Friday, August 08, 2008

How to steal my Google account

My old friend Brendan would know the answer to this Google password change security question:

Yes, to steal my Google account, my primary digital identity, all you need to know is my first phone number.

It's ok to sob quietly now. I understand.

I'm 187 years old, so not that many people know my first phone number any more. Only hackers who've broken into other security systems that ask the same question, and about a dozen other people. For anyone under 25 though, this isn't that hard to learn.

Ok, so I'm not a complete idiot. The answer I stored in Google for that question is a 200-character hex string taken from GRC secure passwords. So you really would be better off stealing my primary password.

Google, on the other hand, is behaving like a complete idiot. Why is this?

That's the interesting question. It leads to some noteworthy conclusions ...
  1. Passwords are a complete fail. Schneier has been saying this for years. We are now into the realm of madness. We need multi-factor authentication devices that handle our secondary authentication for us. Yeah, it's not perfect, but, really, this is s#$!@# insane.
  2. We live in the age of the tyranny of the mean. Even the vast majority of geeks aren't going to figure out how to sync 1Password with an iPhone. Regular folks are going to use one password everywhere and then forget it. Google, like everyone else with these asinine security questions, is bowing to the reality that humans didn't evolve to live in a digital world. We're maxing out right now.