Why a password is not enough
Jan 13th, 2008 by Jesper Kråkhede
In the last few days an interesting story has been published in a Swedish newspaper about a site that was hacked and lost its whole account database. A lot of passwords and the connected email addresses were later posted in a forum, and that was when the bad things started to happen. In a follow-up article a girl describes how she lost control of her email, of sites where she had used her credit card number, and of online shops. In yet another article a police officer describes how secret investigation material was lost because he used the same password at the hacked site as for his Gmail account.
What does this show us? A password is not enough anymore. If you trust your users to create their own passwords, they will reuse those passwords in other places on the internet, and if those places are hacked the integrity of your systems could be at stake. From a security architecture perspective you have involuntarily included those internet sites in your trusted computing base through your users. To mitigate this threat you need to implement two-factor authentication, for example certificates or PIN pads. What has happened here is just an example of a risk from a risk analysis that turned out to actually happen.