
SoylentNews is people

posted by Fnord666 on Tuesday January 30 2018, @04:41AM
from the isn't-it-about-time-to-move-on dept.

Submitted via IRC for TheMightyBuzzard

A global study from IBM Security examining consumer perspectives around digital identity and authentication today found that people now prioritize security over convenience when logging into applications and devices.

Generational differences also emerged showing that younger adults are putting less care into traditional password hygiene, yet are more likely to use biometrics, multifactor authentication and password managers to improve their personal security.

With millennials quickly becoming the largest generation in today's workforce, these trends may impact how employers and technology companies provide access to devices and applications in the near future. Overall, respondents recognized the benefits of biometric technologies like fingerprint readers, facial scans and voice recognition, as threats to their digital identity continue to mount.

Source: https://www.helpnetsecurity.com/2018/01/29/authentication-today/



 
  • (Score: 0) by Anonymous Coward on Tuesday January 30 2018, @05:20AM (7 children)

    by Anonymous Coward on Tuesday January 30 2018, @05:20AM (#630197)

    But they don't get better security. The state just gets better tracking, of everything you do, everywhere you go, everything you buy. "Security" is bullshit. It certainly isn't for yours. And in fact, all this does is make fraud more convenient than trying to be honest. If my real credentials don't work, I just get some fake ones that will work better, and easier.

    We have every right to demand convenience, and security. There is no reason to sacrifice one for the other. With sufficient demand we will get what we want. Unfortunately we have to do it together.

  • (Score: 5, Insightful) by maxwell demon on Tuesday January 30 2018, @06:12AM (5 children)

    by maxwell demon (1608) on Tuesday January 30 2018, @06:12AM (#630209) Journal

    We have every right to demand convenience, and security. There is no reason to sacrifice one for the other.

    "We have every right to demand both eating our cake and having it. There is no reason to sacrifice one for the other."

    Security is inconvenience. Even a simple password prompt is an inconvenience. You cannot get security without inconvenience.

    Biometrics is convenience (no need to have to remember passwords), but at the cost of security (biometrics are not unbreakable, as has been frequently proved, and if your biometrics has been cracked, you cannot simply replace it).

    Two-factor authentication is security, but at the cost of inconvenience (you have to carry around that second factor; if you use the phone as second factor, you get more convenience because you carry it around anyway, but at the same time less security because phones are greatly more hackable than dedicated authentication devices).

    Password managers are a mixed bag. In principle, they don't give more security, as they just store passwords; theoretically you'd be more secure by storing those passwords in your head. In practice, they actually can increase security because our brain's ability to hold strong passwords is not very good (OTOH, a weak password on your password manager effectively weakens all passwords stored in it). The password managers on one hand increase convenience because you have to remember fewer passwords (just the one for your password manager), on the other hand decrease it because you always have to have your password manager around, and if you happen to forget your password manager's password, the shit really hits the fan.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 3, Informative) by anubi on Tuesday January 30 2018, @06:47AM (3 children)

      by anubi (2828) on Tuesday January 30 2018, @06:47AM (#630223) Journal

      My main beef with password managers is monoculture.

      Once the encryption algorithm of *that* manager has been compromised, all the others are apt to be compromised as well.

      Once the word is out how a "bump key" works, nearly all mechanical locks of that design are degraded as far as security goes.

      Personally, I consider the lock as nothing more than evidence that I intended no access, and violation of my lock is only evidence that entry was gained without permission. I have other methods (covert cameras) to document the act so I can seek redress in a court of law.

      Everybody has known for years that locking your car is no defense against a Slim Jim. I have even had to use that way myself a couple of times when I locked my keys in the car.

      The thing that concerns me these days is how impersonal identity theft has become. All done by scripts. I never will know who is dinging me, and nearly every business demands my info with the quite legitimate reason that they need to vet me... problem is they keep sharing that information, willingly or accidentally, so that slowly but surely, everyone's private affairs get cross-referenced and indexed onto darkweb databases. Nothing is private anymore. I don't have anything that can't be replicated sufficiently to deceive a sensor so as to perform actions in my name.

      The number one reason for my failure to accept even "micropayments" on the web is because in order to pay, even one cent, I have to reveal my payment credentials. I can trust NOBODY. Not even Equifax! They all *say* they can be trusted, but their fine print all says "if you actually believe what we told you in large print, you are a big trusting fool!".

      I can't shut down everything, but I will avoid any kind of payment / identification for certain things, well known to be highly risky, such as porn, warez, pirated stuff, anything illegal, gambling, and games. I don't even have a google account yet. I use an anonymous email account, which I would pay for, if I knew beyond a shadow of a doubt, that they would not share my real info. I have researched through Spokeo and already there is far more stuff out there on me than I feel comfortable with. As a result of the Equifax breach, I know that there is enough out there to confuse the entire population of the world as to who is really who.

      It's no longer a function of being careful.

      It's now a function of pure statistics as to when my identity is going to be misused.

      My best attempt to cope with this was to adopt a much lower lifestyle, so little is at risk. Own your stuff outright and pay cash when possible, using credit cards if necessary for telepurchases. Pay your debts off. If you have money lying around, keep it in some sort of investment which requires you to interface with your banker/broker. Personally. Something fishy comes over the wire, and they will question it.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by c0lo on Tuesday January 30 2018, @07:46AM (2 children)

        by c0lo (156) Subscriber Badge on Tuesday January 30 2018, @07:46AM (#630232) Journal

        It's no longer a function of being careful.

        It's now a function of pure statistics as to when my identity is going to be misused.

        Yes, but recall that joke with the guy donning his runners and telling his companion: 'I don't need to run faster than the lion, I only need to run faster than you'.

        If a hacker targets you, it's only a matter of time before he gets your identity. If you are only one of the many, you only need to be a bit 'more secure' than most of the others.

        True, given how many companies store data about you, you have little control on what/when the things go south. Minimising your profile indeed involves minimising the number of companies you share your data with.
        Also, which devices you use to interact with them.

        I'm using a single payment processor and that is linked with a debit card account which is loaded only minutes before making a purchase. If a webshop doesn't accept that payment processor, I don't buy from that shop.
        And I do my online shopping and ebanking only from a laptop at home, laptop that runs Linux (thanks deity the era of IE-only supported is dead), laptop that never leaves my home and is powered off most of the time.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 2) by arslan on Wednesday January 31 2018, @12:59AM (1 child)

          by arslan (3462) on Wednesday January 31 2018, @12:59AM (#630745)

          Eh? That analogy only stands for instance when the hacker is targeting individuals, not when they're targeting data dumps. The analogy to that would be you running faster than me is useless if there's a tsunami coming at all of us. I have to be running faster than that...

          • (Score: 2) by c0lo on Wednesday January 31 2018, @02:09AM

            by c0lo (156) Subscriber Badge on Wednesday January 31 2018, @02:09AM (#630780) Journal

            That analogy only stands for instance when the hacker is targeting individuals, not when they're targeting data dumps.

            Works in this case too. Assuming your passwd is not based on dictionary words, the digest of it in the dump will be harder to crack. After getting enough passwords reversed, I have a feeling the attacker will just let yours be.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 0, Informative) by Anonymous Coward on Tuesday January 30 2018, @05:51PM

      by Anonymous Coward on Tuesday January 30 2018, @05:51PM (#630495)

      Security is inconvenience

      That is a lie. It is supposed to be only inconvenient for the crook, not the user. We have to put the burden on the people who run the system. The problem is that we believe all their bullshit that "it's too hard". They are liars, and we have to call them on it and put them out of business if they don't provide what we demand. That is how we are supposed to work the "free markets". If we don't demand good service, we won't get it. The clarity is overwhelming.

  • (Score: 2) by DannyB on Tuesday January 30 2018, @05:19PM

    by DannyB (5839) Subscriber Badge on Tuesday January 30 2018, @05:19PM (#630469) Journal

    Security vs Convenience.

    Someone else already pointed out how these are a tradeoff.

    I'll give an actual example.

    I build a web application. People testing need to log in to it fifty times a day. So I built a feature where the server can be configured with pre-set credentials. When the login page is displayed, the name / password are pre-filled out with the configured values. This does NOT make those configured values valid. It just means you don't have to type them in. The server's configuration is only controllable by the server's owner. (And if not, then you've already got bigger problems.) It is still necessary to know credentials to put them into the config file. On test servers, these credentials don't provide access to anything but test data. Production servers are never configured this way. (And again, if an outsider knew valid credentials, and the config file could be manipulated by an outsider, then you've already got bigger problems.) There is also a compile time feature which determines if a compiled server even has this configuration feature available. Various development and testing features are controlled by compile time flags -- which the "About page" will indicate as flags in the version information so it is possible to detect a misconfiguration of the compilation stage of the build.

    The feature has one more thing in addition to the name / password. It has an "autologin" flag. That way when testing, it is not necessary to visit the login page. Just accessing any bookmarked URL, which normally would route you through the login procedure first, ultimately gets you automagically logged in, and routed back to the bookmarked action you are testing.

    This is an example of security versus convenience. I built a convenience that can be configured to bypass security, for internal porpoises.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
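
The feature described in the comment above, sketched as an added example (not DannyB's code and not part of the original thread). All names here (`DEV_LOGIN`, the `dev_login` config key, the functions) are hypothetical, and a runtime set stands in for the compile-time flags.

```python
import hashlib, hmac

BUILD_FLAGS = frozenset({"DEV_LOGIN"})   # assumption: stands in for compile-time flags
SALT = b"constructed-salt"

def _digest(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 10_000)

USERS = {"tester": _digest("test-data-only")}   # constructed user store (test data only)

def check_credentials(name, password):
    """The normal login check; prefill and autologin both go through it."""
    stored = USERS.get(name)
    return stored is not None and hmac.compare_digest(stored, _digest(password))

def dev_login(config, build_flags=BUILD_FLAGS):
    """Return the dev-login config section only if this build includes the feature."""
    if "DEV_LOGIN" not in build_flags:
        return None
    return config.get("dev_login")

def login_form_defaults(config, build_flags=BUILD_FLAGS):
    """Values pre-filled into the login form; they grant nothing by themselves."""
    dev = dev_login(config, build_flags)
    if not dev:
        return {"name": "", "password": ""}
    return {"name": dev["name"], "password": dev["password"]}

def handle_request(url, session, config, build_flags=BUILD_FLAGS):
    """Serve an existing session, autologin if configured and valid, else show login."""
    if session.get("user"):
        return ("serve", url)
    dev = dev_login(config, build_flags)
    if dev and dev.get("autologin") and check_credentials(dev["name"], dev["password"]):
        session["user"] = dev["name"]
        return ("serve", url)            # routed back to the bookmarked action
    return ("login", url)

def about_flags(build_flags=BUILD_FLAGS):
    """Version-info string for the About page, so a dev build is detectable."""
    return "flags: " + (",".join(sorted(build_flags)) or "none")

def audit(config, environment, build_flags=BUILD_FLAGS):
    """Findings a deploy check should fail on for a production server."""
    findings = []
    if environment == "production" and "DEV_LOGIN" in build_flags:
        findings.append("dev-login feature compiled into production build")
    if environment == "production" and config.get("dev_login"):
        findings.append("dev_login credentials present in production config")
    return findings
```

The configured values still pass through `check_credentials`, so a wrong or stale entry in the config file falls back to the ordinary login page, and `audit` is the kind of check a deployment step can run to catch a production server carrying either the flag or the config section.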