It sounds like such a good idea. When you log on to a new device they send you a text with a verification code. Great! It makes sure that only the person with the mobile can get into your Google account.
One thing I didn't understand: how do I get rid of the cookie on a public PC? I didn't see a question on the login page!
Unfortunately the downsides outweigh the security advantage.
Minor downside.
I'm in the habit of clearing the browser store - cache, cookies, etc., so that means I get a text. On the screen it says enter the verification code ending in 20. None of the six digits in the text message are either 2 or 0. The code worked, or I wouldn't be blogging now!
Major downside.
For applications that don't have cookies - in my case Thunderbird - there are application passwords "that you should only have to enter once". I keep my passwords in my brain. I do not let applications remember them. That I consider the safer option. I cannot remember 16 random characters; I would have to write them down - defeating the whole point of passwords in the first place.
Password security.
It is each application's responsibility to make the password that a user chooses safe. Strong passwords are a con. A password cracker that simply tries letters until it gets logged on will still get there, and quickly, even with a 16 character password. Password crackers can be delayed. The application simply waits 1 second before telling the user their password is wrong, 2 seconds next time, 4 after that - and so on. The user will hardly notice the delay for a simple mis-key. The password cracker can now only try 6 passwords in the first minute.
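As an added illustration of the doubling delay described above (example code written for this page, not taken from Google or any real login system), the guard below tracks failed attempts per account and doubles the wait after each wrong password. It models the wait as a per-account lockout window rather than a blocking sleep, so it can be simulated without real clock time; the per-account tracking, the `max_delay` cap and the `attempts_in_window` simulation are my assumptions, not details from the post.

```python
"""Exponential login backoff: 1 s after the first wrong password, 2 s after the
second, 4 s after the third, and so on, tracked per account (assumed design)."""
from dataclasses import dataclass, field


@dataclass
class BackoffGuard:
    base_delay: float = 1.0        # first penalty, in seconds
    max_delay: float = 3600.0      # assumed cap so the wait cannot grow forever
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> time lock expires

    def attempt(self, account: str, password_ok: bool, now: float):
        """Return (accepted, retry_after_seconds) for one login attempt at time `now`.

        Attempts made while the account is still waiting are refused without
        checking the password, and do not extend the wait."""
        lock_end = self.locked_until.get(account, 0.0)
        if now < lock_end:
            return False, lock_end - now
        if password_ok:
            # A correct password clears the penalty; a mis-key costs the user one short wait.
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return True, 0.0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)  # 1, 2, 4, 8, ...
        self.locked_until[account] = now + delay
        return False, delay


def attempts_in_window(window_seconds: float = 60.0, base_delay: float = 1.0) -> int:
    """Simulate a guesser that retries the instant each wait expires and count
    how many guesses fit inside the window (constructed scenario, simulated clock)."""
    guard = BackoffGuard(base_delay=base_delay)
    now, count = 0.0, 0
    while now < window_seconds:
        _, wait = guard.attempt("victim", False, now)
        count += 1
        now += wait
    return count


if __name__ == "__main__":
    print("guesses possible in the first minute:", attempts_in_window(60.0))
```

With a one-second starting delay the waits sum to 1 + 2 + 4 + 8 + 16 + 32 seconds, so the sixth guess is the last one that lands inside the first minute, which is the figure the post gives; a legitimate user who mistypes once is delayed a single second and the counter resets on the correct password.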