It all sounded so easy: Find somebody's Hotmail e-mail account, type the right Web address into your browser and you could change that account's password to one of your choice. Except that since Hotmail accounts are also "Passport" accounts, you would also get control of the victim's identity across Microsoft's Web network and at such third-party sites as eBay.
I'd thought identity theft was this easy only in the movies.
But accidents will happen, and this one was reported May 7. The Passport vulnerability - which Microsoft quickly fixed after its disclosure - illustrates the risks of trading convenience for security. And it shows what a mess identity management remains online.
With Passport, Microsoft is trying to solve a real problem. It is increasingly impossible to use the Web without entering one user name and password after another, even for such trivial tasks as buying a paperback or reading a newspaper story.
A unified sign-on system would relieve you of this drudgery and streamline the process of keeping such personal data as your address current - imagine not having to update your shipping info at 10 different Web stores.
No losses yet
Passport delivers on that at about 300 sites, many Microsoft-run, including the MSN Messenger instant-messaging service and the Expedia travel site. Microsoft says this system remains safe and that it's never heard of any Passport user suffering actual losses from hacking of it.
"We don't have evidence at all that anyone's accounts have been compromised (in a way) where people lost data or financial tomfoolery went on," said Passport project manager Adam Sohn.
Sohn recently held forth on how a Passport identity is defended by more than just a password. For example, when more sensitive data is at stake, such as bank transactions, a site can ask for a separate four-digit ID number; one service in the United Kingdom takes this a step further by sending one-time keys to a user's cell-phone screen.
Should you buy into the Passport concept, however, you'll remain in password prison, because your Passport is no good at thousands of other popular sites. You can't use it to buy books at Amazon, rent cars at Travelocity or check your Yahoo e-mail.
Passport's competitors are deeper in the same box. AOL Time Warner's "Screen Name Service" supports few sites beyond the New York media conglomerate's own Web properties. (Also of concern: The marketing-driven queries about marital status, income, education and career in the Screen Name Service questionnaire.)
A broad international consortium, going by the grandiose moniker of the "Liberty Alliance," is working to develop a Web-wide ID system unbeholden to any one company, but its principal output to date has been news releases and position papers.
None of these efforts has answered the biggest question about this entire concept: Is a single Web sign-on a good idea at all? Would you want to provide a target that big to marketing databases or identity thieves? Is inefficiency preferable to insecurity?
"Putting it all in one place doesn't make sense to me, because when those errors happen, (the downside) can be enormous," said Bruce Schneier, chief technical officer of Counterpane Internet Security, reciting from the risk-management catechism.
Different passwords
But if you don't want to trust any Web-wide system to protect your identity, and you also can't trust your own brain to remember all the different passwords needed in your day-to-day existence, what can you do?
One option is to always use the same user name and password. This gets you a Passport-like experience if done right, but also Passport-like risks: Once I know your password, I own you. I'll do this with meaningless log-ins - if you want to read the Los Angeles Times as me, go ahead - but not where money changes hands.
If you are going to use different, hard-to-guess passwords (nothing that shows up in the dictionary), two partially overlapping choices remain.
The first is to let your Web browser remember your passwords for you. Provided nobody else can get to your computer, this will work. (If it's a shared computer, you'd best stick with Netscape or Mozilla, which allow you to set a master password to block access to stored logins.)
The second is to store your passwords someplace where you can look them up. That's what I did: After forgetting my bank-card PIN - one of the most embarrassing forms of forgetfulness possible in the modern world - I typed those digits, along with every other password I could remember, into a text file and encrypted it with the Pretty Good Privacy program. That's worked well for me ... except when I've had to go home to log in to a site.
I asked Schneier, author of a password-management program and several books about security and cryptography, what he does. His answer surprised me.
He writes his passwords down on a card and sticks that in his wallet. No encryption, no invisible ink, no nothing.
What if the wallet gets stolen?
"If they stole my wallet, they're more likely to take my credit cards and my cash." And, he continued, this doesn't require any more work on his part: "I already have to keep my wallet secure."
That's simple enough it actually makes sense. And it beats waiting for the Web industry to figure out some system-wide solution.
© Los Angeles Times-Washington Post News Service