{"id":649,"date":"2012-02-01T20:52:06","date_gmt":"2012-02-02T02:52:06","guid":{"rendered":"http:\/\/www.nathanhunstad.com\/blog\/?p=649"},"modified":"2012-02-01T20:54:58","modified_gmt":"2012-02-02T02:54:58","slug":"passwords-authentication-and-privilege","status":"publish","type":"post","link":"https:\/\/www.nathanhunstad.com\/blog\/2012\/02\/passwords-authentication-and-privilege\/","title":{"rendered":"Passwords, Authentication, and Privilege"},"content":{"rendered":"<p>Gizmodo has decreed that today, February 1st, is \u201c<a href=\"http:\/\/gizmodo.com\/5879669\/february-1-is-change-your-password-day-ive-decided\" target=\"_blank\">Change Your Password<\/a>\u201d day. I wholeheartedly agree, especially if you re-used passwords (which you shouldn\u2019t!). In fact, I\u2019d go further: change your password, and start using a <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2011\/02\/useful-computer-utilities-keepass\/\" target=\"_blank\">password manager<\/a>. Did I change my passwords today? I did not, because I use said password manager. I don\u2019t reuse passwords, and my passwords are all random. So even if <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2012\/01\/zappos-data-breach\/\" target=\"_blank\">one is revealed<\/a>, it\u2019s not going to make a difference outside of that one website.<\/p>\n<p><!--more--><\/p>\n<p>But I\u2019ve been thinking beyond passwords lately to the broader subject of authentication, which I think is where the real issues are. Take online finance. I use Quicken, <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2011\/08\/closed-source-software-i-use\/\" target=\"_blank\">which I hate<\/a>. However, I have more than 15 years of data in Quicken that won\u2019t easily move elsewhere, so I have few choices as to where I can go. One popular alternative finance site is <a href=\"https:\/\/www.mint.com\/\" target=\"_blank\">Mint.com<\/a>, which has a pretty strong following online. 
It allows you to pull in data from all of your banks so you can have a centralized view of your finances, much like Quicken. Unlike Quicken, it\u2019s web-based, and it can send you alerts based on balances, fraudulent activity, and so forth.<\/p>\n<p>To get this information, Mint obviously needs to be able to access your banking information. They do this by storing your bank login credentials, although they say that they only have read-only access to your banking data, so even if your Mint account was compromised, criminals couldn\u2019t move your money anywhere. Of greater concern is that they (or, more accurately, <a href=\"http:\/\/themedium.blogs.nytimes.com\/2009\/05\/27\/addressing-security-concerns-on-mintcom\/\" target=\"_blank\">a third party<\/a>) have that data. Mint claims that it is super-secure, encrypted, all that jazz, and I have no reason to doubt them. All the same, though, it makes me uncomfortable, which is one of the reasons I won\u2019t use it and instead rely on credentials stored securely just on my computer instead of in the cloud.<\/p>\n<p>The problem is with authentication, and frankly, it\u2019s with the banks themselves. Mint shouldn\u2019t need to have access to my all-powerful banking logins. I should be able to create additional logins with my banks with differing privilege levels that are completely unrelated to my \u201csuperuser\u201d account. That way, I could expressly create a read-only login and use that with Mint, Quicken, and wherever else necessary. I shouldn\u2019t have to rely on the proper storage of my credentials at Mint or anywhere else to protect me; I should be able to limit rights directly. Sadly, as far as I know, few if any banks allow this, even though technologies <a href=\"http:\/\/oauth.net\/\" target=\"_blank\">are available<\/a> to make it possible.<\/p>\n<p>So yes, change your passwords. Stop reusing them. But unique, strong passwords are not enough. 
We need more granular control over the access we have online, so we can put up stronger firewalls around our data while still allowing it to be used.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Gizmodo has decreed that today, February 1st, is \u201cChange Your Password\u201d day. I wholeheartedly agree, especially if you re-used passwords (which you shouldn\u2019t!). In fact, I\u2019d go further: change your password, and start using a password manager. Did I change my passwords today? I did not, because I use said password manager. I don\u2019t reuse&hellip; <a class=\"more-link\" href=\"https:\/\/www.nathanhunstad.com\/blog\/2012\/02\/passwords-authentication-and-privilege\/\">Continue reading <span class=\"screen-reader-text\">Passwords, Authentication, and Privilege<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[127],"tags":[152,76],"class_list":["post-649","post","type-post","status-publish","format-standard","hentry","category-security","tag-authentication","tag-password","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/649","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=649"}],"version-history":[{"count":2,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/649\/revisions"}],"predecessor-version":[{"id":651,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/649\/revisions\/651"}],"wp:attachment":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=649"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?post=649"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/tags?post=649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}