Monday, July 28, 2003

The end of user-id / password ... ?

The use of user-id / password as the sole security mechanism has some disadvantages:

- the huge number of user-id/password combinations to be remembered,

- the possibility of keylogging at public Internet sites where one remotely accesses personal applications (webmail, etc.).

This last risk is highlighted by a trial in New York City (see this article):

For more than a year, unbeknownst to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords.

Jiang had secretly installed, in at least 14 Kinko's stores, software that logs individual keystrokes. He captured more than 450 user names and passwords, using them to access and even open bank accounts online.