Monday, November 19, 2007

Business Idea: Third-Party Password Custodian

This Cringely column got me thinking...

Identity thieves aren't so lazy, especially when they have technology to help them. They can start a sweepstakes website that requires only free registration to win that cruise of a lifetime to Bora Bora. And in doing so the thieves can know that a majority of registrants will use a username and password combination that they also use at a lot of other sites, like bank and brokerage accounts. Not only don't they need to actually award the cruise, they don't even have to break into your bank account in order to benefit from the username/password combo. They just sell that information to another crook.

That is kind of scary. I don't tend to register for sweepstakes, but you never know. Plus, there is the old "inside job" possibility, that a company employee will steal and sell your data, because I DO register for a lot of eCommerce sites. I know, the first line of defense is to use a special password for financial accounts.

Wouldn't a well-established, highly-trusted third-party password custodian be the solution? Kind of like how it works with the certificate authorities in PKI? So you register your User ID for each site, along with a master password (you get to have more than 1 master password, if you want), and then the custodian generates a strong password for you, which you don't even need to know, and performs the actual login, using that password. I remember reading, several years ago, about a hardware device that did this.
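As an added illustration (not code from the post or from any product it mentions), here is one way such a custodian could produce a strong, site-unique password: deriving it from the master password with PBKDF2 rather than generating and storing a random one, so the custodian keeps no per-site secrets at rest. The iteration count, alphabet and password length are assumptions.

```python
import hashlib
import hmac
import string

# Added example, not the post's own design: per-site passwords are derived
# from the master password, so a password captured at a sweepstakes site
# reveals nothing about the one submitted to the bank.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
ITERATIONS = 200_000      # assumption; tune to current hardware
PASSWORD_LENGTH = 20      # assumption


def _keystream(key: bytes):
    """Expand a derived key into an unbounded byte stream (HMAC in counter mode)."""
    counter = 0
    while True:
        yield from hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1


def derive_site_password(master: str, site: str, user_id: str,
                         length: int = PASSWORD_LENGTH) -> str:
    """Return the password the custodian would submit when logging in to `site`.

    The salt binds the derivation to (site, user id); the site name is normalised
    so case or stray whitespace does not silently produce a different password.
    """
    salt = site.strip().lower().encode() + b"\x00" + user_id.encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    # Rejection sampling keeps every alphabet character equally likely;
    # a plain modulo would bias the output towards the first characters.
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    for b in _keystream(key):
        if b < limit:
            chars.append(ALPHABET[b % len(ALPHABET)])
            if len(chars) == length:
                break
    return "".join(chars)


def distinct_password_count(master: str, user_id: str, sites: list) -> int:
    """Number of distinct passwords across `sites`; equals len(sites) when none is reused."""
    return len({derive_site_password(master, s, user_id) for s in sites})


if __name__ == "__main__":
    for s in ["bank.example", "brokerage.example", "sweepstakes.example"]:
        print(s, derive_site_password("correct horse battery staple", s, "alice"))
```

The master password is still the single point of failure, so its strength and the custodian's handling of it matter as much as the derivation.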

Also, a nice enhancement, to defeat keystroke-loggers, would be to present a bitmap of the alphabet, to allow graphical log-in.

