OTPs more secure than user passwords
PUBLISHED ONOctober 21, 2014 6:00 PMByIrene Tham
Psst, your password is not safe.
Why not try what security experts might consider a hack-resistant one: CrtUlh46ag95BBnjs?
Next, set a separate password for every online account, and you will make the hacker's job a lot harder. Such measures might appeal to those seeking the utmost protection, but they are not feasible for most users.
Today's Internet user subscribes to more than a dozen password-protected online services such as Facebook and Gmail. People also have work e-mail and corporate systems, as well as online accounts with various banks and brokerages - all need passwords.
For convenience, many use the same password across every platform - a lax practice that security experts often blame for data leaks.
Last month, nude photos of more than 100 celebrities were leaked from online storage service iCloud, purportedly because of stolen passwords.
Last week, hackers posted online the passwords for hundreds of Dropbox accounts.
Mr Bryce Boland, the chief technology officer for the Asia-Pacific at security specialist FireEye, said: "Having a common password is like putting all your eggs in one basket. If one account is compromised, all of them are exposed."
Users are urged to set complex passwords and change them regularly. A complex password has letters of the alphabet in upper and lower case, as well as numerals and possibly a special character such as a dash.
But, surely, there must be a better alternative. The answer can be found in a security tool already in use - a randomly generated one-time password (OTP).
Most service providers today require users to enter an OTP in addition to the usual user name and password, in a process called two-factor authentication (2FA).
Accounts are more secure as hackers need to have the user's mobile device to receive the OTP via SMS, or a security token to generate the password.
One organisation in Singapore has taken the OTP tool to a new level of convenience.
Others should emulate the National Trades Union Congress (NTUC), whose 600,000 members no longer have to worry about remembering passwords. Since April, they need enter only their user name and an OTP on the NTUC website to book a chalet or apply for a course.
The national umbrella body for trade unions said members often forgot passwords and asked to have them reset. As a result, it did away with the password altogether.
"An OTP is more secure than a static password. This is a better form of protection as it is not dependent on a user's ability to create a complex password," said Mr Chai Chin Loon, the chief operating officer of Assurity Trusted Solutions, a locally based security specialist.
Doing away with user passwords also helps streamline the log-in process, which could promote the use of 2FA.
Even so, Mr Chai said: "Most people have not opted for 2FA - although many service providers already have this security feature - because they think it is inconvenient."
Well, it could hardly be more inconvenient than having to set a dozen complex passwords - and remember them.
This article was first published on October 20, 2014.
Get a copy of The Straits Times or go to straitstimes.com for more stories.