset request with Google. So when the automated call came in, it was forwarded to them. Voilà—the account was theirs. Two-factor just added a second step and a little expense.

Read the article. You’ll cringe all the way through it. Honan finishes with:

Times have changed. We’ve entrusted everything we have to a fundamentally broken system. The first step is to acknowledge that fact. The second is to fix it.
