Monday, June 22, 2009
Half empty?

Although the city of Bozeman, MT has now dropped its requirement that job seekers, to be considered for a job, must provide login information and passwords for social network sites in which they participate, the story notes: "...the passwords already given by previous applicants will remain the confidential property of the City."
They admit that it was poor policy to collect them. The ethical thing to do would be to immediately discard them - safely. Until you do that, Bozeman, you're still going to be at the top of the anti-privacy list.
Just one more reason to drop the use of passwords in favor of a biometric authentication. Even Bozeman, I'd hope, wouldn't ask you to leave your finger on file!
Tuesday, April 28, 2009
Government nonsense

My Network World colleague Mitch Kabay points out that the National Institute of Standards and Technology's Computer Security Division has just published SP 800-118, “DRAFT Guide to Enterprise Password Management”, which now awaits comments. Mitch suggests it needs those comments "for improvement," but that ship has already sailed. The only improvement would have been to not waste the time to write and publish it.
Username/password for enterprise authentication is not only poorly implemented, not only passe but also very dangerous. The ONLY guideline NIST should issue for enterprise passwords is STOP USING THEM.
Of course, with the heavy government involvement in business that the current economic crisis is enabling, a simple ban on username/password or a requirement for strong authentication would make much more sense.
© 2003-2006 The Virtual Quill, All Rights Reserved