Re: Authentication barrier

Janina wrote:
> Moral of the story? If ya'gotta write it down, write it in an encrypted file/location.
> ... If it's written down in plain sight, it's easily harvested.

I'm afraid it's more complex than that these days. Whilst having your passwords in your own encrypted file might be ideal from a security point of view, you have to balance it with how humans work.

Many (most!) people struggle with an encrypted file; it's a difficult-to-use extra layer.
Some struggle with password managers or even browser-saved passwords.

There's a great article from security researcher/trainer Troy Hunt (who runs haveibeenpwned.com), a brief quote from a long article:
"We all know people for whom LastPass, 1Password and all the other ones pose insurmountable usability barriers. They might be elderly or technically illiterate or just not bought in enough to the whole password manager value proposition to make it happen.

They're doing the memory thing and failing badly at it, but then you give them the password book. They write down sites and passwords because hey, it's a pen and paper, this is something they understand well. Then they put their unencrypted, plain text passwords in a drawer.

Their "threat actors" are anyone who can access that drawer and right off the bat, that's a significantly smaller number of people than what can take a shot at logging onto online services using the usual poorly thought-out passwords people have."
https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/

It's all relative, but asking people to remember strong passwords is actually worse (on average) than letting them write it down.

Like a lot of accessibility, the authentication SC should push for multiple ways of doing something to allow for adaptability.

Cheers,

-Alastair

Received on Thursday, 31 January 2019 17:22:29 UTC