The New York Times takes a look at other tech vulnerabilities, besides insecure passwords:
Some computer security experts are advancing the heretical thought that passwords might not need to be “strong,” or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats.
Here’s one threat to keep you awake at night: Keylogging software, which is deposited on a PC by a virus, records all keystrokes — including the strongest passwords you can concoct — and then sends it surreptitiously to a remote location. […]
Donald A. Norman, a co-founder of the Nielsen Norman Group, a design consulting firm in Fremont, Calif., makes a similar case. In “When Security Gets in the Way,” an essay published last year, he noted the password rules of Northwestern University, where he then taught. It was a daunting list of 15 requirements. He said unreasonable rules can end up rendering a system less secure: users end up writing down passwords and storing them in places that can be readily discovered. […]
A short password wouldn’t work well if an attacker could try every possible combination in quick succession. But as [security researchers Cormac Herley and Dinei Florêncio] note, commercial sites can block “brute-force attacks” by locking an account after a given number of failed log-in attempts. “If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.” […]
Roger A. Safian, a senior data security analyst at Northwestern, says that unlike Amazon, the university is unfortunately vulnerable to brute-force attacks in that it doesn’t lock out accounts after failed log-ins. The reason, he says, is that anyone could use a lockout policy to try logging in to a victim’s account, “knowing that you won’t succeed, but also knowing that the victim won’t be able to use the account, either.” (Such thoughts may occur to a student facing an unwelcome exam, who could block a professor from preparations.)
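The arithmetic behind the Herley and Florêncio quote, and the lockout-as-denial-of-service problem Safian describes, as an added worked example; this is not code from the article or from the researchers. The `per_source` variant (counting failures per account and originating address rather than per account alone) is an assumption of this example, not something the article proposes, and the account name and addresses are constructed.

```python
from collections import defaultdict

HOURS_PER_YEAR = 24 * 365


def years_to_exhaust(keyspace, attempts_per_window, window_hours):
    """Worst-case years for an attacker to try every value in `keyspace` when a
    lockout policy allows only `attempts_per_window` guesses per `window_hours`.
    For a six-digit PIN with 3 guesses per 24 hours this is roughly 913 years,
    so the article's "100 years" is a conservative figure."""
    windows = keyspace / attempts_per_window
    return windows * window_hours / HOURS_PER_YEAR


class Lockout:
    """Failed-login lockout. With per_source=False this is the policy the article
    describes: `max_failures` wrong passwords lock the account for `lock_hours`,
    whoever made the attempts. With per_source=True (an assumption of this
    example) failures are counted per (account, source) instead, so a stranger's
    guesses do not lock the legitimate owner out from their own source."""

    def __init__(self, max_failures=3, lock_hours=24, per_source=False):
        self.max_failures = max_failures
        self.lock_hours = lock_hours
        self.per_source = per_source
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, account, source):
        return (account, source) if self.per_source else account

    def attempt(self, account, password_ok, source, now):
        """Returns 'rejected' (lock in force, password not even checked),
        'ok' (correct password) or 'fail' (wrong password, counted)."""
        key = self._key(account, source)
        if now < self.locked_until.get(key, float("-inf")):
            return "rejected"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.failures[key] = 0
            self.locked_until[key] = now + self.lock_hours
        return "fail"


def attacker_guesses_in(policy, hours, step=0.5):
    """Simulate a single source submitting a wrong password every `step` hours
    for `hours` and count how many guesses the policy actually evaluated."""
    evaluated = 0
    for i in range(int(hours / step)):
        # Constructed account name and source address.
        if policy.attempt("professor", False, "10.0.0.99", i * step) != "rejected":
            evaluated += 1
    return evaluated


def owner_login_after_attack(per_source):
    """Constructed scenario from the article: a third party fires three wrong
    guesses at the professor's account, then an hour later the real owner logs
    in with the correct password from a different address."""
    policy = Lockout(per_source=per_source)
    for _ in range(3):
        policy.attempt("professor", False, "10.0.0.99", now=0.0)
    return policy.attempt("professor", True, "10.0.0.7", now=1.0)


if __name__ == "__main__":
    print("years to exhaust a 6-digit PIN at 3 tries/24h:",
          round(years_to_exhaust(10**6, 3, 24)))
    print("guesses evaluated in 48h under per-account lockout:",
          attacker_guesses_in(Lockout(), 48))
    print("owner after attack, per-account lockout:", owner_login_after_attack(False))
    print("owner after attack, per-source lockout: ", owner_login_after_attack(True))
```

The simulation makes both halves of the trade-off visible: the per-account policy caps an attacker at six evaluated guesses in two days, but it also lets anyone who knows a username lock its owner out, which is exactly Safian's objection. Keying the counter on source as well removes that lever, at the cost that an attacker spread across many addresses gets `max_failures` guesses per address, so a deployment that uses per-source counting normally pairs it with a slower account-wide throttle or progressive delays rather than relying on either alone.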