It has been a heck of a year for password/password hash disclosures. In the same week in June, millions of password hashes were disclosed from LinkedIn, eHarmony and Last.fm. And in the same week in July, more than 450,000 usernames and unencrypted passwords were reportedly stolen from Yahoo Voice, while 420,000 password hashes were leaked as a result of an attack on the social networking site, Formspring. These events have drawn a lot of attention to the issue of password security.
Just the fact that we are still living in a password world is annoying. Almost everything is still only password protected. But ultimately, passwords (strong or not) do not replace the need for other effective security controls. People need to understand that neither the strength of your password nor having it locked up in Fort Knox will mean anything once it is stolen from the source! The only real solution is to add additional layers of authentication for access and transaction verification, without unreasonable complexity. Service providers would help their customers by implementing some form of two-step or two-factor authentication, where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite for any system that wants to promote itself as being secure. With this in place, anyone who tried to use the “stolen” password without your phone, and without being on the computer, smartphone or tablet you have designated as trusted, would not be able to enter the account.