Twitter has apparently fallen foul of a phishing attack: it is alerting some users to reset their passwords and urging them to choose hard-to-guess passwords made from a mix of words, numbers and symbols.
Passwords are an obvious security weakness in any system. They are so hard to remember that people inevitably pick obvious words or numbers and re-use them across many sites, so a password phished from one site unlocks the others. Or, just as bad, they write the password down on a Post-it and stick it on their desk or laptop.
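The reset advice above ("a mix of words, numbers and symbols") is a composition rule, and composition rules alone do not make a password hard to guess. The following is an added example, not code from the article, Twitter or GrIDsure, showing why a practitioner would pair such a rule with a length floor and a compromised-password blocklist. The blocklist contents, the 12-character minimum and the 20-character threshold above which composition is not demanded are all assumptions made for the example.

```python
import re

# Constructed sample blocklist for this example. A real deployment checks
# against a breach corpus (e.g. a k-anonymity range lookup); these entries
# are an assumption, not data from the article.
BREACHED = {"password", "qwerty", "letmein", "iloveyou", "twitter"}

MIN_LEN = 12        # assumed policy minimum
LONG_LEN = 20       # assumed length above which composition is not demanded

# Common substitutions users make to satisfy "mix of numbers and symbols" rules.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "$": "s", "5": "s"})


def composition_ok(pw: str) -> bool:
    """The rule from the reset advice: letters, digits and symbols all present."""
    return bool(re.search(r"[A-Za-z]", pw)
                and re.search(r"\d", pw)
                and re.search(r"[^A-Za-z0-9]", pw))


def normalize(pw: str) -> str:
    """Lower-case, drop the trailing digits/symbols and undo leet substitutions,
    so 'P@ssw0rd1!' collapses to 'password' before the blocklist lookup."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def password_issues(pw: str, breached=BREACHED) -> list:
    """Return the reasons a candidate password should be rejected (empty if none)."""
    issues = []
    if len(pw) < MIN_LEN:
        issues.append("too short")
    if len(pw) < LONG_LEN and not composition_ok(pw):
        issues.append("no mix of letters, digits and symbols")
    if normalize(pw) in breached:
        issues.append("matches a known-compromised password")
    return issues


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Twitter2009!", "correct horse battery staple"]:
        print(f"{candidate!r}: composition_ok={composition_ok(candidate)}, "
              f"issues={password_issues(candidate)}")
```

Both "P@ssw0rd1!" and "Twitter2009!" satisfy the letters/digits/symbols rule, yet each normalizes to a blocklisted word; the long passphrase satisfies no composition rule and is the only candidate that passes.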
Stephen Hower, CEO of GrIDsure, points out that this method of security is flawed: “The owners of these sites have chosen this method of authentication in the misguided view that it is cheap and offers a good level of security. In reality, it is neither. As we’ve seen, passwords can be compromised through various forms of attack, including shoulder-surfing, key-logging and screen-scraping.”
As a purveyor of alternatives to PINs and passwords, Hower clearly has a vested interest in highlighting the flaws of the username/password combination, but he has a point. Why does the username/password combination remain so prevalent when this method of authentication is so insecure?