Found your password on Google!

Posted  June 5, 2007 By Steve

Here’s another "Why two-factor?" article. The good people at the Symantec Security Response Weblog have a post called Found Your Password On a Search Engine.

It’s a great story about what can happen through malware. But, that can be just the tip of the iceberg. Any website that you’ve ever given a username and password to could theoretically be attacked, and your information can be taken that way.

There are a couple of solutions to this problem. From the perspective of end users, it’s very important that you give websites unique passwords, and in general, don’t give out any more information than you absolutely have to.

For IT administrators or anyone that has an application to protect, the problem is much harder: you have to make sure 100% of your users do the right thing on password security.

The only real solution to the second problem is to use two-factor authentication like PhoneFactor. While users may pick bad passwords, they will jealously guard their phones, so even if the password list is stolen, the attacker can’t make any use of it without also collecting users’ phones. That makes the problem much, much more difficult for the bad guys.