How a strong BYOD password can make identity theft easier

21 Sep

I regularly take a train journey into London; it takes about an hour and a half.
During this time I learn a great deal from reading, not books, but the laptop of the person sitting next to me.
This is a common problem, talked about in many blogs, but on a recent journey I came across a new variant!

The person sitting next to me got her iPad out and was invited to enter her password (she had changed the default 4-character mode to use a more complex phrase).
Reading passwords from a keyboard (especially a screen-based one) as they are typed is not too difficult. However, most helpfully, the iPad decided to briefly display each character on screen as it was typed…

Daneila23!

Presumably this is a feature Apple decided would help the user enter the correct password more easily, and I am sure it does. But a side effect is it makes shoulder surfing easy.

This is just another example of a security/usability trade-off. Daniela obviously cared about security, as the default 4-character PIN option had been strengthened, but I doubt the simplicity of reading the stronger password had been considered.
I don’t know if this feature of iPads can be turned off; if it can, Daniela, I recommend you do.

I hope the password is unique…

Daniela then proceeded to use her iPad to read her email.
I hope that Daniela has chosen unique passwords, as I could easily see her email address. If the iPad and email passwords are the same, I now have all I need to access her email. As email is used in most password reset processes, I can now take over her Facebook and Twitter accounts. All too easy.
(see also my blog on the challenges of unique passwords)

What really struck me about this is how making one part of a system more secure (a better iPad password) significantly increased the possibility of breaking into a much larger system (as the now more secure password is more likely to be re-used). All of which goes to show how complex good security design is, and the need to look at the whole system.

PS: I moved seats before I wrote this article, just in case Daniela was reading.

One Response to “How a strong BYOD password can make identity theft easier”

  1. Paul Prebble November 20, 2012 at 11:44 #

    Surely the weakness here is not the use of a stronger password but the helpful typing system provided? Not being an iPad user I don’t know if the 4 character and stronger entry methods differ.

