Got a few of these already.
I know you all want to use secure passwords, especially after reading about this week's hacks of LinkedIn, eHarmony and Last.fm. So why don't you?
If you use LastPass in your browser, it will happily create 16 character gibberish passwords for you and fill them in automatically.
Unfortunately this all breaks down once you start using your smartphone. Yes, initially it's fine to look up the password and paste it into the settings of your mail or Twitter application. But when you're on the road and want to share something from an app to Facebook, the app will often pop up its own Facebook login. This is when you need to remember and type that gibberish password, and unfortunately neither LastPass nor any other password manager will fill it in for you.
The same is of course true for desktop apps, like your ERP system. So what do you do? You either use simple passwords that you can easily remember _and_ type on a mobile device, or you think of one really good password and start using it everywhere.
From a security perspective, not what you want. But completely understandable.
iOS and Android need to come up with an API that lets password managers do their thing. Better still, app developers should start using the built-in identity providers: Twitter in iOS 5, or Twitter and Facebook in iOS 6. We have to get rid of apps asking for a new password all the time, or password hacks will be a topic that stays with us for a long time.
If you ever tweeted something with "iPad" in the text, this has probably happened to you: within a few minutes you'll receive a tweet like the one above with some cryptic link, or the promise of a new iPad. While I discourage clicking on links in any case (we spent years educating users to verify links from unknown sources, then Twitter and its short links came along...), this just should not be possible in the first place.
Behaviour like this should be easy enough to catch, really.
- New account, no or extremely few followers, tweets are all @-replies
- Almost all posts include links, which are mostly identical (or lead to the same site)
If you identify this, block the account from sending @-replies until it can somehow verify itself. Or set a quota for the number of @-replies relative to the number of followers.
Really annoying; it's a disgrace that Twitter has not acted on this yet.
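To show that the heuristics above really are easy to catch, here is an added example (my own code, not anything from the post or from Twitter) that scores an account's recent history against them and applies the follower-based reply quota. The thresholds (seven days, five followers, 90 % replies, 80 % link tweets pointing at one host), the `Account` structure and the two sample accounts with placeholder domains are all assumptions made for the example.

```python
# Added example (not from the original post): score a Twitter-style account
# against the three heuristics above. Thresholds, field names and the sample
# accounts are my own assumptions, not anything Twitter publishes.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")


@dataclass
class Account:
    handle: str
    created: datetime
    followers: int
    tweets: list = field(default_factory=list)   # plain text of each tweet


def link_hosts(text):
    """Hosts of all URLs in a tweet (trailing punctuation stripped)."""
    return {urlparse(u.rstrip(".,;:)!?")).netloc.lower() for u in URL_RE.findall(text)}


def account_features(acct, now):
    """Turn an account's history into the numbers the heuristics need."""
    n = len(acct.tweets)
    replies = sum(1 for t in acct.tweets if t.lstrip().startswith("@"))
    with_links = 0
    host_counts = {}
    for t in acct.tweets:
        hosts = link_hosts(t)
        if hosts:
            with_links += 1
        for h in hosts:
            host_counts[h] = host_counts.get(h, 0) + 1
    dominant = max(host_counts.values()) / with_links if with_links else 0.0
    return {
        "age_days": (now - acct.created).days,
        "followers": acct.followers,
        "reply_ratio": replies / n if n else 0.0,
        "link_ratio": with_links / n if n else 0.0,
        "dominant_host_share": dominant,  # share of link tweets pointing at one host
    }


def spam_signals(feat, max_age_days=7, max_followers=5):
    """Which of the post's heuristics fire for this feature set."""
    signals = []
    if feat["age_days"] <= max_age_days:
        signals.append("new_account")
    if feat["followers"] <= max_followers:
        signals.append("few_followers")
    if feat["reply_ratio"] >= 0.9:
        signals.append("all_replies")
    if feat["link_ratio"] >= 0.8 and feat["dominant_host_share"] >= 0.8:
        signals.append("repeated_links")
    return signals


def classify(acct, now, min_tweets=5):
    """'ok', or 'throttle_replies' when three or more signals fire.

    Accounts with too little history are left alone: a brand-new user with
    two tweets looks 'new' and 'few followers' but has shown no behaviour yet.
    """
    if len(acct.tweets) < min_tweets:
        return "ok"
    return "throttle_replies" if len(spam_signals(account_features(acct, now))) >= 3 else "ok"


def reply_quota(followers, base=10, per_follower=2):
    """Daily @-reply allowance that grows with the follower count (the post's
    'quota for followers vs. @-replies'); the numbers are illustrative."""
    return base + per_follower * followers


# Constructed sample accounts; the domains are placeholders.
NOW = datetime(2012, 6, 10)
SPAMMER = Account("ipad_winner_2012", NOW - timedelta(days=2), 1, [
    "@alice You won a free iPad! http://short.example/a1",
    "@bob Claim your new iPad here http://short.example/a2",
    "@carol iPad giveaway, last day: http://short.example/a3",
    "@dave Free iPad for you http://short.example/a4",
    "@erin Look at this iPad deal http://short.example/a5",
    "@frank iPad :) http://other.example/x9",
])
REGULAR = Account("some_person", datetime(2009, 3, 1), 340, [
    "Morning coffee and the new iPad, not a bad start to the day.",
    "@alice thanks, I'll have a look at it tonight",
    "Interesting read on password managers: http://blog.example/passwords",
    "Heading to the conference tomorrow, anyone else going?",
    "@bob yes, hall B at 10",
    "Slides from my talk: http://slides.example/talk-2012",
])

if __name__ == "__main__":
    for a in (SPAMMER, REGULAR):
        feat = account_features(a, NOW)
        print(a.handle, spam_signals(feat), classify(a, NOW), "quota:", reply_quota(a.followers))
```

Requiring three of the four signals, and a minimum amount of history, keeps a legitimate newcomer who replies to a few people from being throttled on day one; the follower-based quota then limits how much damage an account that slips through can do per day.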