Security's Everyman

Security's Everyman

Monday, April 16, 2007

Identity Management and You

An advisory group that I'm a part of has a discussion going on now regarding Identity management. This is a consumer advisory group so we're not talking enterprise ID management but consumer level. Helping mom and pop manage their various online identities. We all know the need for keeping separate identities for different types of web sites. It would not be advisable for me to use andyitguy for my ebay, banking and other financial sites. Having multiple online identities for different types of web sites is a good idea. I'm afraid that it's not a common practice among mom and pop though.

In my experience mom and pop are using mom and pop for their online identities no matter where they go. Banking, ebay, MySpace and everywhere else they go. Not only are they using the same ID they are using the same password. This is bad. Once the bad guys figure out their user ID and password for one site it isn't hard to figure out where else they go and easily get in there. Even if some sites require a "hard" password it's common practice to use a slight variation of their "normal" password. IE if your normal password is abc123 you may change it to Abc123#.

So where am I going? Back to stressing the need for user education. We have to continue to work on getting the word out to everyone that will listen to us. Those who won't listen have to be "tricked" by getting the word in front of them in other ways. The key is that we can't be quiet. We can't give up. We can't quit. We can work as hard as we are able to secure web sites, protect DNS servers, write secure code and everything else we can think of. That will help, but until we teach users how to surf securely our fight will be more difficult than need be.


decoy said...

I was redirected from Security Catalyst to read your post.
I agree with what you are saying, user training and awareness are key.

The problem is that the people who are vulnerable to ID theft are the ones that don't really care. They would rather finish a project or go foe lunch early than go over awareness training.

That puts it back onto us, the geeks and technologists of the world.
Not to sound stupid but from that old baseball movie... "build it and they will come"
It applies here... if Moore's Law can succeed we can build a solution that can be secure and assist users in protecting their ID's and Data.ks

Andy, ITGuy said...

I agree that there are always going to be those who have an apathetic attitude. There isn't much that can be done about them until they are the victim. Those that I advocate reaching out to is that just don't know better. There are lots and lots of uninformed users. They just turn on the PC and start surfing and emailing. Then as they get used to it the naturally start doing more things but in a insecure way.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.