Security Consistency: Should we standardize password requirements?
I saw a presentation earlier this week where a researcher was talking about consumer education with respect to security. The researcher said that one way to make security education more consistent would be for websites to all have consistent requirements around passwords. For example, all websites should require that passwords have at least 8 characters and should include on capital letter, one digit, and one punctuation mark.
While I am all for having consistent messaging around security practices and even encouraging users to have secure passwords, I worry about the implications.
Imagine a world where every website had the exact same requirements for passwords. Even if the passwords were secure, the risk is allowing people to have the same password on every website. In this case, if the bad actors were able to phish the password for one of my accounts, and they had my email address, they would likely be able to access many of my accounts.
To make matters worse, once the bad actor has the password for one of my accounts, they will be able to login to my email account which will let them do a forgot my password function on almost any other account.
While I applaud researchers for thinking of ways to make security education more consistent, making password requirements consistent has more negative ramifications than benefits.
About
Silver Tail is leading the fight against business logic abuse with 3rd generation fraud prevention.
Hackers are no longer high school kids trying to one-up their friends or criminals trying to just break-in to sites. Instead, today’s sophisticated hacker is organized crime, strategically targeting websites, stealing billions of dollars from companies and their customers. Vendors providing web application security and intrusion prevention have forced hackers to become much more innovative in their means of attacking websites. These hackers now target the legitimate business logic of websites to perpetrate their fraud, including hijack threats, velocity attacks and gaming schemes. Silver Tail is using the deep domain expertise of its team to provide software that combat business logic abuse in real-time.
Silver Tail was founded by a team of fraud prevention experts who built anti-fraud and anti-phishing tools at eBay and PayPal. Through their experience and proprietary algorithms, they have built a system that is scalable, minimizes false positive rates, and is extremely flexible to adapt to changing attack vectors.
Feedburner
RSS Feed
-
Archives
- December 2009 (5)
- November 2009 (7)
- October 2009 (8)
- September 2009 (7)
- August 2009 (8)
- July 2009 (7)
- June 2009 (6)
- May 2009 (6)
- April 2009 (14)
- March 2009 (8)
- February 2009 (5)
- January 2009 (8)
-
Categories
- behavior analysis
- business logic abuse
- Business Logic Flaw
- Business Process Abuse
- Compliance
- Cost of fraud
- Data Loss
- Detection
- education
- Fraud
- Gaming
- General
- information security
- Investigation
- Man-in-the-Browser
- Online Fraud
- Payment
- Phishing
- Prevention
- risk management
- Social engineering
- Social Networks
- Trust
- Uncategorized
- web logic abuse
- Zeus
-
RSS
Entries RSS
Comments RSS
