Password Security Feedback

Judging by the responses, many of you agree that working with passwords, security questions and access privileges in general is getting more complicated. I've heard from many of you that you're facing the same issues not only with database access, but with application and network security in general.

One area that is lagging in this regard is application developers' support for longer passwords and passphrases. Being more flexible when soliciting security questions seems to be starting largely with banks, and is not yet common in other areas, though I'm sure it will end up being so.

Some great feedback from David: "Web site logins are getting out of control… I have over 160 accounts in my RoboForm password management tool. Here are some thoughts for improvements to the standard user login techniques; I don't know if they'll solve all the problems that came up in the recent hack, but they'd be a step in the right direction, until the security experts figure out something entirely new.

– Don’t use email address as login name; let users select their own login name. This (if users use it right and create different logins across various sites) will prevent hackers who harvest logins from one site from being able to test those credentials against another site.

– Let users set any password they wish… get away from the "one upper, one lower, one number, one special character" requirements. Display hints as to how complex the user’s password is (Easy/Medium/Hard) like some sites are starting to do, and even require that the password is at least Medium or such, but allow users to meet that requirement with either length or complexity as they wish.

– Allow long passwords… up to 30 characters.

– Let users create their own security questions… maybe provide a standard list of options for users who aren’t sure what to choose, but allow more-sophisticated users to create their own questions.

– Some sites are starting to separate username and password entry into separate screens… I don’t know if some theory considers this more secure, but it can really be hard to automate the login with password management tools. Keep all entry on one screen."
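David's second and third points (rate a password Easy/Medium/Hard and let length or complexity satisfy the minimum, instead of mandating one character from each class) can be implemented with an entropy estimate: the size of the smallest alphabet that covers every character used, raised to the length. The example below is added here and is not code from the original post or from David; the bit thresholds (40 and 60), the 64-character allowance for characters outside the four classes and the sample passwords are all assumptions chosen for illustration.

```python
import math
import string

# Character classes and the alphabet size each one adds to the estimate.
# These are the sizes a brute-force attacker would have to search.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}
OTHER_CLASS_SIZE = 64  # assumed allowance for characters outside the classes above (e.g. non-ASCII)

LEVELS = ["Easy", "Medium", "Hard"]
MEDIUM_BITS = 40  # assumed threshold for "Medium"
HARD_BITS = 60    # assumed threshold for "Hard"


def charset_size(password: str) -> int:
    """Size of the smallest alphabet that contains every character in the password."""
    chars = set(password)
    size = 0
    for members, n in CLASSES.values():
        if chars & members:
            size += n
    if any(all(c not in members for members, _ in CLASSES.values()) for c in chars):
        size += OTHER_CLASS_SIZE
    return size


def estimated_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size)."""
    n = charset_size(password)
    return 0.0 if n == 0 else len(password) * math.log2(n)


def rate(password: str) -> str:
    """Easy/Medium/Hard hint, reachable by either length or character diversity."""
    bits = estimated_bits(password)
    if bits < MEDIUM_BITS:
        return "Easy"
    if bits < HARD_BITS:
        return "Medium"
    return "Hard"


def meets_composition_rule(password: str) -> bool:
    """The 'one upper, one lower, one number, one special character' rule, for comparison."""
    chars = set(password)
    return all(chars & members for members, _ in CLASSES.values())


def accept(password: str, minimum: str = "Medium") -> bool:
    """Accept any password rated at least `minimum`, however the user got there."""
    return LEVELS.index(rate(password)) >= LEVELS.index(minimum)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw in ["password", "P@ssw0rd", "correct horse battery staple"]:
        print(f"{pw!r}: {estimated_bits(pw):.1f} bits, rated {rate(pw)}, "
              f"composition rule {'met' if meets_composition_rule(pw) else 'not met'}, "
              f"accepted={accept(pw)}")
```

Run against the three constructed samples, the composition rule and the estimate disagree in both directions: "P@ssw0rd" satisfies every class requirement yet only rates Medium, while the 28-character all-lowercase passphrase fails the composition rule and rates Hard. The caveat is that an alphabet-size estimate knows nothing about dictionaries or patterns, so "password" and a random eight-letter string score identically; a production meter should also reject words and previously breached passwords, which this example does not attempt.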

Great feedback. By the way, if you're not using a password management tool, now's the time to consider it. They can generate new (complex) passwords and keep track of sites, passwords, user names and so on. They're one of those "whatever did I do before this!?" tools. I personally use RoboForm as well, but have no affiliation with them other than being an avid user.