Posts by Jonathan G Craymer

4 publicly visible posts • joined 1 Mar 2013

Brit firm PinPlus flogs another password 'n' PIN killer

Jonathan G Craymer

Re: the human factor

I agree that people generally try to use really easily memorised passwords - and that has always been one of the problems with passwords. Another is that administrators have little real control over the strength of a password a user elects to use. Sure, you can set up systems that insist on mixtures of characters, and you can also ban "dictionary" words, but you have little control over users who insist on having a password which, say, relates to them in some way that a hacker might guess, but which the user has simply "disguised" with 3s instead of Es, etc. However, the great advantage of a system like PinPlus (pin+) is that it can to a great extent police itself (you can set it to ban things like straight lines - which would prevent someone just choosing the top line), and it can guide the user to set up something really strong, yet easily remembered - because it's a brain-friendly shape or pattern.

Jonathan G Craymer

Re: flawed if delivered via webpages ?

pin+ is intended to raise the bar over passwords or PINs, and we believe it's vastly superior to ordinary fixed user-IDs (which are of course "gone" the moment a hacker sees or captures them) when used on web portals. If a user needs more security, he/she can always use pin+ on a separate device (phone?).

Jonathan G Craymer

Re: Where is the code shown?

Is it perhaps time we moved on from the old idea of "two factor"? Let's be realistic: people don't like having to carry things with them, or even if they do, there usually comes a time when they've left the token or phone or whatever back at the office or in the wife's/husband's car. Perhaps the term "too fagged to..." authentication might be better? As in "I was too fagged to carry a hard token"? Also, think about it: any secondary device which says "I'm me" can be stolen, and the thief can pretend to be you. OK, say it's a token with a 4-digit PIN. If that's key-logged and the token stolen, the thief can impersonate you. Similarly with a phone showing an SMS-transmitted one-time code in plain text. For a colleague who knows how to partly log in to your account, this could be a godsend if you leave your phone unattended on your desk. He starts to log in, using your email (which he knows), and gets the code showing up on the phone. What we really need is something less hardware-based, like passwords, only better?

Jonathan G Craymer

Re: Possible attack?

pin+ only uses six digits, 0-5. No solution is going to be unhackable, but we reckon this makes life a lot more difficult for a hacker.