Thursday, November 15, 2007

Perfect Paper Passwords

I have been listening to the Security Now podcast from the beginning. It is a really good podcast about computer or network security. It is hosted by Steve Gibson and Leo Laporte. Steve is the creator of SpinRite, a hard disk repair and maintenance utility. He is also the author of several free utilities that can be found at his website. The podcast is all about security. Sometimes I think they talk too much about SpinRite or e-book readers, and I also think Leo sometimes falls asleep during the taping because he'll ask Steve questions that Steve already addressed. But anyway, other than that, it's a really good podcast.

Lately, there has been a lot of talk about one-time-use passwords. Steve had a need for his staff to securely log into the GRC network when they are away from their home. He wanted everything to be as impenetrable as possible. Sometimes I think Steve goes overboard. He would prefer NO risk of attack, whereas I understand that there will be some risk involved. I would rather it be easier than harder. The more hoops I have to jump through, the more secure it is, but you're also increasing the frustration level if you already have a low risk of someone trying to break in. I mean, who really wants to read MY email? And there are some instances where the extra hoops aren't so frustrating, like my PayPal account. You can listen to episode 115 for all the details about why he came up with this, but he wanted something that couldn't be sniffed and used again later. I think what he has come up with is very good. And I think it will work for a few different websites or systems. For example, I think this would be perfect for Passpack or Clipperz. Websites like that have the potential of being targets, and this would give one more authentication factor that would be incredibly hard to attack.

The system Steve has come up with is called "Perfect Paper Passwords", or PPP. The website has all the information about it. Steve said that someone has already used his system to create a plug-in for the Mac that will use this authentication system for logging into an OS X system. If someone comes up with something for Windows, I'd probably use it.

Also, I like my PayPal Security Key, but what Steve has come up with is better in a lot of ways. The biggest difference is cost. It doesn't cost anything to print out a card. And it will also have a low startup cost for websites too. It's just really cool. And I really hope Passpack and Clipperz will implement it, as I still use both of those sites and would enjoy the extra security.

And speaking of Passpack and Clipperz, I sent Steve feedback asking him about those two sites. He hasn't answered it yet, but he did answer someone else about a similar website called Passlet. I asked Steve what he thought of those sites, and based on his response to the Passlet question, he seems to think they are okay. But Passlet is just plain ugly and doesn't provide nearly the same feature set as Passpack or Clipperz. Maybe Steve will still have a look at my question and answer it. I'm hoping he uses a tracker and will see this blog post. If not, I'll try again because I'd really like to know what he thinks of these sites, and maybe even compare them to Passlet.

(I realize I didn't say anything about Leo as an introduction. After all, who doesn't already know Leo?)